My Review for Memory Forensics Masterclass for Incident Responders Certification
Introduction
I took the BlackPerl DFIR Memory Forensics Masterclass for Incident Responders course and passed their exam back in 2023. Thus, I thought, it would be helpful to share my modest opinion about the course overall, so you may better set your expectations and results when finishing the course, and hopefully learn something from this simple review.
Below are the pros and cons based on my point of view.
Pros
- Providing minimum baseline (methodology) for actions need to be taken in order to analyze a memory dump.
- Talking about many memory acquisition tools
- Talking about many useful plugins and their usages
- Talking about some memory foundation topics before delving into memory forensics
- Docker Memory Forensics
- Creating timeline for memory events using different methods.
- Teaching how to make a custom volatility profile
- Talking about some challenges might have arised in context of memory acquisition such as Deadlock, memory leak, etc.
- Case studies are good especially the first one.
- Their practical exam is not easy as you need to analyze a given memory dump to find the root cause of the incident.
Cons
- Sometimes, they explain water by water, as in such terms or techniques, such as AtomBombing (It is great to mention such a technique, but what is Atom for example is not explained well, so whole term is not understood well), DPC (Deferred Procedure Call), etc.
- Linux and MacOS are not really given their required attention in the course.
- I expected that they touch a bit some Windows Internals concepts related to memory such as SSDT, VAD, etc – which leads me to the next point
- A lot of Volatility plugins that are useful in IR, were not discussed such as apihooks, SSDT, VAD related-plugins, volshell, etc. (I know that one course cannot cover everything for sure, but there are some really important plugins need to be discussed for IR)
- No usage of external Volatility plugins at all
- When discussing some important techniques such as Process Hollowing, please show me how it is done in practice to understand it much better.
- When talking about how to acquire RAM after reboot using Afterlife tool, please show me how!
- In my opinion, music in the background makes the course less professional to be delivered as someone might not want to listen to it and make the video a bit noisy to be heard.
Conclusion
This is my humble honest feedback about the course. lastly, I might have made some mistakes in reviewing the course or forgetting to mention some items, so kindly excuse me. Overall, it was a good course where it teaches you how to acquire and forensically analyze memory dumps.
Overall Rating
7/10
Thank you for reading!
Related Posts
My Review on Certified CyberDefender Certification
My humble opinion about the Memory Forensics Section of CCD
My Review on How to Collect and Analyze Random Access Memory Course from DFIR Science
My modest opinion about the Memory Forensics course from DFIR Science
My Review on the Memory Forensics Black Hat Training Course by Monnappa K A
My humble opinion about the memory forensic Black Hat training course, with free and affordable resources if you cannot afford it