My Review on 13Cubed Investigating Windows Memory Course

Introduction
As I usually take many cybersecurity courses and certifications, I decided to check out the “Investigating Windows Memory” course from 13Cubed.
As we know, memory forensics plays a crucial part in DFIR investigations and compromise assessments. This course is relatively new (at the time of writing) and dedicated to memory forensics of Windows images, and it is taught by the one and only Richard Davis!
Before enrolling in this course, it is recommended that you take Investigating Windows Endpoints from 13Cubed, or have knowledge of Windows endpoint forensics equivalent to the material covered in that course.
This blog post reviews the course and its exam in detail; I have already provided a brief overview of it here.
So, What Will You Learn by Taking this Course?
The 13Cubed Investigating Windows Memory (IWM) course is one of the most well-organized, detail-oriented courses dedicated solely to memory forensics in the industry. The course contains 54 lessons (at the time of writing; expect more to be added over time). Here I will just briefly outline the topics that the course covers:
- Setting up your environment for memory forensics
- Memory Acquisition
- Memory Forensics using strings and bstrings
- Memory Analysis with Volatility
- Malware Memory Analysis with Volatility
- Memory Analysis with MemProcFS (A really great tool)
- Malware Memory Analysis with MemProcFS
- Introduction to WinDbg (a low-level, advanced tool)
- Additional Content that includes more specific topics and challenges for further practice
Overview about the IWM Course and Its Exam
This course is medium-length, with around 10 hours of video content, and it takes approximately 20-40 hours to complete with active practice. It is a blue-team class, as you would expect, and was created purely to teach you memory forensics concepts and tools on Windows. I would say that it is one of the best on-demand courses I have taken for memory forensics on Windows so far ~ 01/2025
The course content is basically made of videos that you can watch and follow along with; some lessons also have documentation, notes or resources beneath them, in addition to a comments section for your questions!
The course begins with an overview of what to expect and guides you through the setup of essential tools for memory acquisition and analysis. You will gain the Windows internals knowledge needed to understand the material, including the parent-child relationships of core Windows processes, and learn best practices for acquiring memory dumps from physical systems and virtualized environments. After that, the author talks about using strings in memory forensics, or, as he calls it, poor man's forensics. The longest module covers Volatility 2 and Volatility 3 in detail (going back and forth between them to provide the same level of detail for both) and malware analysis with Volatility. This section is followed by MemProcFS: how powerful it is in memory forensics to mount a memory dump as a virtual disk drive, and how easy it is to find evil with it. After that, WinDbg is explained briefly, and the course ends with additional content and the exam assessment.
The Investigating Windows Memory course ends with a theoretical and practical exam that you need to pass with at least 70% to get the certification. If you paid attention during the course, you will pass on the first attempt and take the gold badge! ~ Here is mine 🙂
The exam does not require you to write a report; instead, you answer questions based on the knowledge you gained throughout the course and by practically investigating a memory dump that was specifically crafted for the exam assessment!
Here are the passing criteria that you may want to know:
- Passing the exam with >=70% -> Gold Credentials – on the first attempt!
- Passing the exam with >=70% -> Silver Credentials – on the second attempt.
- Passing the exam with >=70% -> Bronze Credentials – on the third attempt or later.
My Humble Opinion on the Course
The course as a whole is one of the best intermediate-ish on-demand memory forensics courses. It mainly focuses on two of the major memory forensics tools: the Volatility Framework (versions 2 and 3, on an equal footing) and MemProcFS.
It is designed to be beginner-friendly, even though it leans more towards an intermediate-level certification. It will help you become a more well-rounded practitioner in Windows memory forensics. I really enjoyed going through the material, paying attention to some tips and tricks, and practicing them myself.
Every course has its pros and cons, but I wouldn’t call them ‘cons’ in this course – rather, areas for improvement, as it is truly well put together. I have also added a “points to consider” section below for things I think others might want to know.
I know that nothing is perfect, so here is my humble overview about the course with its exam:
Pros:
- This course discusses topics with attention to small details that are rarely covered elsewhere, which is exactly what I was looking for: symbol tables, the .vmss and .vmsn formats, best practices (especially in memory acquisition) that you may not know, etc. On top of that, there are many other small details, tips and tricks that help fill knowledge gaps.
- The memory acquisition module contains great tips that many practitioners are unaware of, leading to poor practices, which the author addresses.
- The course talks about Windows internals concepts and some data structures such as EPROCESS, PEB, SSDT, VAD, DKOM, etc.
- The course talks about the expected parent-child relationships of some core Windows processes.
- The course maintained a great balance between using Volatility 2 and Volatility 3, seamlessly transitioning between the two to provide a comprehensive understanding of both versions.
- I appreciated that the course highlighted the differences between *list and *scan-based plugins. This is an often-overlooked topic, as many people use plugins without truly understanding how they work behind the scenes.
- The course sheds light on advanced topics that are often left out of courses, such as Volshell, WinDbg, etc.
- Having an active community and the opportunity to get questions answered is a fantastic advantage.
- It is awesome that the course covers various memory dump formats and delves into virtual memory files like the Page file, Swap file, and Hibernation file.
- Rather than editing errors out of the tutorials, the author embraces them, explaining why they occurred and how to fix them!
- Installing external plugins and using them in Vol2 and Vol3 was an added value, because Volatility is extensible and we have a lot of community plugins at our disposal.
- It was a brilliant touch to use WSL 2 to install Volatility 2 and Volatility 3, and not only that, but also to mount the MemProcFS drive in WSL to easily slice and dice its content.
- Covering the YARA plugin and extracting IoCs with a scenario-based challenge was great, because memory forensics is used heavily for root cause analysis and malware analysis.
- This was the first time a memory forensics course discussed using windows.strings effectively!
- Analyzing registry and event logs using disk forensics tools, even though this is a memory forensics class, is really an added value, because it is hard to completely separate the two. I really liked the discussion of analyzing the Windows Defender logs for Event IDs 1116 and 1117, some registry hives, reading SQLite browser history, etc.
- Discussing code injection and process hollowing is a huge plus.
- Having a lot of images to practice on (5 images in total, with 2 more added in the Trouble at ACME challenge) is immensely good, because we only truly know what we practice on 🙂
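The *list versus *scan distinction praised above is easiest to see on a toy example. The following block is an added illustration, not code from the original post or from the course: it lays out constructed process records in a byte array, walks them pslist-style via a doubly-linked list, carves them psscan-style by pool tag, then simulates an unlinked record so the psxview-style cross-view check has something to catch. Record layout, offsets and names are all assumptions made up for the demonstration.

```python
import struct

POOL_TAG = b"Proc"               # tag that psscan-style carving looks for
FMT = "<4sIII16s"                # constructed record: tag, pid, Flink, Blink, name
REC_SIZE = struct.calcsize(FMT)  # 32 bytes; record 0 is the untagged list head
HEAD = 0

def build_memory(names):
    """Lay out constructed process records in a circular doubly-linked list,
    mimicking EPROCESS.ActiveProcessLinks (pointers are record offsets here)."""
    mem = bytearray(REC_SIZE * (len(names) + 1))
    ring = [HEAD] + [REC_SIZE * (i + 1) for i in range(len(names))]
    for idx, off in enumerate(ring):
        nxt, prv = ring[(idx + 1) % len(ring)], ring[idx - 1]
        if off == HEAD:
            struct.pack_into(FMT, mem, off, b"\0\0\0\0", 0, nxt, prv, b"")
        else:
            struct.pack_into(FMT, mem, off, POOL_TAG, 1000 + idx * 4, nxt, prv,
                             names[idx - 1].encode())
    return mem

def list_walk(mem):
    """pslist-style: follow Flink from the head until the ring returns to it."""
    seen, cur = [], struct.unpack_from("<I", mem, HEAD + 8)[0]
    while cur != HEAD and len(seen) < len(mem) // REC_SIZE:
        _, _, flink, _, name = struct.unpack_from(FMT, mem, cur)
        seen.append(name.rstrip(b"\0").decode())
        cur = flink
    return seen

def pool_scan(mem):
    """psscan-style: carve every record carrying the pool tag, linked or not."""
    found = []
    for off in range(0, len(mem) - REC_SIZE + 1, 4):
        if mem[off:off + 4] == POOL_TAG:
            name = struct.unpack_from(FMT, mem, off)[4]
            found.append(name.rstrip(b"\0").decode())
    return found

def unlink(mem, off):
    """Simulated DKOM unlinking: splice a record out of the list; its bytes stay."""
    _, _, flink, blink, _ = struct.unpack_from(FMT, mem, off)
    struct.pack_into("<I", mem, blink + 8, flink)   # prev.Flink = next
    struct.pack_into("<I", mem, flink + 12, blink)  # next.Blink = prev

def hidden_processes(mem):
    """psxview-style cross-view: present in the scan but absent from the list walk."""
    return set(pool_scan(mem)) - set(list_walk(mem))
```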
Cons:
- A good memory acquisition module overall, but it lacks instructions on how to take a memory dump from two of the most commonly used hypervisors, especially for individuals: VMware Workstation Pro as a standalone product and VirtualBox.
- I know covering all Volatility plugins in a single course seems almost impossible, but some really important plugins were not mentioned, such as:
- MFT-related plugins were not discussed in Volatility 2/3, such as windows.mftscan (even though the topic was similarly covered using MemProcFS – the NTFS and Files folders). Using these plugins together with MFTExplorer, for example, would be a great added value, especially since Windows uses the NTFS file system.
- I would say windows.mftscan.ads is also worth talking about, because we sometimes discover useful information when exploring Alternate Data Streams (ADS).
- Even though malware analysis wasn’t the primary focus of the course, memory forensics remains one of the most powerful tools for uncovering what malware has done to a system. While some related plugins, like svcscan and schtasks, were briefly mentioned, I felt that malware persistence techniques deserved more attention. Additionally, an important plugin like windows.privileges could have been highlighted. This plugin analyzes the privileges assigned to processes, which can be a critical indicator of malicious activity by identifying unusual or elevated privileges that may raise suspicion.
- For Volatility 2, cmdscan, cmdline, and consoles were not discussed for extracting processes’ command lines.
- Other generally important plugins were not covered either, such as envars (for environment variables), lsadump (very briefly mentioned in the Registry lesson), hashdump (to dump user hashes from memory), and some useful external plugins such as Prefetch.
- There were some output formatting issues in some lessons, so it would have been good to mention using -r pretty (the RENDERER option, even though it was mentioned in the comments section), --hide-columns to drop some columns so the output fits on the screen, or even the very useful dot output in Volatility 2 (i.e. --output=dot --output-file=pslist.dot).
Points To Consider:
- The course does not teach you how to build a dedicated virtualized environment to safely analyze memory dumps, but it does mention and warn multiple times throughout the course about not analyzing memory dumps outside a safe environment.
- There is no background on RAM in general and what it really is.
- Process genealogy and Windows internals were discussed briefly; this provides what you need to get through the material, though I wish it were more detailed.
- In the process command lines lesson, there is no need to use dlllist in Volatility 2 with grep to get the command lines, as there are cmdline, cmdscan and consoles that help in this regard.
- In the Malware Memory Analysis with Volatility module, it is important to note that dumping a registry hive (NTUSER) without its corresponding .log files may result in a dirty hive with uncommitted important changes. In such cases, you can load the transaction log files alongside the registry hive in Registry Explorer or RegRipper to clean and recover the hive and ensure accurate analysis – just mentioning that, as the author forgot to mention it.
- The course is purely focused on memory forensics, not malware analysis; keep that in mind. I wish it discussed malware analysis more, as memory forensics is one of the primary tools to detect and trace malware.
- Some really good plugin updates need to be added, but guess what! They have already updated the course since my brief overview of it on LinkedIn and added the ShimCacheMem plugin for Vol3. I think it would also be good to add other new plugins such as windows.psxview, windows.hollowprocesses, etc., but I have been told that they are waiting a while for more testing, with interesting findings!
- As the course is more towards the intermediate level, I wish it discussed warm/cold boot attacks in practice, or at least mentioned them.
- The exam has only partial feedback: you can see which answers were wrong, but not the correct answer, even if you passed.
- Once you purchase the course, you will only have 365 days of access. Personally, I do not like this model; I prefer lifetime access with updates.
- I would recommend putting CPE hours on the certificate of completion, but I have been told that you can request that CPE be added!
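The dirty-hive point above can be checked before any analysis by reading the hive's REGF base block. The following block is an added example, not code from the original post or from the course: it compares the primary and secondary sequence numbers (they differ when a write was started but not committed, so the .LOG1/.LOG2 transaction logs must be replayed), verifies the base block checksum, and builds a constructed header so the check can be exercised without a real hive. `make_sample_header` is a synthetic helper for demonstration only.

```python
import struct

REGF_HEADER_SIZE = 512   # the hive's base block

def regf_checksum(header: bytes) -> int:
    """XOR of the first 508 bytes of the base block as little-endian DWORDs,
    with the two special cases Windows applies to the result."""
    result = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        result ^= dword
    if result == 0:
        return 1
    if result == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return result

def hive_state(data: bytes) -> dict:
    """Parse the REGF base block and report whether the hive is dirty.

    The primary sequence number is bumped when a write begins and the secondary
    when it is committed; if they differ, the file (on disk or dumped from memory)
    holds uncommitted changes and its transaction logs must be replayed first."""
    if len(data) < REGF_HEADER_SIZE or data[:4] != b"regf":
        raise ValueError("not a REGF hive: bad signature or truncated base block")
    primary_seq, secondary_seq = struct.unpack_from("<II", data, 4)
    major, minor = struct.unpack_from("<II", data, 20)
    stored = struct.unpack_from("<I", data, 508)[0]
    return {
        "version": f"{major}.{minor}",
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        "dirty": primary_seq != secondary_seq,
        "checksum_ok": stored == regf_checksum(data),
    }

def make_sample_header(primary_seq: int, secondary_seq: int) -> bytes:
    """Constructed 512-byte base block for demonstration (not a real hive)."""
    hdr = bytearray(REGF_HEADER_SIZE)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 4, primary_seq, secondary_seq)
    struct.pack_into("<II", hdr, 20, 1, 5)          # format version 1.5
    struct.pack_into("<I", hdr, 508, regf_checksum(hdr))
    return bytes(hdr)

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:             # e.g. a dumped NTUSER.DAT
        print(hive_state(fh.read(REGF_HEADER_SIZE)))
```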
The Course’s Fee
The course is somewhat affordable, as it currently costs $795.
Also, 13Cubed has an amazingly rich YouTube channel; check it out here!
For those who cannot pay this amount, do not worry; we will be making a lot of good free content for you as well 🙂
Final Rating
This Investigating Windows Memory course is truly high-quality and well-structured. Taking into account everything mentioned above, I would rate the course 9.5/10! ~ I usually do not give such a high rating, but it deserves it 🙂
The course’s title clearly indicates its focus on Windows memory forensics, so it sets accurate expectations by concentrating exclusively on Windows systems. It provides detailed guidance on using tools like Volatility 2, Volatility 3, and MemProcFS, while also briefly introducing WinDbg. Advanced topics, such as Volshell, different types of code injection, and aspects of WinDbg, are touched upon, adding depth to the learning experience.
When considering the complexity and depth of the discussed tools, they can be categorized – as stated by the course author – as follows:
MemProcFS => High level tool | Volatility => Medium level tool | WinDbg => Advanced level tool
Although the course is not primarily aimed at malware analysis, it does cover some aspects of it, though certain areas were not addressed. Additionally, it briefly includes some Windows internals, data structures, and the hierarchy of benign processes, along with their parent-child relationships. While the course is well-structured and highly informative, I believe there is always room for improvement – such as including more useful plugins and deeper insights into hunting malware activity. Overall, it strikes a balance between foundational concepts and advanced topics, making it valuable for all learners.
I would say that the exam is not hard if you have prior experience in memory forensics and watched all the course content while practicing. There were a couple of questions in the exam that were a bit questionable for me, but other than that, all good.
Conclusion
In this blog post, I talked about the blue team course “Investigating Windows Memory” that I took with 13Cubed: my humble review of the course and its exam, what you will learn during the course, and some pros, cons and points to consider.
Cya till the next one ~ Hoxed