My Review on How to Collect and Analyze Random Access Memory Course from DFIR Science
Introduction
As I usually take many cybersecurity courses and certifications, I decided to take “How to Collect and Analyze Random Access Memory Course” course from DFIR Science. DFIR Science is run by Dr. Joshua I. James – such a knowledgeable trustworthy guy, who I want to learn from him.
Who is Dr. Joshua James?
Dr. Joshua is an amazing digital forensic scientist, and and he is now a consultant for the United Nations Office on Drugs and Crime, INTERPOL, and the NW3C.
So, What Will I Learn by Attending the Course?
I will just briefly outline the topics that the course is supposed to cover and what you will learn during the course:
- RAM Acquisition in Windows and Linux – (Linux is not discussed in the course at the time of posting this)
- Generic analysis that works with any dataset
- RAM parsing basics with Volatility 3
- Understand how to use evidence from RAM
Overview about the Course
The course is about 3 hours of video content with a quiz for each section.
It starts with what a memory is and what you can find inside it. Then, it starts with some methods to acquire the memory from (specifically from Windows OS). After that, the author talks about some general methods to perform light analysis on a memory dump (but as it is general, so you can apply it on different files too).
Lastly, the author talks about some analysis techniques to perform specifically on a memory dump.
The course ends with an exam that you need to pass to get the certification. You need to do analysis on a memory dump file and answer 10 related questions (passing score is 80%)
My Humble Opinion on the Course
The course is one of the best courses if you are an absolute beginner in digital forensics and you have no prior knowledge in the digital forensics nor in memory forensics. I know that nothing is perfect, but here is my humble overview about the course:
Pros:
- It has practical aspects to do, so you need to follow along and practice with him
- The course opens your mind into various memory acquisition methods (but only focusing on one)
- The course teaches you how to make and organize your toolkit on a USB drive for future cases
- This course is for beginners, so you will learn a lot if you are so.
- I felt so comfortable when listening from such a knowledgeable person, so even if you know the information, you may be able to find some gaps in your understanding of some memory forensic details.
- The course teaches you some methods that you can apply generally in digital forensics, and not only in memory forensics.
- The course teaches some main Windows-based tools to acquire memory from
- The course allows you to enter a community to discuss and ask questions (but not much active there)
- The course touches some main plugins used in Volatility3 to do analysis and a brief introduction on using MemProcFS tool
- The course has a final practical exam to pass, where you need to use your analysis skills on a memory dump
Cons:
- I know that the work (course) is still in progress, but the course was made since 2022, and the course did not cover any analysis on Linux-based memory dumps as mentioned in the course learning topics till now – only Windows-related activities were discussed.
- The course did not cover Volatility2 at all, which is understandable, but still, in my humble opinion, there are many good use cases for it
- The course did not cover many main Volatiltiy3 plugins such as pstree, malfind, etc., and even did not talk about how to find malicious processes or things like that.
- The course did not discuss anything regarding processes genealogy or things like that.
- No system internal knowledge was discussed or any OS-related structures (well, it is a beginner course, so many things I should not expect there)
- The course did not discuss anything related to finding malware or things related to it – no process injections, nothing like that disused.
The Course’s Fee
The course’s price is affordable, as it costs 50$
For people, who cannot pay this amount, here are some useful resources from DFIR Science to learn from it for FREE.
- Amazing Free Introduction to Digital Forensics Course Playlist on YouTube
- His YouTube Channel – he has amazing playlists to watch!
Final Rating
I usually rate the courses I took, but I will refrain from doing so for this one as I believe I may not be fair in my judgment, as the course is for absolute beginners in the field.
I would only rate it 8/10 if you are new in the digital forensics or memory forensics fields. Other than that, if you are not a beginner, I would think again about taking it or not.
Conclusion
I talked about a memory forensic course I took previously with Dr. Joshua, my humble review on it, what you will learn during the course, some pros and cons, and some free resources, put by the same author, that you can learn form as listed above!
Cya till the next one ~ Hoxed