DFRWS EU 2025 Workshop – Practical Malware Analysis and Memory Forensics for Incident Response (In-Person Only)

Date and Time:
Tuesday, April 1, 09:00-10:45, continuing 11:15-13:00

Learning Objectives:

  • Understanding memory acquisition techniques: Learn the principles of forensically acquiring system memory, including best practices for ensuring integrity and security during acquisition.
  • Malware analysis methodologies: Gain insight into static and dynamic malware analysis using industry-standard tools and techniques. Understand malware behaviors, persistence mechanisms, and how malware interacts with system resources such as files, processes, and network connections.
  • Using Volatility for analysis: Learn how to use the Volatility framework to extract artifacts from memory dumps, detect malware, and identify indicators of compromise (e.g., suspicious processes, DLLs, network connections).
  • Integration into incident response: Understand how memory forensics can play a crucial role in the overall incident response process. Learn how to integrate forensic results into incident response workflows to improve threat detection, containment, and eradication.
  • Practice: Apply the techniques in a lab environment with real-world malware samples to reinforce learning and provide hands-on experience.

Experience Level:

Beginner

Description:

This workshop will cover techniques for extracting and analysing malware from memory dumps, focusing on methods used during incident response. Participants will gain hands-on experience with tools such as Volatility, learn about static and dynamic malware analysis, and understand how to apply these methods to identify indicators of compromise and analyse malware behaviour. The workshop will provide a comprehensive overview of acquiring memory images, performing analysis using open source tools, and integrating malware analysis into broader incident response processes.

Preparation Details:

  • Volatility Framework (v2.6 and v3)
  • Sample memory dumps

All tools and materials will be provided via download links and should be installed at least 3 days prior to the conference to ensure availability. Additionally, a virtual machine for Intel machines will be provided containing all necessary and related software and supporting files to simplify setup and ensure that participants have a consistent environment.

Workshop organiser:

Ricardo J. Rodríguez