Specialist Course

Purple Team Memory Forensics for DFIR Practitioners, Detection Engineers, and Threat Hunters

Aligned to NIST SP 800-86 · MITRE ATT&CK · Volatility 3 · Mandiant tradecraft

Memory Forensics

Run the attack, capture memory, analyze what you left behind.

Learn memory forensics by executing real attacks and investigating your own artifacts. Every module, you run a specific attacker technique from Kali against a Windows or Linux target, capture memory before and after, and analyze what the attack left behind using Volatility 3. Detect process injection, extract credentials from LSASS, identify fileless malware, find persistence mechanisms, and reconstruct attack timelines from volatile evidence.

What you'll deploy
7 real attack techniques captured and analyzed in memory
11 learner-captured memory images you analyze end-to-end
Volatility 3 analysis pipeline across Windows and Linux
Process injection, credential extraction, and rootkit detection workflows
Memory-based investigation methodology for live incident response
Memory forensic report templates with evidence documentation
ATTACK, CAPTURE, ANALYSE — THE LOOP

Phase 1 Baseline: capture a clean Windows or Linux target VM. Tools: WinPmem, LiME, hypervisor .vmem. The learner acquires the image.
Phase 2 Attack: execute the scripted technique from the Kali attacker VM. Tools: Metasploit · Mimikatz · PowerShell · PoC driver · LKM rootkit.
Phase 3 Post-attack capture: memory of the compromised target. The learner now owns a clean baseline + compromised pair.
Phase 4 Analyse: VAD, EPROCESS, task_struct, kernel objects. Tools: Volatility 3, MemProcFS, WinDbg, YARA, bulk_extractor.
Phase 5 Variant: execute a variation and apply the method independently. Self-verified against the expected findings in the lab pack.

10 modules · 7 attacks · 11 captures · 36–40 hours

What you'll be able to do

Detect process injection, fileless malware, and credential theft in memory dumps
Execute attacks and analyze the memory artifacts they produce
Extract IOCs from volatile evidence that never touches disk
Analyze both Windows and Linux memory captures with Volatility 3
Reconstruct attack timelines from volatile memory evidence
Specialist tier | 10 modules across 4 phases | 7 attack techniques | 11 memory captures | 40 CPE credits | 2 free modules — no account needed | Updated May 2026

Who this course is for

“I collect memory dumps but I don't know how to analyze them.” You run WinPmem or take a .vmem snapshot, hand it to a senior analyst, and wait. This course puts you in the analyst chair: Volatility 3 plugins, process tree analysis, VAD inspection, and the methodology to find what the attacker left in memory.

“The attacker cleaned up disk artifacts but I have a memory image.” Fileless malware, injected shellcode, credentials the attacker used but never saved — the evidence that only exists in volatile memory. You learn to extract what disk forensics can't see.

“I've analyzed sample images from textbooks but never my own.” Most memory forensics training gives you someone else's image. This course has you run the attack yourself, capture memory before and after, and analyze what your attack left behind. You know what to look for because you put it there.

“I can analyze Windows memory but not Linux.” Modules 7–8 cover Linux memory forensics: LKM rootkits, kernel object manipulation, task_struct analysis, /proc-based detection. Same methodology, different kernel structures.

“I need to detect process injection but I don't understand VAD at the structural level.” VAD tree analysis, PAGE_EXECUTE_READWRITE regions, hollowed process indicators, reflective DLL loading signatures — you learn what the memory structures look like before and after injection, not just which Volatility plugin to run.

“I want to build kernel-level tools, not just use them.” You compile the PoC kernel driver and LKM rootkit from source. You understand what the code does to the kernel before you analyze its footprint in memory. The build-then-detect approach is the course's core pedagogy.

Whatever your background — if the subject interests you and you're willing to put in the work, this course is for you.

Before and after this course

Before

You capture memory during an incident and hand the dump to someone else because you don't know what to do with it.

You run vol3 windows.pslist and see a process list. You don't know how to spot injected code, hollowed processes, or orphaned threads from that output.

The attacker used fileless techniques and your disk forensics found nothing. The memory dump sits unanalyzed because nobody on the team has the skills.

Your IR playbook says “acquire memory” but doesn't say what to do next. The memory section of your report is always blank.

After

You are the analyst who reads the dump. You run Volatility 3, identify anomalous processes, extract injected code, and document findings that prove what happened.

You spot the injected Meterpreter session from the VAD tree: PAGE_EXECUTE_READWRITE in svchost.exe, an MZ header at the region base, and a private region with no backing file. Three indicators from one plugin, with a parent PID check in the process tree to corroborate.

Fileless attack? Memory is your primary evidence source. You extract the shellcode, recover the C2 address, identify the credential access technique, and produce the timeline from volatile evidence alone.

Your IR report's memory analysis section is the strongest part: injected code extracted, credentials recovered, network connections mapped, persistence mechanisms identified — evidence the disk never had.

How the course works

The attack-capture-analyse loop. Every module follows the same cycle — you run the attack, capture the evidence, and find what you left behind:

Attack
Execute the Technique

Meterpreter injection, Mimikatz credential dumping, kernel driver loading, LKM rootkit installation. From your Kali VM against your target. You know what you planted.

Capture
Acquire the Memory

WinPmem, LiME, or hypervisor snapshot. Clean baseline before, compromised image after. You own both and compare them side by side.

Analyse
Find What You Left

Volatility 3 plugins, VAD analysis, EPROCESS structures, kernel objects. You find the evidence of your own attack — because you know what should be there.
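The baseline-plus-compromised pair is the point of the loop, and the first thing to do with the pair is diff it. The script below is an added example, not part of the course materials: it compares constructed Volatility 3 records (shaped like the `-r json` output of linux.pslist, linux.psscan and linux.lsmod, with the column names assumed) to list the processes and kernel modules that appear only after the attack, and cross-checks the linked task list against carved task_structs to surface a process a rootkit has unlinked. Process names, PIDs, offsets and the module name demo_lkm are invented.

```python
"""Baseline-vs-post-attack comparison over Volatility 3 JSON output.

Added example, not course code. Two checks once you own both captures:
  1. diff: processes and kernel modules present after the attack but not in the baseline
  2. cross-view: task_structs that linux.psscan carves from memory but that the
     linked-list walk in linux.pslist never reaches (unlinked by a DKOM-style rootkit)
Column names mirror what `vol -r json` prints for these plugins (assumed; confirm
against your Volatility 3 version before pointing this at real output).
"""
import json

# Constructed records: PIDs, names, offsets and the module name demo_lkm are invented.
BASELINE_PSLIST = json.dumps([
    {"OFFSET (V)": "0xffff9a8000010000", "PID": 1, "TID": 1, "PPID": 0, "COMM": "systemd"},
    {"OFFSET (V)": "0xffff9a8001a20000", "PID": 700, "TID": 700, "PPID": 1, "COMM": "sshd"},
    {"OFFSET (V)": "0xffff9a8002b40000", "PID": 1200, "TID": 1200, "PPID": 700, "COMM": "bash"},
])
POST_PSLIST = json.dumps(json.loads(BASELINE_PSLIST) + [
    # survived the attack: the interpreter the playbook used to load the module
    {"OFFSET (V)": "0xffff9a8003c60000", "PID": 1305, "TID": 1305, "PPID": 1200, "COMM": "python3"},
])
# psscan carves task_struct objects rather than walking init_task's list, so a
# task the rootkit unlinked is still found here.
POST_PSSCAN = json.dumps(json.loads(POST_PSLIST) + [
    {"OFFSET (P)": "0x00000001a4d80000", "PID": 1337, "TID": 1337, "PPID": 1200, "COMM": "nc"},
])
BASELINE_LSMOD = json.dumps([
    {"Offset": "0xffffffffc0a00000", "Name": "ext4", "Size": 778240},
    {"Offset": "0xffffffffc0b00000", "Name": "e1000", "Size": 155648},
])
POST_LSMOD = json.dumps(json.loads(BASELINE_LSMOD) + [
    {"Offset": "0xffffffffc0c00000", "Name": "demo_lkm", "Size": 16384},
])


def new_processes(baseline, post):
    """(PID, COMM) pairs visible after the attack but absent from the clean capture.

    Keyed on the pair rather than PID alone so PID reuse between captures does not
    hide a new process. Expect noise: any short-lived process differs between captures,
    so this is triage input, not proof."""
    seen = {(r["PID"], r["COMM"]) for r in baseline}
    return sorted((r["PID"], r["COMM"]) for r in post if (r["PID"], r["COMM"]) not in seen)


def new_modules(baseline, post):
    """Kernel modules in the post-attack module list that the baseline lacked."""
    seen = {r["Name"] for r in baseline}
    return sorted(r["Name"] for r in post if r["Name"] not in seen)


def hidden_processes(pslist, psscan):
    """Carved tasks whose PID the linked-list walk never produced: unlinked task_structs."""
    linked = {r["PID"] for r in pslist}
    return sorted((r["PID"], r["PPID"], r["COMM"]) for r in psscan if r["PID"] not in linked)


def run():
    """Run all three checks over the constructed pair and return the findings."""
    return {
        "new_processes": new_processes(json.loads(BASELINE_PSLIST), json.loads(POST_PSLIST)),
        "new_modules": new_modules(json.loads(BASELINE_LSMOD), json.loads(POST_LSMOD)),
        "hidden_processes": hidden_processes(json.loads(POST_PSLIST), json.loads(POST_PSSCAN)),
    }


if __name__ == "__main__":
    for check, hits in run().items():
        print(f"{check}: {hits}")
```

The lsmod diff only catches a module that is still on the kernel's module list; a rootkit that unlinks itself from that list will not appear there, which is why the same cross-view idea (linked list versus another source, as linux.check_modules does with sysfs) matters for modules as much as for processes.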

What the content looks like

This is annotated Volatility 3 output from Module 3. You've just injected a Meterpreter payload into svchost.exe, and now you're analyzing the VAD tree to find the evidence of what you did.

CLI Output — From Module 3: Process Injection Analysis
$ vol3 -f post_injection.raw windows.vadinfo --pid 1284

PID    Process     Start              End                Tag  Protection
1284   svchost.exe 0x0000024B10000000 0x0000024B1003FFFF VadS PAGE_EXECUTE_READWRITE
  Flags: CommitCharge: 64, MemCommit: 1, PrivateMemory: 1
  First bytes: 4d 5a 90 00 03 00 00 00  <-- MZ header = injected PE
  File: (none)  <-- no backing file; the legitimate image is a separate, file-backed Vad region mapped from \Device\HarddiskVolume3\Windows\System32\svchost.exe

Indicators:
  1. PAGE_EXECUTE_READWRITE on a private region, which a legitimate svchost.exe almost never allocates
  2. MZ header at the base of a region with no backing file = reflectively loaded PE
  3. PrivateMemory flag = not mapped from a file on disk

Three indicators from one Volatility plugin. The module teaches you to read each one: what PAGE_EXECUTE_READWRITE means at the kernel level, why an MZ header at the base of a private, non-image-mapped region points to injection rather than a loader-mapped image, and how the PrivateMemory flag shows the region is not backed by a file mapping (which is why the File column is empty). One caveat: RWX private memory on its own is not proof, since JIT engines and some packers allocate it too, so you corroborate with the region contents and the process tree. You know because you injected it yourself five minutes ago.
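To turn those indicators into a repeatable check, here is an added example (not the course's code) that scores windows.vadinfo records against all three and corroborates a hit with the parent-process lineage from windows.pslist. The records are constructed, shaped after Volatility 3's `-r json` column names (assumed); the FirstBytes field is not a vadinfo column and is assumed to have been filled from a region dump. The EXPECTED_PARENT table, PIDs and addresses are illustrative, and the sample deliberately includes a file-backed image region, a heap and a JIT region so the scoring shows why three indicators matter more than one.

```python
"""Injection triage over windows.vadinfo records, corroborated with windows.pslist.

Added example, not course code. Scores each VAD region against the three indicators
(RWX protection, MZ header at the region base, private memory with no backing file)
and checks the owning process's parent against a known-good lineage table.
Record keys mirror Volatility 3's `-r json` column names (assumed). "FirstBytes" is
not a vadinfo column: it is assumed to be filled from a region dump by the caller.
"""
import json

# Known-good lineage. Constructed for this example; extend per environment.
EXPECTED_PARENT = {"svchost.exe": "services.exe"}

# Constructed records: addresses, PIDs and the process list are invented.
VADINFO = json.dumps([
    # the injected region from the output above: RWX, private, MZ at base, no file
    {"PID": 1284, "Process": "svchost.exe", "Start VPN": 0x24B10000000, "End VPN": 0x24B1003FFFF,
     "Tag": "VadS", "Protection": "PAGE_EXECUTE_READWRITE", "CommitCharge": 64,
     "PrivateMemory": 1, "File": "", "FirstBytes": "4d5a90000300000004000000ffff0000"},
    # the legitimate svchost.exe image: MZ is expected here, and the region is file-backed
    {"PID": 1284, "Process": "svchost.exe", "Start VPN": 0x7FF6A8E00000, "End VPN": 0x7FF6A8E12FFF,
     "Tag": "Vad", "Protection": "PAGE_EXECUTE_WRITECOPY", "CommitCharge": 8,
     "PrivateMemory": 0, "File": "\\Device\\HarddiskVolume3\\Windows\\System32\\svchost.exe",
     "FirstBytes": "4d5a90000300000004000000ffff0000"},
    # a heap: private but not executable, no MZ
    {"PID": 1284, "Process": "svchost.exe", "Start VPN": 0x24B0FF00000, "End VPN": 0x24B0FFFFFFF,
     "Tag": "VadS", "Protection": "PAGE_READWRITE", "CommitCharge": 12,
     "PrivateMemory": 1, "File": "", "FirstBytes": "00000000000000000000000000000000"},
    # a second svchost.exe spawned from explorer.exe carrying the same injected region
    {"PID": 4412, "Process": "svchost.exe", "Start VPN": 0x1F4A0000000, "End VPN": 0x1F4A003FFFF,
     "Tag": "VadS", "Protection": "PAGE_EXECUTE_READWRITE", "CommitCharge": 64,
     "PrivateMemory": 1, "File": "", "FirstBytes": "4d5a90000300000004000000ffff0000"},
    # JIT-compiled code: RWX and private, but no PE header. Two indicators, not three.
    {"PID": 2210, "Process": "powershell.exe", "Start VPN": 0x1D2B0000000, "End VPN": 0x1D2B000FFFF,
     "Tag": "VadS", "Protection": "PAGE_EXECUTE_READWRITE", "CommitCharge": 16,
     "PrivateMemory": 1, "File": "", "FirstBytes": "4883ec28e8000000004883c428c3cccc"},
])
PSLIST = json.dumps([
    {"PID": 640, "PPID": 520, "ImageFileName": "services.exe"},
    {"PID": 1284, "PPID": 640, "ImageFileName": "svchost.exe"},
    {"PID": 2800, "PPID": 2700, "ImageFileName": "explorer.exe"},
    {"PID": 2210, "PPID": 2800, "ImageFileName": "powershell.exe"},
    {"PID": 4412, "PPID": 2800, "ImageFileName": "svchost.exe"},
])


def indicators(region):
    """Names of the injection indicators a single VAD record satisfies."""
    hits = []
    if region["Protection"] == "PAGE_EXECUTE_READWRITE":
        hits.append("rwx")
    # An MZ header is normal at the base of an image-mapped region (File set);
    # it is the injection signal only when nothing on disk backs the region.
    if region["FirstBytes"].lower().startswith("4d5a") and not region["File"]:
        hits.append("mz_no_backing_file")
    if region["PrivateMemory"] == 1:
        hits.append("private")
    return hits


def parent_mismatch(pid, pslist):
    """(actual_parent, expected_parent) when the lineage is wrong, else None."""
    by_pid = {p["PID"]: p for p in pslist}
    proc = by_pid.get(pid)
    if proc is None:
        return None
    expected = EXPECTED_PARENT.get(proc["ImageFileName"].lower())
    if expected is None:
        return None  # no lineage rule for this image
    parent = by_pid.get(proc["PPID"])
    actual = parent["ImageFileName"].lower() if parent else "<missing>"
    return None if actual == expected else (actual, expected)


def triage(vadinfo, pslist, min_hits=2):
    """Regions with at least min_hits indicators, strongest first.

    RWX private memory on its own is common (JIT engines, some packers), hence the
    threshold and the ranking: three hits plus a lineage mismatch is where to start."""
    findings = []
    for r in vadinfo:
        hits = indicators(r)
        if len(hits) < min_hits:
            continue
        findings.append({
            "pid": r["PID"], "process": r["Process"],
            "start": f"0x{r['Start VPN']:016x}", "size": r["End VPN"] - r["Start VPN"] + 1,
            "indicators": hits, "parent_mismatch": parent_mismatch(r["PID"], pslist),
        })
    return sorted(findings, key=lambda f: (-len(f["indicators"]), f["parent_mismatch"] is None, f["pid"]))


def sample_regions():
    return json.loads(VADINFO)


def run():
    return triage(sample_regions(), json.loads(PSLIST))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The ranking puts the svchost.exe spawned from explorer.exe first (three indicators plus a lineage mismatch), the injected region in the correctly parented svchost.exe second, and the PowerShell JIT region last with only two; the file-backed image mapping and the heap score below the threshold and are not reported at all.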

Lab Pack — Attack, Capture, Analyse

Included: 3 VM setup scripts, 7 attack playbooks, PoC kernel driver and LKM rootkit source code with build instructions, 21 exercises (Standard/Hard/Expert), 7 verification scripts, 10 HTML walkthroughs, 4 investigation report templates.

Not included by design: Memory images (you capture your own), pre-compiled binaries (you build from source), analysis tools (install per Lab Setup Guide). Capturing memory and building PoC tools from source are skills, not overhead.

Memory Forensics Lab Pack v2.0
7 attacks · 10 walkthroughs · 21 exercises · PoC source code · report templates
Download Lab Pack (.zip)

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may not redistribute course content or share account credentials.

Attack tools: Metasploit, Mimikatz, and PoC rootkits are for educational use in isolated lab environments only. Running them against unauthorized systems is illegal.

Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 3.0  |  Last updated: April 2026

v3.0 (April 2026): Complete course. 10 modules across 4 phases. Attack-capture-analyse loop. 302,000+ words. Lab pack with PoC source code, exercises, verification scripts, walkthroughs.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70 out of 100. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.