Training

Our training courses are customable based on the interest of your organization, if you are security-minded, troubleshooting-focused or all of the above.

Comae specializes in delivering in-depth training on a variety of topics related to memory analysis included but not limited to operating system internals, memory management, trouble-shooting and debugging. This course cover the state of the art tools available, some are open-source like crash but when it comes to Windows nothing beats WinDbg for professionals.

The reason macOS is not covered in this course is because KEXTs have been deprecated by Apple.

Memory Analysis

Course Description

This course aims to provide attendees general knowledge of Windows internals, Linux internals and the ability to proceed to memory acquisition and analysis with Comae products and publicly available softwares such as WinDbg or crash for a deep dive. Our products include memory acquisition & analysis for Windows as well as Linux.

Course Outline

  • An explaination of different memory formats

    • Raw dumps
    • Microsoft Formats
      • Crash dumps (*.dmp)
        • Full memory dumps, Kernel dumps, Process dumps
      • Hibernation files
    • Core dumps (ELF)
  • Available tools

    • Windows Preview
    • crash
    • Comae Startdust
  • I/O Memory Management Unit

    • Page Table Translation
    • Segmentation
    • Page Table Entry (PTE)
    • Enhanced Page Tables (EPT)
  • Memory Management

    • Paging, Hibernation, Virtual Address Descriptors (VADs)
  • Process Management

    • Asynchronous Procedure Call (APC)
    • Process Isolation
    • Windows Subsystem for Linux (WSL)
  • Secure Virtual Memory (VSM)

    • Virtualization-Based Security (VBS)
    • Trustlets (LSAISO, BIOSO, vTPM, HVCI)
    • Windows Defender Application Guard
      • Edge, Office 365
  • Hardware Isolation

    • Software Guard Extensions (SGX)
    • Kernel DMA protection
      • The death of hardware based acquisition.
  • Virtual Trust Level (VTL)

    • Credential Guard
  • Secure Kernel

    • Isolation User Mode (IUM)
      • Secure Mode Application RunTime (SMART)
  • Mini-filters

Instructor

Matt Suiche The instructor is contributions to the information security community include, but not limited to:

Matt Suiche is also known for being one of the co-founder of application virtualization start-up, CloudVolumes which was acquired by VMware in 2014, the organizer and host of OPCDE, to have explained how DOUBLEPULSAR was initially instrumented to infect SWIFT Service Bureau, to have helped develop a utility (wanakiwi) to decrypt WannaCry ransomware encrypted files.

Location

We does not run these courses at fixed locations. Instead, we come to you, (almost) anywhere in the world, and train your individual team, group, or organization in a private setting of your choosing. And if we can’t come to you because of the pandemic we can also deliver the course online.

Minimum 6 students.