13Cubed Investigating Windows Memory Course/Exam Review

Introduction

This review aims to provide future students an honest review of the Investigating Windows Memory course and exam. This will be an unbiased review, mixed with some advice to assist you in your studies. For context, I have completed the entire course, scored the gold badge (i.e., passed on first attempt), passed the Investigating Windows Endpoint exam, hold the GIAC Certified Forensic Examiner certification, and am currently enrolled in the Digital Forensic Master’s program at UCF. This additional context was stated to brief the audience on the competence that I enrolled with, as I believe it helped with certain portions of the course.

Lastly, you can find the FAQs and Syllabus for the course here. Let’s begin the review.

Content

The course is packed with hours of content. Richard Davis, the author, starts by diving into the foundation of memory forensics. Some memory structure terms covered in detail are Kernel Debugger Data Block (KDBG), _EPROCESS blocks, the Process Environment Block (PEB), Virtual Address Descriptor (VAD) trees, and core Windows system processes to learn what “normal” looks like so that you can quickly find anomalies. Similar to SANS, the course includes high-quality posters, which are often referenced, to help visualize “normal” memory structures and processes. After that, you are presented with disparate tools and a brief setup guide to prepare your host for memory examination. Let’s cover the three main tools covered in the course:

Volatility
MemProcFS
WinDbg

Starting with Volatility, a CLI-based tool, this takes up most of the course. Richard does a great job covering important plugins, both the deprecated and current versions, while explaining how it relates to the memory structure. For example, the plugin Psscans scans for hidden processes and processes that have been removed from doubly linked lists by scanning pool tags. Doubly linked lists was a term covered in the foundation lesson. This way of teaching helps students understand WHY it functions that way; the plugin can help find unlinked processes.

The next major tool is MemProcFS, which is insanely powerful. Per its GitHub, MemProcFS is an easy and convenient way of viewing physical memory as files in a virtual file system. Easy, trivial point-and-click memory analysis without the need for complicated command-line arguments! It makes sense why it is introduced later in the course, as it makes the former tool slow in comparison. I will speak more about this later. The final tool is WinDbg, a program that allows you to inspect various parts of a program’s execution, inspect memory, change bytes, set breakpoints (pausing execution), and more according to SANS. Richard does a great job showing how low you can get with memory analysis in that section.

It’s very important to take notes on everything said in the course, seeing that it is not only on-demand (a year of access) but packed with tons of knowledge which you will likely forget over time. As a huge plate of food, I slowly consumed the course over time. Here is an example of my notes, which helped me tremendously during the examination, both the theoretical and technical portions: IWM Course Notes

Setup

I would like to cover this section before I close with the exam. When I started the course, I had an M1 Mac computer. This could be used for memory forensics if you utilize the Parallels hypervisor and the Windows VM on ARM. I decided not to pursue this option given the space requirements and other reasons. As Richard told me in a conversation via the course web chat, “there aren’t many alternatives to just using a bare metal x86/x64 Windows machine or a VM.” I decided to adopt the method he used in the course: a headless (no monitor) Windows mini-PC strictly for memory forensics, which I can RDP into from the Mac. This allowed me to separate my systems for their respective use cases, especially during the malware memory investigations. I decided to invest in the following KAMRUI Mini PC Computer, Intel Processor N97 (up to 3.6 GHz), 16GB DDR4 RAM 256GB M.2 SSD. At the time of this writing, the PC is $129.99. This is shy of a Parallels subscription which can range around $119.99. Seeing that the installed OS is Windows, I can run MemProcFS on the host with Volatility on WSL2, a feature in Windows that allows users to run a Linux environment directly on their Windows machine without needing a separate virtual machine or dual-booting. IWM Headless PC

Exam

The exam was challenging, taking me 10 hours in total. To circle back to the introduction again, my previous experience gave me much clarity on forensics artifacts that I was able to pull from memory. However, memory forensics as a practice was new to me. Back to the exam, a minimum of 70 points is required to pass:

20 multiple choice questions based on the course content (1 point per question);
40 fill-in-the-blank/multiple choice questions based on the memory image (2 points per question).

The exam is not timed and is open-book, hence the importance of taking notes. There were some times where I had to take breaks, revise my methods, then try again. Circling back to the tools, I ended up using all three tools, mainly Volatility as I was accustomed to it. I suggest you utilize whatever works for you. I took notes of my findings and utilized them for subsequent (and past) questions. You want to make sure you are technically ready for the exam. Richard provides many practice memory images in the course and he does have seldom memory challenges on his YouTube channel and the BlueYard platform.

It’s heavily advised to take the Investigating Windows Endpoint (or a similar course) before diving into this course and exam. You are technically examining the volatile storage (i.e., memory) of a Windows Endpoint. If you have an understanding of the persistent storage (e.g., SSD), it will make the course and exam easier.

Conclusion

The course is amazing. While the Volatility plugin section was rather long, I am glad Richard introduced other tools within the course. The Linux CLI commands for sorting through information was a game-changer, which was one of the main reasons I utilized Volatility primarily over MemProcFS in the exam. The course is constantly updated with new lessons when the time is needed. Also, the student support is superb, uber-level. Richard and the team were able to assist me with all my inquiries within 24 hours, even over the weekend. I hope this review provides some clarity to those on the edge of taking the course. At work, I am now looking at processes with a second eye, making sure I can spot anomalies from the “normal” chain of processes.