RCA: RAM Capture and Analysis

This course is designed for the law enforcement professional who needs to leverage volatile memory to find evidence that does not exist on disk. The class will progress just like an investigation. On Day 1, students will build a device that will be used to access a locked Windows system. Students will learn additional skills to bypass login screens on Windows and Linux systems using older and newer open-source techniques. The course will introduce how the kernel and address translation work. Additional sources of memory such as page, hibernation, and dump files are discussed. Then, the students will spend Day 2 learning different techniques to capture RAM on Windows, Mac, and Linux systems. The students will learn about advanced topics such as RAM on virtual machines and capturing RAM over a network. On Day 3, the students will compare commercial and open-source tools to analyze memory. Upon completion of the course, the students will be comfortable using command-line tools for RAM analysis, even if this is their first time in a terminal. Day 4 will focus on password cracking. Students will learn techniques to use open-source tools to find the passwords for encrypted containers. On Day 5, the students will learn additional techniques to break into encrypted partitions.

WHEN:  January 12 – 16, 2026. This class will finish at midday on Friday.

COST: $2,695.00 US Dollars

EQUIPMENT: Classroom laptops and additional equipment will be provided to the students to take home and keep.

REGISTRATION: Click HERE for information about registration and hotel accommodations