Half of the bootcamp done! Time really flies.
Today we took a deep dive into memory forensics, focusing on RAM dumps. RAM gives us a snapshot of what a system is doing right now, which can include:
- Running processes and loaded executables
- Open network connections and ports
- Logged-in users and recent shell commands
- Decrypted content, like passwords or encryption keys
- Injected code or fileless malware
After lunch, we had an assessment covering the forensics concepts we’ve been learning – and we crushed it. Our cohort scored 94% overall, a record! One question about NIST tripped a few of us up… actually, it didn’t. Only because Kevin (the teacher) gave us that one as a freebie before the assessment.
Next, we fired up Volatility 3 to analyze a Windows memory dump. Volatility is a powerful framework for memory analysis, offering tons of plugins tailored for digging into all the nooks and crannies of system memory.
Here are just a few of the Windows plugins we used:
- windows.cmdline – Shows process command line arguments
- windows.pslist / windows.pstree – Lists running processes and parent-child relationships
- windows.netscan / windows.netstat – Reveals network activity
- windows.drivermodule – Detects hidden drivers (like rootkits)
- windows.filescan – Scans for file objects in memory
- windows.mftscan – Looks for Alternate Data Streams
- windows.getsids – Lists security identifiers (SIDs) associated with processes
- windows.handles – Shows open handles and what’s interacting with what
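The pslist/pstree output is where most of the triage actually happens, so here is an added example (my own script, not part of the original post or of Volatility) that does by hand what you end up doing by eye: it parses a trimmed, constructed windows.pslist-style table (only PID, PPID, ImageFileName and CreateTime; real output has more columns, so the parser would need adapting), rebuilds the parent-child tree the way pstree renders it, and flags two classic leads: processes whose parent is missing from the listing, and core system processes whose parent is not the one Windows normally gives them. The expected-parent table is an assumption of the example, not something Volatility ships.

```python
"""Triage a Volatility 3 windows.pslist-style listing (added example, not Volatility code).

Assumes a constructed, trimmed table with the columns PID PPID ImageFileName CreateTime.
"""
from collections import defaultdict

# Constructed sample in the shape of a trimmed windows.pslist table.
# Two things are planted: explorer.exe's parent (userinit.exe) has exited, which
# is normal, and a second "lsass.exe" hangs off a PID that does not exist.
SAMPLE_PSLIST = """\
PID PPID ImageFileName CreateTime
4 0 System 2024-01-01T08:00:00
368 4 smss.exe 2024-01-01T08:00:01
520 368 csrss.exe 2024-01-01T08:00:02
612 368 wininit.exe 2024-01-01T08:00:02
700 612 services.exe 2024-01-01T08:00:03
720 612 lsass.exe 2024-01-01T08:00:03
1040 700 svchost.exe 2024-01-01T08:00:05
2200 3100 explorer.exe 2024-01-01T08:01:00
2444 2200 winword.exe 2024-01-01T08:05:00
2500 2444 powershell.exe 2024-01-01T08:05:10
2612 2500 cmd.exe 2024-01-01T08:05:12
3330 9999 lsass.exe 2024-01-01T08:07:00
"""

# Assumed baseline of who normally launches the core system processes.
EXPECTED_PARENTS = {
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}


def parse_pslist(text):
    """Return {pid: {"ppid", "name", "created"}} from the table, skipping the header."""
    procs = {}
    for line in text.strip().splitlines()[1:]:
        pid, ppid, name, created = line.split()
        procs[int(pid)] = {"ppid": int(ppid), "name": name, "created": created}
    return procs


def build_tree(procs):
    """Group child PIDs by parent PID (the relationship windows.pstree draws)."""
    children = defaultdict(list)
    for pid, info in procs.items():
        children[info["ppid"]].append(pid)
    return children


def orphans(procs):
    """PIDs whose parent is absent from the listing (PID 0 is the legitimate root)."""
    return sorted(pid for pid, i in procs.items()
                  if i["ppid"] not in procs and i["ppid"] != 0)


def ancestry(procs, pid):
    """Image names from pid up to the highest ancestor still present (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain


def unexpected_parents(procs):
    """(pid, name, parent_name) for core processes whose parent is not the expected one.

    A missing parent is reported as "<missing>"; treat it as a lead, not a verdict,
    since short-lived parents (smss.exe instances, userinit.exe) exit normally.
    """
    flagged = []
    for pid, info in sorted(procs.items()):
        allowed = EXPECTED_PARENTS.get(info["name"].lower())
        if allowed is None:
            continue
        parent = procs.get(info["ppid"])
        parent_name = parent["name"].lower() if parent else "<missing>"
        if parent_name not in allowed:
            flagged.append((pid, info["name"], parent_name))
    return flagged


def render_tree(procs):
    """Indented lines in the style of windows.pstree, one root per orphan subtree."""
    children = build_tree(procs)
    roots = [pid for pid, i in procs.items() if i["ppid"] not in procs]
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid} {procs[pid]['name']}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in sorted(roots):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("\n".join(render_tree(procs)))
    print("orphans:", orphans(procs))
    print("lineage of 2612:", " <- ".join(ancestry(procs, 2612)))
    print("unexpected parents:", unexpected_parents(procs))
```

On the sample, `ancestry(procs, 2612)` walks cmd.exe back to explorer.exe through winword.exe and powershell.exe, the kind of Office-to-shell chain worth a second look, and `unexpected_parents` singles out the second lsass.exe while leaving the real one (parent wininit.exe) alone.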
The next lab focused on Linux. It was more of a directory walk-through, showing where to look for valuable artifacts:
- /etc/passwd – User account info
- /var/log/wtmp – Historical login records
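Both of those files are easy to read programmatically once you know their layout, so here is an added example (mine, not from the course or the original post) that parses a constructed wtmp byte string and a constructed passwd file, reconstructs login sessions, and pulls out the one passwd check every Linux triage starts with: accounts other than root that carry UID 0. The wtmp layout assumed is the 384-byte glibc utmp record used on x86_64 Linux; 32-bit builds and other libcs lay the struct out differently, so verify the record size before running this against a real image.

```python
"""Parse /var/log/wtmp records and /etc/passwd entries (added example, not course code).

Assumes the glibc x86_64 utmp layout (384-byte records). All sample data is constructed.
"""
import struct
from datetime import datetime, timezone

# struct utmp on glibc/x86_64: ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], exit status (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4],
# 20 reserved bytes -> 384 bytes total.
UTMP_FORMAT = "<h2xi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def make_record(ut_type, pid, line, user, host, ts):
    """Build one constructed wtmp record; only used to fabricate the sample below."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")


# Constructed wtmp: a reboot, two logins, and one logout (UTC timestamps on 2024-01-01).
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", 1704096000),            # 08:00 boot
    make_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", 1704096600),   # 08:10
    make_record(USER_PROCESS, 1340, "pts/1", "root", "203.0.113.9", 1704097200), # 08:20
    make_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1704098400),        # 08:40 alice out
])

# Constructed /etc/passwd with a planted second UID-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc-sync:x:0:1001::/tmp:/bin/sh
"""


def parse_wtmp(data):
    """Return one dict per complete record; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FORMAT, data, off)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
            "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),  # f[9] is ut_tv.tv_sec
        })
    return records


def logins(records):
    """Only the USER_PROCESS entries, i.e. actual logins."""
    return [r for r in records if r["type"] == USER_PROCESS]


def sessions(records):
    """Pair each login with the next DEAD_PROCESS on the same terminal line."""
    out, open_by_line = [], {}
    for r in sorted(records, key=lambda r: r["time"]):
        if r["type"] == USER_PROCESS:
            entry = {"user": r["user"], "line": r["line"], "host": r["host"],
                     "login": r["time"].isoformat(), "logout": None}
            open_by_line[r["line"]] = entry
            out.append(entry)
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            open_by_line.pop(r["line"])["logout"] = r["time"].isoformat()
    return out


def parse_passwd(text):
    """Split the seven colon-separated passwd fields into dicts."""
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                         "gecos": gecos, "home": home, "shell": shell})
    return accounts


def extra_uid0(accounts):
    """Account names other than root that resolve to UID 0."""
    return [a["name"] for a in accounts if a["uid"] == 0 and a["name"] != "root"]


if __name__ == "__main__":
    for s in sessions(parse_wtmp(SAMPLE_WTMP)):
        print(f"{s['user']:8} {s['line']:6} {s['host']:14} {s['login']} -> {s['logout']}")
    print("extra UID 0 accounts:", extra_uid0(parse_passwd(SAMPLE_PASSWD)))
```

`sessions()` is the useful part: a login with no matching logout is either still open or was cut off by a crash or a tampered log, and the root login from an outside address with no logout is exactly the line you would chase next in auth.log.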
This one was calmer, but it built a solid foundation for identifying traces in Unix-based systems.
After class… I finally finished Cybersecurity Path 101!
The last few labs were forensics-related, so they lined up perfectly with everything we covered today.
To wrap it all up, I used:
- FLARE VM – A Windows-based reverse engineering suite packed with tools like:
  - Procmon – Real-time process monitoring
  - Process Explorer – Visualizes process trees and handles
  - PEStudio – Analyzes executable metadata
  - FLOSS – Extracts obfuscated strings from malware
Then I switched to REMnux VM, a Linux-based malware analysis distro that’s basically a sandbox for tearing malware apart safely.
Using oledump.py, I analyzed a suspicious .xlsm file linked to Agent Tesla and uncovered a hidden PowerShell payload. I even simulated a fake network to observe the malware behavior in a safe environment. It felt like running my own mini threat-intel lab!
I’m so proud to have finished today! I told myself I was going to finish it by Friday and I did it! Now I can jump straight into the Junior Pentesting path!
