RAM: Capture and Analysis

The course will focus on the collection and analysis of memory-resident artifacts as a means of speeding up the forensic workflow. Use artifacts gleaned from system memory to help guide the scope of your forensic investigation and focus on those artifacts relevant to your case. Students will use open source and commercial forensic tools to collect and analyze memory images. The course will focus on memory (RAM) analysis of Windows host systems.  Students will learn how to use memory forensics as a process for speeding up and implementing their forensic workflow. There will be a hands on labs exercises that will allow students the opportunities to use the skills they learn in class to investigate the user as well as hunt malware on the system.

Students will use both command line and GUI-based tools to collect and analyze system RAM, pagefile and hibernation files. Students will use various tools to convert compressed hibernation files to .bin files as a means to ingest the files into memory forensic tools for analysis. You will learn to parse stream-based data for strings in order to build wordlists that can be used to brute-force user passwords or incorporate the wordlists into the forensic software of your choice for conducting an analysis on the file system of the suspect’s hard drive. Students’ will get hands on experience with writing YARA rules and a look at what it takes to write their own plugins and modules.  Use command line analysis tools like Volatility and Rekall to analyze and dump Registry files, shimcache, password hashes, user SIDS, the USNJournal and prefetch files, Shellbags and the Master Boot Record from system memory. The course will demonstrate how to investigate active network connections in memory that may involve FTP and P2P connections relevant to investigations. Use memory forensic analysis to possibly gain access to encrypted TrueCrypt/VeraCrypt volumes and generate timelines from memory analysis. Students will be introduced to malware analysis via memory forensics, where they will have opportunities to statically and dynamically analyze malware.

PREREQUISITE: A basic understanding of Windows, Mac and Linux Operating Systems would be helpful, but is not required. 


The 2019 Orlando Courses are going on now.

Check back soon for more information about our 2020 IACIS Conference: April 27-May 8, 2020.


Existing IACIS members simply log in with your credentials and go to the products page to purchase and register for the course.

For non-IACIS members, the membership fee is waived with the purchase of the training course; however, to register for the course you must complete a membership application at the time of purchase.

Apply for membership and purchase the course on the PRODUCTS PAGE.

COST: $1,495 US Dollars

  • Cancellation of this class may occur if there are insufficient students registered. In the event of a cancellation, personnel will typically be notified by email within 48 hours of the registration closure date. IACIS is not responsible for any individual expenses incurred as a result of a cancellation. The limit of IACIS financial liability is a full refund of the course fee.

****Payment MUST BE RECEIVED at least 45 days prior to the first day of class. Any payment arrangements other than payment through the website or payment via invoice must be approved by the IACIS Treasurer prior to admittance into the course. Please contact the treasurer for questions and approval (treasurer@iacis.com).  Cancellations within 45 days from the start of class to 30 days from the start of class will be subject to a $150 cancellation fee. There will be no refunds within 30 days from the start of class.****

* On-Site Check-in Times (student pickup of equipment, ID card, IACIS info) are:

             Sunday, May 5, 2019 : 1800 – 2100

             Monday, May 6, 2019: 0700 – 0800 

* Please make arrangements to arrive in time to check-in so that you may be in class promptly the first day.


Please read the following notes regarding this class:

  1. Classes begin at 8:00 AM ET and conclude at 5:00 PM ET, each day, with a one hour lunch break. Classes will end at 4:00 PM ET on the last day of class. Please do not arrange for departing flights prior to 7:00 PM ET to allow time for travel to the airport and any security clearances.
  2. The dress code for the conference is business casual (collared shirts and slacks).The wearing of shorts, flip flops, tank tops, etc. is not allowed in the classroom. Personal computers are not permitted in the classroom. Students are required to attend all classes to successfully complete the program. Students who fail to meet the attendance requirements will not be issued a certificate at the conclusion of the program.


The 2019 course will be taught at the Caribe Royale Hotel, 8101 World Center Drive, Orlando, Florida 32821 (USA).  This hotel has much more conference space than our previous hotel. Additionally, it’s closer to the Orlando International Airport, has a much larger pool, spacious workout facility and is very close to Disney World and Universal Studios.


You will find the information for your online reservation link below. If you have questions or need help with the link, please do not hesitate to ask. We appreciate your business and look forward to a successful event.

Rates are valid for the following dates: 4/19/19 thru 5/16/19

Caribe Royale Hotel is offering a special group rate of $121/night(US Government Rate)

Last day to book at the special group rate: 4/19/19