Memory forensics Incident Response
RCCE students will learn volatile memory acquisition and analysis including RAM capture techniques, process enumeration, network connection analysis, code injection detection, rootkit discovery, and malware artifact extraction from memory. RCCE students will learn to use memory forensics tools to acquire memory images from live systems, analyze process trees for suspicious parent-child relationships, detect hidden and injected processes, extract encryption keys and credentials from memory, identify command and control communications, reconstruct attacker activity from memory artifacts, and integrate memory forensics findings into broader incident investigation timelines. This incident response course prepares students to act decisively during security incidents with structured workflows and clear decision frameworks. Building on core knowledge, RCCE students will learn containment, evidence collection, eradication, and recovery procedures specific to this domain. Students practice incident scenarios that build the composure, coordination, and documentation skills essential for effective incident handling.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Memory forensics Incident Response
- Execute hands-on tasks for memory forensics
- Build detections and response workflows for privilege escalation
- Execute hands-on tasks for volatile memory acquisition, analysis & incident handling
- Execute hands-on tasks for intermediate level
- Execute hands-on tasks for module objectives
- Execute hands-on tasks for volatile memory acquisition
- Execute hands-on tasks for process analysis
- Execute hands-on tasks for why memory forensics matters
- Execute hands-on tasks for non-volatile (disk) — covering Running processes and threads, File system artifacts.
- Execute hands-on tasks for 4 running processes
- Execute hands-on tasks for 5 disk / temp files
| Module 01 | Memory Forensics |
| Module 02 | Incident Response |
| Module 03 | Volatile Memory Acquisition, Analysis & Incident Handling |
| Module 04 | Intermediate Level |
| Module 05 | Module Objectives |
| Module 06 | Volatile Memory Acquisition |
| Module 07 | Process Analysis |
| Module 08 | Injection Detection |
| Module 09 | Why Memory Forensics Matters |
| Module 10 | Non-Volatile (Disk) |
| Module 11 | 4 Running Processes |
| Module 12 | 5 Disk / Temp Files |
| Module 13 | Memory Architecture Fundamentals |
| Module 14 | Physical Memory |
All hands-on labs run on Rocheston Rose X OS. Students practice memory forensics incident response by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for memory forensics
- Lab 2: Build detections and response workflows for privilege escalation
- Lab 3: Execute hands-on tasks for volatile memory acquisition, analysis & incident handling
- Lab 4: Execute hands-on tasks for intermediate level
- Lab 5: Execute hands-on tasks for module objectives
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Memory forensics Incident Response, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI