Memory forensics Monitoring and Detection: Fast Track
RCCE students will learn volatile memory acquisition and analysis including RAM capture techniques, process enumeration, network connection analysis, code injection detection, rootkit discovery, and malware artifact extraction from memory. RCCE students will learn to use memory forensics tools to acquire memory images from live systems, analyze process trees for suspicious parent-child relationships, detect hidden and injected processes, extract encryption keys and credentials from memory, identify command and control communications, reconstruct attacker activity from memory artifacts, and integrate memory forensics findings into broader incident investigation timelines. This monitoring course teaches comprehensive detection and observability strategies for proactive security operations. Building on core knowledge, RCCE students will learn to instrument systems for security telemetry, build detection pipelines, configure alerting, and maintain monitoring coverage as environments evolve. Students gain the visibility and detection capabilities needed to catch threats early.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Memory forensics Monitoring and Detection: Fast Track
- Execute hands-on tasks for memory forensics
- Monitor and audit privilege usage; detect escalation attempts
- Explain Course Overview fundamentals
- Build detections and response workflows for privilege escalation
- Execute hands-on tasks for learning objectives
- Execute hands-on tasks for volatile memory fundamentals
- Execute hands-on tasks for what is volatile memory? — covering RAM contents lost on power-off.
- Execute hands-on tasks for why memory forensics? — covering Malware may only exist in memory.
- Design a scalable privilege management architecture with policy and enforcement
- Execute hands-on tasks for virtual address space
- Execute hands-on tasks for kernel pools
| Module 01 | Memory Forensics |
| Module 02 | Monitoring and Detection |
| Module 03 | Course Overview |
| Module 04 | Detection & Monitoring |
| Module 05 | Incident Response |
| Module 06 | Learning Objectives |
| Module 07 | Volatile Memory Fundamentals |
| Module 08 | What Is Volatile Memory? |
| Module 09 | Why Memory Forensics? |
| Module 10 | Memory Architecture: Windows Internals |
| Module 11 | Virtual Address Space |
| Module 12 | Kernel Pools |
| Module 13 | Memory Architecture: Linux Kernel |
| Module 14 | Process Address Space |
All hands-on labs run on Rocheston Rose X OS. Students practice memory forensics monitoring and detection: fast track by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for memory forensics
- Lab 2: Monitor and audit privilege usage; detect escalation attempts
- Lab 3: Explain Course Overview fundamentals
- Lab 4: Monitor and audit privilege usage; detect escalation attempts
- Lab 5: Build detections and response workflows for privilege escalation
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Memory forensics Monitoring and Detection: Fast Track, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI