Memory forensics for Beginners
RCCE students will learn volatile memory acquisition and analysis including RAM capture techniques, process enumeration, network connection analysis, code injection detection, rootkit discovery, and malware artifact extraction from memory. RCCE students will learn to use memory forensics tools to acquire memory images from live systems, analyze process trees for suspicious parent-child relationships, detect hidden and injected processes, extract encryption keys and credentials from memory, identify command and control communications, reconstruct attacker activity from memory artifacts, and integrate memory forensics findings into broader incident investigation timelines. Designed for students with no prior experience in this area, this course builds knowledge from the ground up with clear explanations, guided demonstrations, and progressive skill-building. Starting from foundational concepts, RCCE students will learn core concepts through practical examples that connect theory to real-world security operations. By completion, students will have the foundational knowledge and hands-on confidence needed to contribute in professional cybersecurity roles.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Memory forensics for Beginners
- Explain Course Overview fundamentals
- Execute hands-on tasks for what you will learn
- Execute hands-on tasks for course structure — covering 4 hours of guided instruction and labs.
- Execute hands-on tasks for what is memory forensics?
- Execute hands-on tasks for why it matters — covering Analysis of volatile computer memory (RAM), Malware often lives only in memory.
- Execute hands-on tasks for non-volatile data (persists) — covering Running processes and threads, Files on hard disk or SSD.
- Execute hands-on tasks for network state / routing tables
- Design a scalable privilege management architecture with policy and enforcement
- Execute hands-on tasks for physical memory
- Execute hands-on tasks for virtual memory — covering Actual RAM chips on motherboard, Abstraction layer over physical memory.
- Execute hands-on tasks for forensic significance — covering Memory divided into 4KB pages (typical), Paged-out memory may be on disk (pagefile).
- Execute hands-on tasks for multi-level page tables in modern os — covering Paged-out memory may be on disk (pagefile).
| Module 01 | Course Overview |
| Module 02 | What You Will Learn |
| Module 03 | Course Structure |
| Module 04 | What Is Memory Forensics? |
| Module 05 | Why It Matters |
| Module 06 | Non-Volatile Data (Persists) |
| Module 07 | Network State / Routing Tables |
| Module 08 | Memory Architecture Fundamentals |
| Module 09 | Physical Memory |
| Module 10 | Virtual Memory |
| Module 11 | Forensic Significance |
| Module 12 | Multi-level page tables in modern OS |
| Module 13 | Kernel Space |
| Module 14 | User Space |
All hands-on labs run on Rocheston Rose X OS. Students practice memory forensics for beginners by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Explain Course Overview fundamentals
- Lab 2: Execute hands-on tasks for what you will learn
- Lab 3: Execute hands-on tasks for course structure
- Lab 4: Execute hands-on tasks for what is memory forensics?
- Lab 5: Execute hands-on tasks for why it matters
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Memory forensics for Beginners, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI