SEC-T - 0x0Anniversary

September 14-15, 2017 – Stockholm, Sweden

SEC-T2ion 2017

This year SEC-T introduces pre-conference trainings!
We will offer two 2-day workshops on the days prior to the conference:

A practical approach to malware analysis and memory forensics
Hashcat for IT-forensics

Hashcat has already been sold-out, but there is still time to grab a seat at the malware analysis workshop.

Order a workshop together with your ticket at:

A practical approach to malware analysis and memory forensics

Malware analysis and memory forensics are powerful analysis and investigative techniques used in reverse engineering, digital forensics and incident response. With adversaries becoming more sophisticated and carrying out advanced malware attacks on critical infrastructures, Data Centers, private and public organizations, detecting, responding and investigating such intrusions are critical to information security professionals. Malwareanalysis and memory Forensics have become a musthave skill for fighting advanced malwares, targeted attacks and security breaches. This training introduces you to the topic of malware analyis, reverse engineering, Windows internals, and techniques to perform malware and Rootkit investigations of real world memory samples using open source advanced memory forensics framework (Volatility). The training covers analysis and investigation\
of various real world malware samples and infected memory images(crimewares, APT malwares, rootkits etc) and contains hands on labs to gain better understanding of the subject.

The training provides practical guidance and attendees would walk away with the following skills:

Day 1:

Introduction to Malware Analysis

Static Analysis

Dynamic Analysis/Behavioural Analysis

Automating Malware Analysis (sandbox)

Code Analysis

Introduction to Memory Forensics

Volatility Overview

Day 2:

Investigating Process

Investigating Process Handles & Registry

Investigating Network Activities

Investigation Process Memory

Investigating User Mode Rootkits

Memory Forensics in Sandbox Technology

Investigating Kernel Mode Rootkits

Memory Forensic Case Studies

Who should take this course?

This course is intended for forensic practitioners, incident responders, cyber security investigators, malware analysts, system administrators, software developers, students and curious security professionals new to this field and anyone interested in learning malware analysis and memory forensics.



Note: VMware player or VirtualBox is not recommended for this training.


About the teacher

Monnappa K A works with Cisco Systems as information security investigator focusing on threat intelligence, investigation of advanced cyber attacks, researching on cyber espionage and APT attacks. He is author of Limon sandbox (for analyzing Linux malwares) and winner of Volatility plugin contest 2016. He is the co-founder of the cyber security research community “Cysinfo” ( His fields of interest include malware analysis, reverse engineering, memory forensics, and threat intelligence. He has presented at security conferences like Black Hat, FIRST, 4SICS-SCADA/ICS summit, DSCI, National Cyber Defence Summit and Cysinfo meetings on various topics which include memory forensics, malware analysis, rootkit analysis, and has conducted trainings at FIRST (Forum of Incident Response and Security teams) conference and 4SICS-SCADA/ICS cyber security summit. He has also authored various articles in Hakin9, eForensics, and Hack[In]sight magazines. You can find some of his contributions to the community in his YouTube channel (

Hashcat for IT-forensics

Day 1: (Basic)

– Introduction how hashcracking work in general
– Different Attack modes
– Example: Basic wordlist cracking
– Example: Mask attack cracking
– Example: Mask attack cracking with known fixed password substrings
– Example: Mask attack cracking against a known password policy
– Example: Extracting a hash from a TrueCrypt Volume and make it portable
– Example: Cracking a Truecrypt Volume
– Example: Extracting a hash from a LUKS Volume and make it portable
– Example: Cracking a LUKS Volume
– How to use an external password generator to feed hashcat instead of internal attack modes
– Ideal Hardware for cracking
Day 2: (Advanced)

– Distributing work across multiple machines
– How to crack non-english passwords with foreign language special characters
– Example: Modifying a hashcat kernel to support a very long salt which is otherwise not supported by hashcat
– Example: Modifying a hashcat kernel to crack truncated hashes which is otherwise not supported by hashcat
– Example: Cracking a cipher with Known-Plaintext attack with guaranteed success rates
– Handle special requests from the Students