Sign In
Specialist Course

Purple Team Memory Forensics for DFIR Practitioners, Detection Engineers, and Threat Hunters

Aligned to NIST SP 800-86MITRE ATT&CKVolatility 3Mandiant tradecraft

Applied Memory Forensics

Run the attack, capture memory, analyze what you left behind.

Learn memory forensics by executing real attacks and investigating your own artifacts. Every module, you run a specific attacker technique from Kali against a Windows or Linux target, capture memory before and after, and analyze what the attack left behind using Volatility 3. Detect process injection, extract credentials from LSASS, identify fileless malware, find persistence mechanisms, and reconstruct attack timelines from volatile evidence.

Start Free — No Account Needed View Pricing
Content last updated: April 2026
ATTACK, CAPTURE, ANALYSE — THE LOOP PHASE 1 Baseline — capture clean Windows or Linux target VM Tool: WinPmem, LiME, hypervisor .vmem — learner acquires PHASE 2 Attack — execute scripted technique from Kali attacker VM Tools: Metasploit · Mimikatz · PowerShell · PoC driver · LKM rootkit PHASE 3 Post-attack capture — memory of the compromised target Learner owns clean baseline + compromised pair PHASE 4 Analyse — VAD, EPROCESS, task_struct, kernel objects Tools: Volatility 3, MemProcFS, WinDbg, YARA, bulk_extractor PHASE 5 Variant — execute a variation, apply method independently Self-verified against expected findings in the lab pack 10 modules 7 attacks 11 captures 90+ hours
View Pricing Download Lab Pack Take End of Course Exam → 40 CPE Credits

What you'll be able to do

Detect process injection, fileless malware, and credential theft in memory dumps
Execute attacks and analyze the memory artifacts they produce
Extract IOCs from volatile evidence that never touches disk
Analyze both Windows and Linux memory captures with Volatility 3
Reconstruct attack timelines from volatile memory evidence

The attack-capture-analyse method

Every paid module runs the same loop. Capture the clean baseline. Execute the attack from Kali. Capture the compromised target. Analyse what changed. Execute a variant and analyse it on your own. You don't read about reflective DLL injection — you run it, capture the memory, and see the injected region in the VAD tree for the process you just migrated into. Three learning loops deep: you did the attack, you captured the evidence, you analysed what your attack left behind.

Who this course is for

DFIR practitioners who want to understand attacker techniques from the perspective of the evidence they produce. If you've investigated incidents and hit cases where disk analysis alone wasn't enough, this is how you build the memory-side expertise.

Detection engineers building detections for memory-resident threats. The course teaches exactly what each attack looks like in memory — which is what your detections need to catch.

SOC analysts moving into advanced investigation who want hands-on exposure to attacker techniques without committing to a full offensive security course.

Threat hunters who need to recognise attacker memory artifacts in the wild and want the underlying structure knowledge to hunt proactively.

Red teamers cross-training into blue. The course's inverted structure makes the transition explicit — you already know the offensive side; this course shows what your tradecraft looks like from the defender's seat.

The toolkit — free tools, real attacks, memory you captured yourself

Attack toolkit (Kali): Metasploit Framework, Mimikatz, PowerShell reflective loaders, proof-of-concept kernel driver, proof-of-concept LKM rootkit. Memory analysis: Volatility 3 (primary), MemProcFS (complementary), WinDbg (kernel analysis), YARA (pattern matching), bulk_extractor (carving). Acquisition: WinPmem (Windows), LiME (Linux), hypervisor-based VMware .vmem extraction. Every tool pinned in the lab pack. When tools update and break playbooks, the version file updates; modules don't.

Why take this course

For forensic analysts, IR practitioners, and malware researchers moving into memory-resident threats. You finish able to investigate memory-only implants, process injection, and rootkits with Volatility 3 — the specialist capability that lets you work APT and fileless malware cases other investigators hand off.

What you will be able to do

1. Execute 7 distinct attacker techniques from Kali against Windows and Linux targets — reflective DLL injection, credential theft, fileless malware, persistence, kernel-level compromise, SSH brute force, and Linux rootkits — and produce reproducible memory artifacts for each.

2. Acquire memory from Windows and Linux systems using multiple methods and verify evidence integrity for court-defensible handling.

3. Identify the memory artifacts each attacker technique generates — what changes in the process list, VAD tree, handle table, kernel structures, and network connection tables.

4. Detect code injection, process hollowing, and reflective DLL loading by analysing the memory artifacts of attacks you have just executed.

5. Extract cached credentials from Windows LSASS and Linux credential stores, and explain the security boundary each caching mechanism assumes.

6. Detect kernel-level compromise on Windows (SSDT hooks, DKOM, callback manipulation) and Linux (LKM rootkits, syscall hooking, eBPF abuse).

7. Build memory-based timelines correlating attacker actions with memory artifacts, and correlate with disk and network evidence.

8. Produce investigation reports to the Ridgeline content standard — findings, confidence assessment, methodology documentation — using your own lab captures as evidence.

Course at a glance

Modules: 10 (MF0–MF9) across 4 phases

Estimated duration: 90+ hours (self-paced)

Format: Written content — attack playbooks, annotated Volatility 3 commands, SVG diagrams, worked examples, knowledge checks

Free content: MF0–MF1 (2 modules) — no account required

Paid content: MF2–MF9 (8 modules) — Specialist subscription

Deployable artifacts: Attack playbooks, memory analysis references, detection signatures, investigation report templates

Typical pace: ~10-18 weeks at 5 hrs/week

MITRE ATT&CK coverage: 23 techniques mapped

Built by Ridgeline Cyber

Ridgeline Cyber Defence builds security operations training grounded in practical and operational experience. The team behind this course runs CSOC operations across Microsoft 365, on-prem Windows, and Linux environments, and has led DFIR investigations where memory evidence was decisive.

Every attack in this course is one a practitioner has executed. Every analysis technique is one they use in real investigations. The memory artifacts you learn to recognise are the ones real attackers leave behind — taught by showing you how they leave them.

This is not a theoretical course. It is a practitioner course for practitioners.

What this course does NOT cover

Deliberate scope boundaries. If any of these is your primary need, the sibling course is the better fit.

Lab environment — what you build, what you capture

Three VMs, all on your own hardware. Target-Win — Windows 11 Evaluation (free 90-day), the primary victim for Windows attacks. Target-Linux — Ubuntu 22.04 LTS, the victim for the Linux module. Kali — Kali Linux (or Parrot OS), the attacker VM from which all attack playbooks run. All three on an isolated host-only network. No internet access required for attack execution. No callbacks to production systems. No risk to anything outside the lab.

Hardware requirement: 16GB RAM (32GB recommended), 300GB disk, modern CPU with virtualisation extensions. VMware Workstation Pro (free) or VirtualBox.

Learner-captured evidence library. By the end of the course you own 2 clean baseline captures (Windows and Ubuntu), 8 attack-specific compromised captures (one per paid module), and 1 capstone investigation capture from the chained attack in MF9. 11 memory images total — all captured by you, nothing hosted centrally, nothing shipped. Your lab. Your captures. Your reference library.

Lab Pack — Attack, Capture, Analyse

This course includes a complete lab pack with everything you need to run the attacks and investigate the results. Setup scripts configure all three VMs. Attack playbooks provide step-by-step commands for every module. Proof-of-concept source code for the kernel driver (MF6) and LKM rootkit (MF7) is included with build instructions. Progressive exercises at Standard, Hard, and Expert difficulty for every module. Self-grading verification scripts check your analysis output. HTML walkthroughs show the complete procedure. Investigation report templates match the course standard.

What's included: 3 VM setup scripts (Windows, Linux, Kali), 7 attack playbooks, PoC kernel driver C source with WDK build files, PoC LKM rootkit C source with Makefile, SSH brute-force wordlist, beacon script template, 21 practice exercises (Standard/Hard/Expert), 7 self-grading verification scripts, 10 HTML walkthroughs, 4 investigation templates (report, finding, timeline, persistence).

What's NOT included: Memory images (you capture your own — this is a core skill), pre-compiled binaries (you build the PoC tools from source), or analysis tools (Volatility 3, WinPmem, LiME — install per the Lab Setup Guide). This is by design. Capturing your own memory and building PoC tools from source are skills, not overhead.

Applied Memory Forensics Lab Pack v2.0
7 attacks · 10 walkthroughs · 21 exercises · 7 verification scripts · 4 report templates · PoC source code
Download Lab Pack (.zip)

Not a red team course

The attacks are scripted, minimal, reproducible. One command, or a short playbook. The goal is generating memory artifacts for analysis, not teaching offensive tradecraft. If you've never run Metasploit, you'll follow the playbook and it will work. The course assumes DFIR or SOC experience, not attacker experience.

The Kali box is a tool for creating evidence. Not a subject of study.

Prerequisites

Required: None. The course starts at the landscape level and builds structure knowledge from first principles. Existing Ridgeline courses strengthen your base but aren't required.

Useful if you have them: Practical IR — the investigation methodology this course applies to memory evidence. Practical Linux IR — baseline Linux forensics that MF7 extends into memory. Detection Engineering — the detection context in which memory artifacts matter.

Course Syllabus

Four phases. MF0–MF1 are free — no account required. MF2–MF9 are Specialist tier.

Free Phase 1 — Foundations

MF0
Memory Forensics Landscape and Lab Setup — Why memory forensics matters and the attack categories where memory is decisive. The three-category taxonomy of memory-resident evidence. The six-phase workflow: Acquire → Identify → Enumerate → Analyse → Correlate → Conclude. Physical vs virtual memory and why it matters for tooling. Volatility 3 and MemProcFS tool orientation. When WinDbg is the right tool. Evidence reliability and confidence assessment. Legal context for memory evidence. Lab setup: VMware, Target-Win, Target-Linux, Kali — the learner finishes this module with a working three-VM lab.
 MF1
Memory Acquisition — Baseline Captures and Evidence Integrity — The acquisition problem: smear, order of volatility, why perfect acquisition doesn't exist. Windows acquisition with WinPmem. Linux acquisition with LiME and AVML. Hypervisor-based acquisition (VMware .vmem) — the gold standard for the lab. Pagefile and swap as memory-adjacent evidence. Acquisition verification and integrity. Smear detection and acquisition quality. Anti-acquisition techniques. Build your evidence library: clean baseline captures of Target-Win and Target-Linux, documented to course standard.

Phase 2 — Windows Memory Analysis

MF2
Process Injection — Attack: Metasploit reflective DLL injection with Meterpreter migration into explorer.exe. The process abstraction in memory (EPROCESS, address space, threads, handles). VAD tree fundamentals. Execute the attack from Kali, acquire the compromised capture, analyse the injected region in explorer.exe's VAD tree. Process hollowing and doppelgänging variants. Extracting and analysing injected code. Variant exercise with a different migration target. Interactive lab: hunt three injection variants.
 MF3
Credential Theft — Attack: Mimikatz via Meterpreter against LSASS. LSASS and the authentication architecture. Extracting NTLM hashes and Kerberos tickets from LSASS with Volatility 3. Credential Guard and its forensic implications. Memory signatures of Mimikatz execution. Non-LSASS credential sources: browser credentials, DPAPI, Credential Manager. Variant exercise: Invoke-Mimikatz reflective execution with no binary on disk. Interactive lab: multi-host credential hunt across default, Credential Guard enabled, and PowerShell reflective configurations.
 MF4
Fileless Malware — Attack: PowerShell-based reflective loader delivered from Kali, payload loads into powershell.exe memory, nothing written to disk. The fileless malware problem. PowerShell as an attack vehicle (AMSI, CLM, bypass techniques). PowerShell process memory analysis. Extracting the in-memory payload. C2 configuration extraction from process heap. PowerShell event log correlation (4104 ScriptBlock). Variant: obfuscated payload de-obfuscated from memory. Interactive lab: three obfuscation levels.
 MF5
Persistence — Attack: scheduled task plus WMI event subscription established from Kali via Meterpreter. Persistence as an attacker investment. Scheduled tasks in memory. WMI event subscriptions in memory: CIM repository, __EventFilter, __EventConsumer, FilterToConsumerBinding. Registry in memory (CMHIVE structures, dirty pages vs disk state). Variant: startup folder and service persistence. Interactive lab: establish four persistence mechanisms, enumerate all from memory.
 MF6
Windows Kernel-Level Compromise — Attack: proof-of-concept kernel driver loaded with test-signing, registers a process creation callback. The Windows kernel object model. Loaded drivers enumeration: PsLoadedModuleList, driver objects, pool-tag-based discovery. Detecting the rogue driver. Kernel callbacks and notify routines. SSDT and IDT analysis. DKOM and PatchGuard. Variant: DKOM-unlinked driver recovered through pool scanning. Interactive lab: rootkit detection across three driver variants.

Phase 3 — Linux Memory Analysis

MF7
Linux Attack and Memory Analysis — Attack: SSH brute force from Kali, privilege escalation to root, PoC LKM rootkit loaded to hide processes and hook a syscall. Linux memory architecture: task_struct, mm_struct, VMA list, kernel vs user split. User-space analysis: task enumeration, SSH session reconstruction, bash command history in memory. Credential extraction from Linux memory (/etc/shadow, SSH agent keys, Kerberos caches). LKM rootkit detection: module list walk, slab scanning, syscall table integrity, VFS hooks. Variant: eBPF-based rootkit detected through BPF map enumeration. Interactive lab: full Linux investigation from brute force to kernel rootkit.

Phase 4 — Integration and Capstone

MF8
Memory Timeline Construction and Multi-Source Correlation — No fresh attack. This module synthesises your existing captures from MF2–MF7 into unified timelines. Memory timestamps and reliability: EPROCESS CreateTime, ETHREAD CreateTime, handle acquisition, connection creation. Building memory-only timelines. Memory-to-event-log correlation (Windows Security 4688, Sysmon 3, PowerShell 4104). Memory-to-disk correlation (file handles → MFT, process images → Prefetch). Memory-to-network correlation. Anti-forensic timeline manipulation and what memory timestamps resist. Interactive lab: unified timeline from three of your own captures.
 MF9
Capstone — Full Attack Chain Investigation — Multi-stage attack chaining techniques from MF2–MF6 — initial access, privilege escalation, credential theft, persistence, data staging. Execute the full chain in one session from Kali against Target-Win. Capture memory at three checkpoints. Perform the complete investigation: initial access analysis, privilege escalation and credential theft analysis, persistence and staging analysis, timeline reconstruction, report production, report critique. Interactive lab: variant attack chain executed and investigated independently, self-assessed against the reference report.

How to get the most from this course

Recommended pace: 1 module every 2–3 weeks, 90+ hours total over 6–9 months alongside a full-time role.

MF0 and MF1 are sequential. Lab setup and baseline captures are required before any paid content. Skipping them breaks every subsequent module.

Build your captures as you go. By MF9 you'll have 10+ memory images from your own attacks. Keep them — they become your personal reference library for every future investigation.

Support and community

Questions about course content: training@ridgelinecyber.com

Billing and account management: Self-service via your account page or training@ridgelinecyber.com

LinkedIn: Follow Ridgeline Cyber for operational security content and course updates

X: @RidgelineCyber

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may use attack playbooks, analysis workflows, detection signatures, and templates from this course in your professional work. You may not redistribute course content, share account credentials, or republish course materials.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organisations, incidents, or individuals is coincidental.

Attack tools: Tools used in this course (Metasploit, Mimikatz, PoC rootkits) are permitted for educational use in isolated lab environments only. Running them against systems you do not own or do not have explicit authorisation to test is illegal in most jurisdictions and violates this course's terms of use.

Version and changelog

Current version: 3.0  |  Last updated: April 2026

v3.0 (April 2026): Complete course. 10 modules across 4 phases, structured around the attack-capture-analyse loop. Learner runs each attack from Kali, captures memory, analyses the result. 302,000+ words of content. Lab pack with setup scripts, PoC source code, exercises, verification scripts, and walkthroughs.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Distinction: 90. Earn your certificate with CPE credits.

40minutes
3phases
100points
1scenario
Take End of Course Exam

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.