Windows Memory & User Activity

Premium room

Trace user behavior, command execution, file access, and macro-based payload delivery from memory.

medium | 60 min | 2,270

In this room, we’ll walk through how to investigate user activity from a Windows memory dump using Volatility 3. As analysts, we need to know what users were doing on a system at the time something suspicious occurred: who was logged in, what commands were executed, and what files were opened, among other activities.

This room is the second in a set of three. We’ll be working with a memory dump from a compromised machine on a small internal network. If the host is indeed compromised, we will need to piece together the scope of the attack and the attack chain.

Learning Objectives

  • Link logins to suspicious activity using session and registry data.
  • Identify commands and file access tied to the suspicious logins.
  • Reconstruct user actions from memory.

Prerequisites
