
Part 2: Malware Analysis

1. What are some essential skills for a malware analyst?
2. How can I practice analyzing malware safely?
3. What are some common types of malware and how do they work?
4. What tools and techniques are used in malware analysis?



1. What Is Malware?

Malware is code that performs malicious actions; it can take the form of an executable, script, or any other piece of software. Attackers use malware to steal sensitive information, spy on the infected system, or take control of it. Malware typically gets onto a system without the owner's consent and can be delivered through various channels such as email, the web, or USB drives.


The following are some of the malicious actions performed by malware:
Disrupting computer operations
Stealing sensitive information, including personal, business, and financial data
Gaining unauthorized access to the victim's system
Spying on the victims
Sending spam emails
Engaging in distributed denial-of-service (DDoS) attacks
Locking up the files on the computer and holding them for ransom


2. What Is Malware Analysis?

Malware analysis is the study of malware's behavior. The objective of malware analysis is to understand how malware works and how to detect and eliminate it. It involves analyzing the suspect binary in a safe environment to identify its characteristics and functionality so that better defenses can be built to protect an organization's network.



3. Why Malware Analysis?

The primary motive behind performing malware analysis is to extract information from the malware sample that helps in responding to a malware incident. The goal of malware analysis is to determine the capability of the malware, detect it, and contain it. It also helps in identifying patterns that can be used to clean up the current infection and prevent future ones.



4. Types Of Malware Analysis

To understand the workings and characteristics of malware and to assess its impact on the system, you will often use different analysis techniques. These techniques are classified as follows:



Static analysis: This is the process of analyzing a binary without executing it. It is the easiest technique to perform and allows you to extract the metadata associated with the suspect binary (file hashes, headers, embedded strings, imports). Static analysis might not reveal all the required information, but it can provide interesting leads that help in deciding where to focus your subsequent analysis efforts.



Dynamic analysis (behavioral analysis): This is the process of executing the suspect binary in an isolated environment and monitoring its behavior. This technique is easy to perform and gives valuable insights into the activity of the binary during its execution (file, registry, process, and network activity). It is useful but does not reveal all the functionality of the hostile program, since only the code paths that actually run are observed.


Code analysis: This is an advanced technique that focuses on analyzing the code to understand the inner workings of the binary. It reveals information that cannot be determined from static and dynamic analysis alone. Code analysis is further divided into static code analysis and dynamic code analysis. Static code analysis involves disassembling the suspect binary and reading the code to understand the program's behavior, whereas dynamic code analysis involves debugging the suspect binary in a controlled manner to understand its functionality. Code analysis requires an understanding of assembly language, the programming language the malware was written in, and operating system concepts.



Memory analysis (memory forensics): This is the technique of analyzing the computer's RAM for forensic artifacts. It is typically a forensic technique, but integrating it into your malware analysis helps in understanding the malware's behavior after infection. Memory analysis is especially useful for determining the stealth and evasion capabilities of the malware, such as injected code and hidden processes that do not appear on disk.
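The static analysis step described above, as an added example that is not part of the original post: a small Python triage routine that hashes a binary, validates the MZ/PE signatures, decodes the COFF file header, and extracts printable strings to flag URLs and process-injection API names. The sample bytes are constructed inline (a minimal PE-shaped blob, not a real file), and the URL and API list are assumptions chosen for illustration.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

# Constructed sample for this example: a minimal PE-shaped byte blob, not a real or malicious file.
# Layout: DOS header ("MZ", e_lfanew at 0x3C) -> "PE\0\0" signature -> COFF header -> embedded strings.
def build_sample():
    pe_offset = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", pe_offset)
    dos += b"\x00" * (pe_offset - len(dos))
    # COFF header fields: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 1_600_000_000, 0, 0, 0xE0, 0x0102)
    payload = (b"\x00Mozilla/5.0\x00http://update.example.invalid/p.php"
               b"\x00CreateRemoteThread\x00\x01\x02")
    return dos + b"PE\x00\x00" + coff + payload

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64"}
INJECTION_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"}  # assumed watch-list

def parse_coff(data):
    """Validate the MZ/PE signatures and decode the COFF file header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_offset:pe_offset + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    machine, nsect, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe_offset + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsect,
        "timestamp": ts,
        "compiled": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "is_dll": bool(chars & 0x2000),  # IMAGE_FILE_DLL characteristic flag
    }

def extract_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like the 'strings' utility."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def static_triage(data):
    """Hash, header metadata and string-based indicators from a binary, without executing it."""
    info = parse_coff(data)
    info["sha256"] = hashlib.sha256(data).hexdigest()
    strings = extract_strings(data)
    info["urls"] = [s for s in strings if s.startswith(("http://", "https://"))]
    info["suspicious_apis"] = sorted(s for s in strings if s in INJECTION_APIS)
    return info
```

Running `static_triage(build_sample())` returns the hash, architecture, section count, compile timestamp and the flagged URL and API name; on a real sample the same fields tell you where to focus dynamic or code analysis next.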




Integrating different analysis techniques while performing malware analysis can reveal a wealth of contextual information, which will prove valuable in your malware investigation.
