In my effort to finally catch up with some of the great ShmooCon talks, today I’m taking a look at NoVA local Richard “@xabean” Harman’s “Malware Analysis Collaboration Automation & Training” presentation. I’ve been interested in malware analysis lately, as you may have noticed. At ShmooCon I didn’t get a chance to see Richard’s talk in person, but it is definitely a must watch. Although he mostly focuses on setting up collaborative and classroom environments in the second part of the presentation, the first 15 minutes provide a nice overview for those interested in getting started in malware analysis.
The first slide lists a nice summary of the overall process that includes:
- Baseline System State
- Monitor & Log System Activity
- Infect System
- Suspend, Dump & Terminate Processes
- Stop Monitoring
- Review Monitored Activity
- Compare New State to Baseline
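As an added example (not code from Richard’s talk or this post), here is a minimal Regshot-style baseline-and-compare over a directory tree, covering the first and last steps of the list above: snapshot before detonation, snapshot after, and diff the two. The file names and contents in `demo()` are constructed stand-ins for what a sample might leave behind.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (relative path) to (size, sha256 hex)."""
    root = Path(root)
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                data = path.read_bytes()
            except OSError:
                continue  # a transient file vanished mid-walk: skip it, do not abort the snapshot
            state[str(path.relative_to(root))] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def compare(baseline, current):
    """Diff two snapshots: added, removed and modified relative paths, each sorted."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario in a temp dir: take a baseline, then simulate the 'infect' step."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.ini").write_text("a=1\n")
        (root / "readme.txt").write_text("hello\n")
        baseline = snapshot(root)
        # Stand-in for the sample's activity: one file added, one modified, one removed
        (root / "dropper.bin").write_bytes(b"constructed payload stand-in")
        (root / "config.ini").write_text("a=1\nrun=dropper.bin\n")
        (root / "readme.txt").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashing every file on a real analysis VM is slow; in practice you would scope the walk to the locations the sample is likely to touch, the same way Regshot is scoped to selected registry hives and directories.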
After that Richard touches on several tools that he likes to use in order to monitor activities in his analysis machine. These include:
- System Baseline: Regshot & Autoruns
- General Analysis: OfficeCat, FileInsight (hex editor), Wireshark, Didier Stevens’ tools
- Memory Analysis: Volatility Framework
- Logging/Tracing: OllyDbg & plugins, IDA Pro, Procmon, CaptureBAT
For details on all these tools check out Richard’s abstract and full talk below.
Malware Analysis Collaboration Automation & Training
Whether you’re a novice or a professional at analyzing malicious code, you’ll have a desire to learn or pass on that skill. Most malicious code analysis is performed by a single analyst, sometimes with collaboration tools for sharing comments on code between two or more analysts. In this presentation you will learn how to set up a virtualized analysis environment that is suitable for solo analysis, training a classroom of students, passing an analysis VM between analysts, and a self-service analysis “session” playback of previous analysis sessions. All of this while not getting in your way, and making efficient use of RAM & disk space.
Today’s post pic is from CyberSquared.com. See ya!