SANS Digital Forensics and Incident Response Blog: Daily Archives: Oct 11, 2010

3 Phases of Malware Analysis: Behavioral, Code, and Memory Forensics

When discussing malware analysis, I've always referred to 2 main phases of the process: behavioral analysis and code analysis. It's time to add a third major component: memory analysis.

Here's a brief outline of each phase:

  • Behavioral analysis examines the malware specimen's interactions with its environment: the file system, the registry (if on Windows), the network, as well as other processes and OS components. As the malware investigator notices interesting behavioral characteristics, he modifies the laboratory environment to evoke newcharacteristics. To perform this work, theinvestigatortypically infects the isolated system while having the necessary monitoring tools observe the specimen's execution. Some of the free tools that can help in this analysis phase are Process Monitor,