Digital-Forensics-Discord-Server / TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts

The official repo for a project involving a crowdsourced DFIR book. The main purpose of this book is to give anyone interested an opportunity to write a chapter of a book to get their name out there, get a publication on their resume with an actual ISBN number, and ideally lower the bar for people to contribute something back to the DFIR Community. Want to write a chapter? Let me know and let's make it happen!
MIT License

Chapter 2: The Basics of Malware Analysis #5

Closed AndrewRathbun closed 2 years ago

ApexPredator-InfoSec commented 2 years ago

I'm thinking with this one that I'll start with a little bit about how I got into doing malware analysis with some personal anecdotes. Go over some techniques for identifying malware and pulling out IOCs. A little advice on Incident Response for malware. Cover a canned walk-through of basic techniques for analyzing malware. And then talk about resources or next steps to take it to an intermediate level or to look at doing it professionally. I plan to keep it at the basic level for people who are interested but have never done any malware analysis. It could then tie in to intermediate or advanced techniques in another chapter or book by someone else later.

AndrewRathbun commented 2 years ago

> I'm thinking with this one that I'll start with a little bit about how I got into doing malware analysis with some personal anecdotes. Go over some techniques for identifying malware and pulling out IOCs. A little advice on Incident Response for malware. Cover a canned walk-through of basic techniques for analyzing malware. And then talk about resources or next steps to take it to an intermediate level or to look at doing it professionally. I plan to keep it at the basic level for people who are interested but have never done any malware analysis. It could then tie in to intermediate or advanced techniques in another chapter or book by someone else later.

That sounds great. Planning on any graphics? ShareX is a great, free tool to markup screenshots. Or a trial of SnagIt, which is what I use.

ApexPredator-InfoSec commented 2 years ago

I do plan on screenshots. I'll look into ShareX. I usually use the Windows Snipping Tool for when I'm taking notes or putting together a hasty writeup or walkthrough on my GitHub.

AndrewRathbun commented 2 years ago

> I do plan on screenshots. I'll look into ShareX. I usually use the Windows Snipping Tool for when I'm taking notes or putting together a hasty writeup or walkthrough on my GitHub.

Windows Snipping Tool is fine, but ShareX has a nice editor post-screenshot. SnagIt is even better, but it's not free. Again, a trial would probably be good enough to get what you need, so consider that. I use SnagIt literally every day haha.

AndrewRathbun commented 2 years ago

ShareX is also my go-to gif creator but that won't help us on this project 😋

ApexPredator-InfoSec commented 2 years ago

I should have my rough draft complete and uploaded by this weekend.

AndrewRathbun commented 2 years ago

Good deal. For your chapter, do you want to stick with your online pseudonym or use your real name? Either is fine, I just want to know what your thoughts were.

ApexPredator-InfoSec commented 2 years ago

Originally I was going to stay under a pseudonym; I'm debating whether or not I want to change my mind though.

ApexPredator-InfoSec commented 2 years ago

My draft is uploaded.

AndrewRathbun commented 2 years ago

Awesome work, thank you! I'll take a stab at some proofreading, Markua editing, code blocking, etc. from the brief bit I saw just now. I'll do my full read-through as I go through a run of formatting quality control 👍

ApexPredator-InfoSec commented 2 years ago

Thanks. It will probably need some edits for clarity and grammar. I was mostly just focused on getting it done and not trying to perfect it yet, so that I could at least produce something. I will also do some proofreading over the next week or so.

AndrewRathbun commented 2 years ago

That was definitely the right approach. Creating content is the hardest part of the process. Peer review and proofreading can happen whenever it happens, but it can't happen without the content existing in the first place. Thanks again for doing that!

ApexPredator-InfoSec commented 2 years ago

I got a couple of people to peer review it. No issues from either on the technical accuracy, but I did get some pointers on improving the quality of the content, so I'll be working on that over the next couple of weeks.

AndrewRathbun commented 2 years ago

Awesome, thank you for the status update! Looking forward to it.

ApexPredator-InfoSec commented 2 years ago

I added more content. Probably still needs editing.

AndrewRathbun commented 2 years ago

I just skimmed through it and it was a great read. I'll give it an editing pass in a week or so when I'm done with my research paper, so I'll be able to dedicate all my time to editing content in this repo.

Nice work!

ApexPredator-InfoSec commented 2 years ago

I removed the writing in-progress label since the content is basically done. There may be additional content added if deemed necessary during editing, but it would be small amounts.

AndrewRathbun commented 2 years ago

> I removed the writing in-progress label since the content is basically done. There may be additional content added if deemed necessary during editing, but it would be small amounts.

Awesome, thank you! I will ramp up revising and editing efforts in July.

AndrewRathbun commented 2 years ago

This chapter will definitely make v1.0 when it goes live in early August 👍 thank you for your efforts @ApexPredator-InfoSec

ApexPredator-InfoSec commented 2 years ago

Awesome. I really appreciate this opportunity and look forward to future collaboration.

AndrewRathbun commented 2 years ago

I will review this one next FYI.

AndrewRathbun commented 2 years ago

@ApexPredator-InfoSec Process Hacker is now called System Informer. This is a very recent change. Should we consider adding verbiage similar to "System Informer, formerly Process Hacker, is a...."? Let me know your thoughts!

https://github.com/Digital-Forensics-Discord-Server/TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts/blob/a440d99ffb5711cab5f56217890fc49782fc1b29/manuscript/chapter3.txt#L52

https://github.com/Digital-Forensics-Discord-Server/TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts/blob/a440d99ffb5711cab5f56217890fc49782fc1b29/manuscript/chapter3.txt#L56

https://github.com/Digital-Forensics-Discord-Server/TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts/blob/a440d99ffb5711cab5f56217890fc49782fc1b29/manuscript/chapter3.txt#L60

EDIT: https://github.com/winsiderss/systeminformer is the GitHub repo for System Informer, formerly Process Hacker.

AndrewRathbun commented 2 years ago

https://www.nirsoft.net/utils/registry_changes_view.html is another tool for Registry comparison. It's still being actively developed whereas RegShot isn't anymore, it seems. Not suggesting to remove RegShot and replace with this NirSoft tool, but just bringing it up as an alternative in case you wanted to add a blurb.

AndrewRathbun commented 2 years ago

First pass edits are up. Great work @ApexPredator-InfoSec!

AndrewRathbun commented 2 years ago

@ApexPredator-InfoSec I just added a couple more subheadings so the PDF's sections looked cleaner than this:

[image]

Now it looks like this:

[image]

Feel free to adjust as you see fit!

ApexPredator-InfoSec commented 2 years ago

> @ApexPredator-InfoSec Process Hacker is now called System Informer. This is a very recent change. Should we consider adding verbiage similar to "System Informer, formerly Process Hacker, is a...."? Let me know your thoughts!
>
> https://github.com/Digital-Forensics-Discord-Server/TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts/blob/a440d99ffb5711cab5f56217890fc49782fc1b29/manuscript/chapter3.txt#L52
>
> https://github.com/Digital-Forensics-Discord-Server/TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts/blob/a440d99ffb5711cab5f56217890fc49782fc1b29/manuscript/chapter3.txt#L56
>
> https://github.com/Digital-Forensics-Discord-Server/TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts/blob/a440d99ffb5711cab5f56217890fc49782fc1b29/manuscript/chapter3.txt#L60
>
> EDIT: https://github.com/winsiderss/systeminformer is the GitHub repo for System Informer, formerly Process Hacker.

I think that would be a good idea to make those changes.

ApexPredator-InfoSec commented 2 years ago

I made those suggested edits.

AndrewRathbun commented 2 years ago

Great. I saw a minor change that needs to be made on the NirSoft section but I'll handle it when I'm at a computer next. Cheers!

AndrewRathbun commented 2 years ago

https://github.com/Digital-Forensics-Discord-Server/TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts/commit/0dc271d43bbb5f22c44315073547f8c6bc475edd

Minor changes made!

AndrewRathbun commented 2 years ago

As we approach publishing v1 of this book, please review the most recent files uploaded to this folder and ensure your chapter looks the way you want it to. If not, please make appropriate adjustments and advise me to regenerate the preview book files.

Additionally, if you've not been invited to the book on Leanpub yet, please provide me with an email address so I can invite you on there.

Thank you for completing your chapter! I hope this has been a fulfilling experience for you!