The FOR610 course, which I teach at SANS Institute, explains how to reverse-engineer malicious software. The following note summarizes my recommendations for what to include in the report that describes the results of the malware analysis process.
A typical malware analysis report covers the following areas:
Malware analysis should be performed according to a repeatable process. To accomplish this, the analyst should save logs, take screen shots, and maintain notes during the examination. This data will allow the person to create an analysis report with sufficient detail that will allow a similarly-skilled analyst to arrive at equivalent results.
A convenient way of keeping track of your observations during the reverse-engineering process is to use a mind map, which organizes your notes, links, and screenshots on a single easy-to-see canvas. You can download my mind map template for such a report in several formats: FreeMind file (mm), XMind file (xmt) format and MindManager file (mmat).
Authored by Lenny Zeltser. Lenny is a business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania. You can follow Lenny on Twitter, read his blog and circle him on Google+.
Copyright © 1995-2013 Lenny Zeltser. All rights reserved. RSS Feed.
The information on this site does not necessarily represent positions or opinions of my employer.