3 Phases of Malware Analysis: Behavioral, Code, and Memory Forensics

When discussing malware analysis, I've always referred to 2 main phases of the process: behavioral analysis and code analysis. It's time to add a third major component: memory analysis.

Here's a brief outline of each phase:

• Behavioral analysis examines the malware specimen's interactions with its environment: the file system, the registry (if on Windows), the network, as well as other processes and OS components. As the malware investigator notices interesting behavioral characteristics, he modifies the laboratory environment to evoke new characteristics. To perform this work, the investigator typically infects the isolated system while having the necessary monitoring tools observe the specimen's execution. Some of the free tools that can help in this analysis phase are Process Monitor, Process Explorer, RegShot and Wireshark. Several free on-line tools can automate some aspects of behavioral analysis; there are also several free frameworks you can use to script the analysis process in a local lab.
• Code analysis reverse-engineers the malicious program to understand the code that implements the specimen's behavior. When looking at compiled programs, this process involves using a disassembler, a debugger and, perhaps, a decompiler to examine the program's low-level assembly or byte-code instructions. A disassembler converts the instructions from their binary form into the human-readable assembly form. A decompiler attempts to recreate the original source code of the program. A debugger lets the analyst step through the most interesting parts of the code, interacting with it and observing the effects of its instructions to understand their purpose. OllyDbg and IDA Pro Freeware are popular free disassembler/debuggers that can handle Windows programs.
• Memory analysis examines memory of the infected system to extract artifacts relevant to the malicious program. In the context of reverse-engineering malware, memory analysis can help identify malicious code that is trying to hide itself (i.e., rootkits), can clarify the program's run-time dependencies, and can explain how the specimen was used on the victim's system. Memory analysis saves time and allows the investigator to take shortcuts when studying the specimen's behavior or code. Free tools for performing memory analysis are The Volatility Framework and its malware-related plugins, as well as Memoryze and the associated Audit Viewer program.

The three malware analysis phases are intertwined with each other. The investigator might start with behavioral analysis to get a quick sense for the specimen's capabilities, then reinforce the initial findings by looking at its code, then explore additional aspects of the malicious program by examining the infected system's memory. The investigator will keep jumping between phases, not necessarily in any particular order, until he or she develops a sufficient understanding of the specimen's capabilities.

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.