Phases of Malware Analysis: Behavioral, Code, and Memory Forensics


When discussing malware analysis, I've always referred to two main phases of the process: behavioral analysis and code analysis. It's time to add a third major component: memory analysis.

The three malware analysis phases are intertwined with each other. The investigator might start with behavioral analysis to get a quick sense for the specimen’s capabilities, then reinforce the initial findings by looking at its code, then explore additional aspects of the malicious program by examining the infected system’s memory. The investigator will keep jumping between phases, not necessarily in any particular order, until he or she develops a sufficient understanding of the specimen’s capabilities.

Lenny Zeltser focuses on safeguarding customers’ IT operations at NCR Corporation. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.
