Analysis of a Suspect Program

This chapter endeavors to establish a general guideline of the tools and techniques that can be used to examine malicious executable binaries in a Windows environment. There are a variety of malware laboratory configuration options. In many instances, a specimen can dictate the parameters of the lab environment, particularly if the code requires numerous servers to fully function or, more nefariously, employs anti-virtualization code to stymie the digital investigator's efforts to observe the code in a VMware or other virtualized host system. Use of virtualization is helpful during the behavioral analysis of a malicious code specimen, as the analysis requires frequent stops and starts of the malicious program to observe the nuances of the program's behavior, and snapshots let the investigator restore a known-clean state between runs.