Having fun while learning about and pivoting into the world of DFIR.
by ogmini
Continuation from Part 5 looking back at my coursework in the Master’s Degree in Digital Forensic Science. In this post, I’ll be talking about DFS-540 Malware Analysis.
I REALLY enjoyed this course and my only wish was that it was longer. It tickles that programmer inside me. Instead of debugging my own code, I’m trying to debug and reverse engineer someone else’s code. Many programmers would agree that you can get to know a fellow programmer by reading and understanding their programming style and code. I’d love to get to “know” malware authors.
One potential weakness to this course is that all the assignments relied on very well documented malware samples. Many are taken from the very good book, “Practical Malware Analysis”. This can lead to easily completing the assignments via Google and finding existing writeups. I guess you can still learn a lot from reading the writeups; I just feel you would miss out on the actual “hunt” or real analysis of the malware samples.
I found all the labs to be enjoyable and the class had some very good discussions as always. A majority of the class focused on Windows malware with one lab involving an Android malware sample. The class definitely barely touched the surface that is the field of malware analysis. There is just so much to unpeel and the more you unpeel the more complex it gets. I do wish the class materials had introduced us to Ghidra instead of IDA. Ghidra appears to be the more modern and more importantly free choice. Something that I could use on my own to practice malware analysis. I was introduced to a lot of different tools in a short time though.
One thing I’ve always wondered, how many malware analysts started or had/have experience with writing cracks for software copyright protection or hobbyist reverse engineering projects. You have to have a very good grasp of low level assembly and the ability to see the trees through the forest. I’m reminded of a Wired article about an individual who cracks Denuvo protection and some of their quotes such as “i always keep in the ZONE till i crush their pathetic puzzle prisons”. That to me distills the challenge of malware analysis. It takes a certain type of individual to REALLY be good at it. I guess the good thing is that most malware authors aren’t that good.
Writing this post reminds me that I really need to carve out the time to finish TCM Security’s Practical Malware Analysis & Triage course.