Malware analysis overview

Malware analysis, or malware reverse engineering, is a highly technical and specialized field within forensics. Anti-virus and threat intelligence firms employ a highly trained cadre of programmers and forensic personnel who acquire malware from the wild and then take it apart to determine what it does, how it does it, and who may be responsible for it. This is done using two types of analysis: static and dynamic. As with much of digital forensics, each type of analysis affords its own advantages, and incident response analysts should be familiar with both.

An excellent treatment of malware analysis conducted against actual malware found in the wild can be found in Kim Zetter's book Countdown to Zero Day. Comprehensively researched, this book delves deep into the Stuxnet worm, following the various research teams as they attempt to understand what the malware is doing.

An excellent malware analysis methodology was created by Lenny Zeltser, a malware analysis professional who maintains an extensive array of resources on his website at https://Zeltser.com. This methodology comprises the following seven steps that guide analysts through the process:

  1. Create a controlled laboratory environment where examinations can be conducted.
  2. Examine the behavior of the suspected malware as it interacts with the Operating System (OS) environment.
  3. Examine the suspicious application's code to gain a sense of its inner workings.
  4. Perform a dynamic analysis to determine what actions the malware takes that could not be identified in the static analysis.
  5. Determine if the malware is packed, and unpack it as necessary.
  6. Continue the process until the analysis objectives have been completed.
  7. Prepare a supplement to the forensics report and return the laboratory to the state it was in prior to the analysis.
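Steps 3 and 5 above (examining the code and deciding whether the sample is packed) usually begin with a quick static triage: hashing the file so it can be tracked, pulling out printable strings, and measuring byte entropy, since a high entropy close to 8 bits per byte suggests compressed or encrypted content that will need unpacking before the code can be read. The following Python helper is an added example and is not code from the book or from Lenny Zeltser; the function names, the 7.0-bit entropy threshold and the two inline samples are constructed for illustration.

```python
"""Static triage helper: file hash, printable strings and an entropy-based packing hint.
Added illustration; function names and threshold are assumptions, not a standard."""
import hashlib
import math
import re
from collections import Counter


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the sample, used to track it across the investigation."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII of at least min_len characters (like the 'strings' tool)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def packing_hint(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic only: entropy at or above the threshold is typical of packed or encrypted payloads."""
    return shannon_entropy(data) >= threshold


def triage(data: bytes) -> dict:
    """Bundle the three static measurements into one record for the analysis notes."""
    return {
        "sha256": sha256_hex(data),
        "strings": extract_strings(data),
        "entropy": round(shannon_entropy(data), 3),
        "likely_packed": packing_hint(data),
    }


# Constructed samples (not real malware): an unpacked-looking buffer with readable
# strings, and a uniform byte buffer standing in for compressed or encrypted content.
PLAIN_SAMPLE = (
    b"MZ\x00\x00"
    + b"kernel32.dll\x00"
    + b"CreateFileW\x00"
    + b"Hello from a harmless test sample.\x00"
)
HIGH_ENTROPY_SAMPLE = bytes(range(256)) * 16

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("high-entropy", HIGH_ENTROPY_SAMPLE)):
        print(name, triage(sample))
```

The entropy check is a hint, not a verdict: a legitimately compressed resource section or an embedded certificate also scores high, so the result should feed the decision in step 5 rather than replace it.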

Let's look at static analysis.
