

Showing posts from 2019

Top Readings for InfoSec

Over the years, I’ve been asked what books and/or websites I’d recommend to those getting into the field of cyber security, focusing on malware analysis and incident response. While it’s hard to beat “on the job experience”, other materials such as hands-on labs, capture the flag events, books and other free online resources are a great start. Of course, reading a book is only good if you enjoy the topic ;). I’ve broken down the topics below based on category. I highly recommend working through the labs and rereading any chapters that need additional clarification. This blog can also be found on Medium.

Incident Response:
Incident Response & Computer Forensics, Third Edition
Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
Red Team Field Manual

If your goal is to work i

Basic Dynamic Analysis - PE

As mentioned in my prior post (Medium / StillzTech), malware analysis can be grouped into four categories:
Basic Static
Basic Dynamic - PE File (what this post will cover)
Advanced Static
Advanced Dynamic

As stated in my prior post, we perform basic static analysis first to understand the executable’s “potential” capabilities and structure. Some questions we aim to answer during basic static analysis:

What libraries does the PE file import, including functions / ordinals? Why? This may indicate the file has the “capability” to log to a text file and read credit card track data from memory, indicating you’re dealing with some point of sale malware.

What unique strings stand out? Why? Some malware may contain the PDB file (debugger symbols) or original code file path, which can be used to find related malware or identify the malware itself.

What language was the PE file written in? Why? Depending on the language the executable was written in, you might b
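The three basic static questions above (imports, notable strings such as a PDB path, and a language hint) can be answered from the PE headers without running the file. The following is an added example written for this page, not code from the StillzTech post: it builds a constructed, parser-only 32-bit PE image in memory (a single section carrying an import directory for kernel32.dll and a made-up PDB path; it is not a loadable or real binary) and then walks the import table, pulls printable strings and the .pdb path, and applies a heuristic language guess. The `guess_language` rules (runtime DLL names and well-known compiler strings) are an assumption, useful as a first hint rather than an identification.

```python
import re
import struct

# Constructed minimal 32-bit PE image used as sample input (not a real binary, not loadable):
# one section holding an import directory (kernel32.dll -> CreateFileA, WriteFile)
# and a PDB path string of the kind a compiler leaves behind.
def build_sample_pe() -> bytes:
    sec_rva, sec_off = 0x1000, 0x200
    body = bytearray(0x100)
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    body[0:20] = struct.pack("<5I", sec_rva + 0x28, 0, 0, sec_rva + 0x40, sec_rva + 0x34)
    thunks = struct.pack("<3I", sec_rva + 0x50, sec_rva + 0x60, 0)   # null-terminated thunk array
    body[0x28:0x34] = thunks                     # import lookup table (ILT)
    body[0x34:0x40] = thunks                     # import address table (IAT)
    body[0x40:0x4D] = b"kernel32.dll\0"
    body[0x50:0x5E] = b"\0\0CreateFileA\0"       # 2-byte hint, then function name
    body[0x60:0x6C] = b"\0\0WriteFile\0"
    pdb = b"C:\\Users\\dev\\source\\pos\\Release\\scraper.pdb\0"   # made-up PDB path
    body[0x70:0x70 + len(pdb)] = pdb
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[60:64] = struct.pack("<I", 64)           # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    opt[0:2] = struct.pack("<H", 0x10B)          # PE32 magic
    opt[104:112] = struct.pack("<II", sec_rva, 0x28)   # DataDirectory[1] = import directory
    sect = struct.pack("<8sIIIIIIHHI", b".rdata\0\0", len(body), sec_rva,
                       len(body), sec_off, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(sec_off, b"\0") + bytes(body)

# Heuristic language/compiler hint (an assumption, not a definitive identification):
# based on runtime DLLs in the import table and well-known compiler strings.
def guess_language(imports: dict, strings: list) -> str:
    dlls = set(imports)
    if "mscoree.dll" in dlls:
        return ".NET (managed)"
    if any(d.startswith(("msvcr", "vcruntime", "ucrtbase", "msvcp")) for d in dlls):
        return "C/C++ (MSVC runtime)"
    if any(s.startswith("Go build ID") for s in strings):
        return "Go"
    if any("Delphi" in s or "Borland" in s for s in strings):
        return "Delphi"
    return "unknown (no runtime imports or compiler strings found)"

def parse_pe(data: bytes) -> dict:
    """Answer the basic static questions: imports, strings, PDB path, language hint."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 60)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # DataDirectory starts at +96 for PE32 and +112 for PE32+; entry 1 is the import table
    dd = opt + (96 if magic == 0x10B else 112)
    imp_rva = struct.unpack_from("<I", data, dd + 8)[0]
    tfmt, ord_flag = ("<I", 1 << 31) if magic == 0x10B else ("<Q", 1 << 63)
    sections = []
    for i in range(nsec):
        _, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rsize), raw))

    def rva_to_off(rva: int) -> int:
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError(f"RVA {rva:#x} maps to no section")

    def cstr(off: int) -> str:
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    imports = {}
    desc = rva_to_off(imp_rva) if imp_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if name_rva == 0:                 # all-zero descriptor terminates the array
            break
        dll = cstr(rva_to_off(name_rva)).lower()
        thunk = rva_to_off(oft or ft)     # prefer the ILT; fall back to the IAT if ILT is absent
        funcs = []
        while (entry := struct.unpack_from(tfmt, data, thunk)[0]) != 0:
            if entry & ord_flag:
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:
                funcs.append(cstr(rva_to_off(entry & 0x7FFFFFFF) + 2))   # skip the 2-byte hint
            thunk += struct.calcsize(tfmt)
        imports[dll] = funcs
        desc += 20
    strings = [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{6,}", data)]
    m = re.search(rb"[\x20-\x7e]{4,}\.pdb", data)
    pdb = m.group(0).decode("ascii") if m else None
    return {"imports": imports, "strings": strings, "pdb": pdb,
            "language": guess_language(imports, strings)}

if __name__ == "__main__":
    report = parse_pe(build_sample_pe())
    for dll, funcs in report["imports"].items():
        print(dll, "->", ", ".join(funcs))
    print("PDB:", report["pdb"])
    print("Language hint:", report["language"])
```

Swap `build_sample_pe()` for `open(path, "rb").read()` to run it against a real file; the parser handles PE32 and PE32+ thunk sizes and ordinal imports, but it does not follow bound or delay-load imports, so treat an empty import list as "check further", not "no imports".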

Revealing malware relationships with GraphDB: Part 1

In this post, we will learn how using a Graph Database like Neo4j can help visualize malware relationships and extend these relationships to identify patterns between samples. Before we dig into Neo4j, let’s start with some fundamental graph terminology:

Nodes represent entities such as a human, car, laptop or phone.
Properties are attributes nodes can contain. A steering wheel or tires would be a property of the “car” node.
Labels are a way to group together nodes of a similar type. For example, a label of “FastFood” may include nodes such as “Taco Bell, McDonald’s, and Chipotle”.
Edges (called relationships in Neo4j) represent the connection between two nodes; note that in graph theory “vertex” is another name for a node, not for an edge. Relationships can also have their own properties.

Getting started with Neo4j

Neo4j is a Graph Database commonly known for its pure simplicity and easy to use interface. I find the structure of a graph database quite fascinating, on top of learning how to normalize malware analysis
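To make the terminology concrete on malware data, here is an added example written for this page (not code from the StillzTech post or from Neo4j): it normalizes constructed analysis records for four hypothetical samples (placeholder hashes, not real malware) into a small labelled property graph, ranks which samples are related through shared artifact nodes, and emits the equivalent Cypher MERGE statements that could be pasted into the Neo4j browser. The data model (labels `Sample`, `Import`, `PdbPath`; relationships `IMPORTS`, `BUILT_FROM`) is an assumption chosen for the example; the Neo4j driver is deliberately not used so the block runs offline.

```python
import json
from collections import defaultdict

# Constructed analysis records for four hypothetical samples (placeholder hashes, not real
# malware); in practice these would come from the basic static pass over each file.
SAMPLES = [
    {"sha256": "sha256-sample-a", "pdb": "C:\\dev\\pos\\Release\\scraper.pdb",
     "imports": {"kernel32.dll": ["CreateFileA", "WriteFile"], "wininet.dll": ["InternetOpenA"]}},
    {"sha256": "sha256-sample-b", "pdb": "C:\\dev\\pos\\Release\\scraper.pdb",
     "imports": {"kernel32.dll": ["CreateFileA", "WriteFile"]}},
    {"sha256": "sha256-sample-c", "pdb": None,
     "imports": {"kernel32.dll": ["CreateFileA"], "ws2_32.dll": ["send"]}},
    {"sha256": "sha256-sample-d", "pdb": None,
     "imports": {"user32.dll": ["MessageBoxA"]}},
]

class PropertyGraph:
    """Labelled property graph: nodes keyed by (label, key), edges typed by relationship."""
    def __init__(self):
        self.nodes = {}        # (label, key) -> properties dict
        self.edges = set()     # (src_node, relationship_type, dst_node)

    def merge_node(self, label, key, **props):
        """MERGE semantics: create the node on first sight, reuse it afterwards."""
        node = (label, key)
        self.nodes.setdefault(node, dict(props))
        return node

    def merge_edge(self, src, rel, dst):
        self.edges.add((src, rel, dst))

def build_graph(samples):
    """Normalize flat analysis records into shared artifact nodes (assumed data model)."""
    g = PropertyGraph()
    for s in samples:
        sample = g.merge_node("Sample", s["sha256"], sha256=s["sha256"])
        for dll, funcs in s["imports"].items():
            for func in funcs:
                # one Import node per dll!function, shared by every sample that imports it
                imp = g.merge_node("Import", f"{dll}!{func}", dll=dll, function=func)
                g.merge_edge(sample, "IMPORTS", imp)
        if s["pdb"]:
            g.merge_edge(sample, "BUILT_FROM", g.merge_node("PdbPath", s["pdb"], path=s["pdb"]))
    return g

def related_samples(g, sha256):
    """Other samples reachable through a shared artifact node, ranked by shared edge count."""
    me = ("Sample", sha256)
    my_targets = {(rel, dst) for src, rel, dst in g.edges if src == me}
    scores = defaultdict(int)
    for src, rel, dst in g.edges:
        if src != me and src[0] == "Sample" and (rel, dst) in my_targets:
            scores[src[1]] += 1
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def to_cypher(g):
    """Emit idempotent Cypher MERGE statements that load the same graph into Neo4j."""
    stmts = []
    for (label, key), props in g.nodes.items():
        parts = [f"key: {json.dumps(key)}"] + [f"{k}: {json.dumps(v)}" for k, v in props.items()]
        stmts.append(f"MERGE (:{label} {{{', '.join(parts)}}});")
    for (sl, sk), rel, (dl, dk) in sorted(g.edges):
        stmts.append(f"MATCH (a:{sl} {{key: {json.dumps(sk)}}}), (b:{dl} {{key: {json.dumps(dk)}}}) "
                     f"MERGE (a)-[:{rel}]->(b);")
    return stmts

if __name__ == "__main__":
    graph = build_graph(SAMPLES)
    print("related to sample-a:", related_samples(graph, "sha256-sample-a"))
    print("\n".join(to_cypher(graph)))
```

The ranking is the graph-database idea in miniature: instead of comparing sample records pairwise, each import and PDB path becomes a single node, and "related" simply means two `Sample` nodes share a neighbour. The same question in Neo4j is one Cypher pattern, `MATCH (a:Sample)-->(x)<--(b:Sample) RETURN b, count(x)`, which is what the emitted MERGE statements set up.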