Digital Forensics: Malware Forensics and Reverse Engineering Foundations
Published:
Reviewed by Sourabh · 20 May 2026
Questions
30
Duration
30 min
Faculty-reviewed
0
Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.
Updated
20 May 2026
FACT Digital Forensics paper drill on malware forensics from the analyst's bench. It covers the classical taxonomy of viruses, worms, and Trojans; the ransomware family with its locker and crypto classes, and the worm-style propagation behind WannaCry (2017) and NotPetya (2017) through the EternalBlue SMBv1 exploit; the spyware versus adware distinction; user-mode and kernel-mode rootkits and hardware keyloggers; and fileless malware that lives in memory through PowerShell and WMI. Static analysis topics include the Windows Portable Executable (PE) format with its DOS header, NT headers, and Import Address Table (IAT); the Linux Executable and Linkable Format (ELF) defined in the System V ABI; the strings utility for fast triage; YARA pattern matching; the Mandiant imphash; and packer recognition through UPX section names and high entropy. Dynamic analysis topics include the Cuckoo and CAPE sandboxes, Sysinternals Process Monitor on Windows, Wireshark for command-and-control traffic capture inside the sandbox, and anti-VM checks through CPUID and MAC OUI inspection. Reverse engineering is covered with Ghidra (NSA, 2019) and x64dbg, followed by the IoC taxonomy spanning hashes, IP addresses, domains, registry keys, and mutexes; OASIS STIX and TAXII for threat intelligence sharing; David Bianco's Pyramid of Pain (2013); and the MITRE ATT&CK tactics and techniques matrix.
For FACT aspirants and MSc digital forensics students working through malware analysis and incident response modules, and useful as a revision pass before NFSU MSc, GREM, GCFA, and CHFI exams. Questions emphasise definitions, tooling, and the registry and file system artefacts an incident responder hunts for, with explicit references to NIST SP 800-83, NIST SP 800-86, and the standard textbooks by Sikorski and Honig, Ligh and colleagues, and Casey.
Topics covered:
Useful for revision and self-testing before the FACT Digital Forensics paper.
Allow 30 minutes.
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.