File analysis: What is this file? Broad steps...

  1. Record the details of where the file was found.
  2. Hash it to obtain a "fingerprint" of the file, used to find identical files.
  3. "Fuzzy" hash it to find similar files.
  4. Classify its format, target architecture (hardware and software), the language it was written in, and the compiler/assembler used to create it.
  5. Scan the file for malware signatures.
  6. Analyze the file for malware properties (are there oddly obfuscated areas? are there odd calls?).
  7. Extract strings and any symbol table information.
  8. Look for armoring, such as wrappers, packers, or encryption — very few legitimate executables have any need for these.
  9. Look at the linking: is it statically linked? Is it dynamically linked? If dynamically linked, what shared libraries does it use?
  10. Look online to see whether other people have more information about the file.
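As an added example (not part of the original slides), the script below carries out the steps that can be done offline with only the file's bytes: step 2 (SHA-256 fingerprint), step 4 (format and architecture from the magic bytes and ELF header), step 7 (printable strings), step 8 (a byte-entropy heuristic for packing or encryption) and step 9 (static vs. dynamic linking from the ELF64 program headers). The sample input is a constructed, minimal ELF64 x86-64 image containing only headers and strings; the function and field names are the author's own choices, not from a library.

```python
import hashlib, math, re, struct
from collections import Counter

def sha256_hex(data):
    """Step 2: exact fingerprint for finding identical files."""
    return hashlib.sha256(data).hexdigest()

def classify(data):
    """Step 4: format and target architecture from the magic bytes / ELF header."""
    if data[:4] == b"\x7fELF":
        fmt = "<H" if data[5] == 1 else ">H"  # EI_DATA: 1 = little endian, 2 = big endian
        machine = struct.unpack_from(fmt, data, 18)[0]  # e_machine field
        arch = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}.get(machine, hex(machine))
        return f"ELF {'64' if data[4] == 2 else '32'}-bit {'LE' if data[5] == 1 else 'BE'} {arch}"
    if data[:2] == b"MZ":
        return "PE (Windows executable)"
    return "unknown"

def printable_strings(data, min_len=4):
    """Step 7: runs of printable ASCII, as strings(1) reports them."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def entropy(data):
    """Step 8: Shannon entropy in bits/byte; packed or encrypted bodies approach 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def elf64_linking(data):
    """Step 9: scan ELF64 program headers; PT_DYNAMIC (2) or PT_INTERP (3) => dynamically linked."""
    fmt = "<" if data[5] == 1 else ">"
    phoff = struct.unpack_from(fmt + "Q", data, 32)[0]          # e_phoff
    phentsize, phnum = struct.unpack_from(fmt + "HH", data, 54)  # e_phentsize, e_phnum
    types = {struct.unpack_from(fmt + "I", data, phoff + i * phentsize)[0] for i in range(phnum)}
    return "dynamic" if types & {2, 3} else "static"

def build_sample_elf(dynamic=True):
    """Constructed minimal ELF64 x86-64 image (headers + strings, no code) to exercise the steps."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9  # ELFCLASS64, little endian, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    def phdr(ptype, off, size):
        return struct.pack("<IIQQQQQQ", ptype, 4, off, 0, 0, size, size, 1)
    body = interp + b"hello from sample\0"
    return ehdr + phdr(3 if dynamic else 1, 176, len(interp)) + phdr(1, 0, 176 + len(body)) + body

if __name__ == "__main__":
    sample = build_sample_elf()
    print(sha256_hex(sample), classify(sample), elf64_linking(sample), round(entropy(sample), 2))
    print(printable_strings(sample))
```

Steps 3, 5 and 6 need a fuzzy-hash implementation and signature databases, and steps 1 and 10 need information from outside the file, so they are not covered here.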


slide 1/13
Florida State University, 2018