(Forensic) Malware Analysis = Reverse Engineering?

@TazWake said:

Also, a vast majority of the time, malware analysis is looking at malicious documents and scripts rather than pulling apart the internals of a PE/ELF/Mach-O file. A malware analyst is likely to be using oletools as much as they use gdb. At a basic level, malware analysis can be as simple as dropping a file into PEStudio - that gets a massive amount of the information you need for DFIR.

Hello. Thanks for your detailed answer.

The things you wrote about a malware analyst are what I’m more interested in. I think as a defender/blue teamer the identification of IOCs or

So, tl;dr - they are very similar. A good reverse engineer will be good at malware analysis. A good malware analyst will probably have learned reverse engineering.

@tXxc said:
Should I first start with some basics of RE and then dive deeper into MA?

I don’t think it matters. If you start with RE of executables, the main MA you’d need to cover is the script/maldoc stuff. If you start with MA, then at some point you are going to need to learn RE.

I interpret this to mean that I should just start with the ‘analysis’ of the forensics challenges. There is no straighter path. I think I will dive deeper into some topics when I’m doing the tasks (e.g. usage of oletools, what OLE means, Visual Basic/macros, structure of Excel documents etc., based on the challenge/topic).

@sparkla said:

I’m an expert in neither of those things, but in my opinion to do proper MW you should be strong in RE; at the same time you gotta have the patience to reverse heavily obfuscated interpreter code like JavaScript, PHP and, as someone mentioned, Office documents, Word macros, etc. Good knowledge of how DNS works in conjunction (C&C servers…) and knowledge of modern irl attack paths would round that up.

The only thing I don’t see fitting here is Forensics: sure, MWA is part of forensics, but the other way round, forensics is a lot more than MWA.

There’s a couple of YouTube channels dedicated to MWA that may give you an idea which organisations actually focus on MWA.

Yeah, I think you are right. MWA is a part of forensics. So (in my opinion) if you know something about forensics, forensic tools or a general procedure, it would help you to get better at MWA. Or in general: there are different fields of expertise that are relevant if you want to become an expert in MWA.
Edit: I found the YouTube channel of “HackerSploit”. He has a playlist about MA. This looks pretty good.