
MALWARE ANALYSIS BASICS

Analyzing a program's behavior can be done in various ways.

Static analysis examines a program with tools such as disassemblers, decompilers, source code analyzers and basic utilities like strings and grep, without executing it. Its limitation is that only for the smallest programs can static analysis fully predict behavior; it cannot do so for larger programs.

Dynamic analysis examines a program by executing it, using tools such as debuggers, function call tracers, machine emulators, logic analyzers and network sniffers. Its advantage is that it is fast and accurate; its major disadvantage is that what you see is all you get. For this reason it cannot predict the behavior of a non-trivial program, because it is not possible to make a non-trivial program traverse all paths through its code.

Post-mortem analysis is the only tool available after an incident: it studies program behavior by looking at the after-effects of execution. Examples include local or remote logging, changes to file contents or to file access time patterns, deleted file information, data that was written to swap space, data that still lingers in memory, and information that was recorded outside the machine. Its main disadvantage is that the information disappears over time, as normal system behavior erodes the evidence.

Dynamic analysis is a fast and accurate way to test a program's behavior by executing it, but it is not advisable to run an unknown program on your own working system, since it could destroy all information on the machine or send threatening email to other users over the network. To avoid this, run an unknown program in a sandbox. The term sandbox is borrowed from ballistics, where weapons are tested by shooting bullets into a box filled with sand so that no harm is done.

Likewise, a software sandbox is a restricted environment for running software; it can be implemented in several ways, from a sacrificial lamb machine to more subtle techniques. Dynamic analysis is not recommended without safeguards such as sandbox software.
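The following Python script is an added illustration of two of the approaches described above; it is not code from the original page or from the Forensic Discovery book. It shows the static side (a strings-style extractor run over a constructed fake binary, with the recovered strings sorted into indicator categories, none of which requires executing the sample) and the post-mortem side (a MAC-time timeline built from constructed stat records, showing how a single later read overwrites the access time and so erodes the evidence). The sample bytes, file names, timestamps and the indicator patterns are all constructed for the example.

```python
import re

# Constructed sample "binary": a fake header, some non-printable filler and a
# few embedded printable strings of the kind a static triage run would surface.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00"            # "ELF" alone is 3 chars, below min_len
    + bytes(range(0x80, 0xa0))            # non-printable filler
    + b"/var/tmp/.cache/worker\x00"
    + b"http://update.example.invalid/check\x00"
    + b"ab\x00"                           # too short to count as a string
    + b"GET /status HTTP/1.1\x00"
    + bytes(range(0x00, 0x20))            # control bytes
    + b"Usage: worker [options]\x00"
)


def extract_strings(data, min_len=4):
    """Return runs of at least min_len printable ASCII bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


# Constructed indicator categories; a real triage would use a richer set.
INDICATOR_PATTERNS = {
    "url": re.compile(r"^[a-z]+://"),
    "path": re.compile(r"^/"),
    "http_request": re.compile(r"^(GET|POST|HEAD) /"),
}


def classify_strings(strings):
    """Group extracted strings by the indicator pattern they match."""
    found = {}
    for s in strings:
        for label, pat in INDICATOR_PATTERNS.items():
            if pat.search(s):
                found.setdefault(label, []).append(s)
    return found


# Constructed stat records (epoch seconds). The atime of two files is 1300
# because something read them after the event at 1000/1010: the original
# access time is gone, which is the evidence erosion the text describes.
SAMPLE_STAT_RECORDS = [
    {"name": "/var/tmp/.cache/worker", "mtime": 1000, "atime": 1300, "ctime": 1000},
    {"name": "/etc/cron.d/worker", "mtime": 1010, "atime": 1010, "ctime": 1010},
    {"name": "/var/log/auth.log", "mtime": 900, "atime": 1300, "ctime": 900},
]


def mac_timeline(records):
    """Build a mactime-style timeline: (timestamp, 'mac' flags, name) sorted by time.

    Each letter of the flag string is present if that timestamp is the file's
    modification, access or change time respectively, '.' otherwise.
    """
    events = {}
    for rec in records:
        for letter, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime")):
            events.setdefault((rec[key], rec["name"]), set()).add(letter)
    timeline = []
    for (ts, name), letters in sorted(events.items()):
        flags = "".join(l if l in letters else "." for l in "mac")
        timeline.append((ts, flags, name))
    return timeline


if __name__ == "__main__":
    strings_found = extract_strings(SAMPLE_BINARY)
    print("strings:", strings_found)
    print("indicators:", classify_strings(strings_found))
    for ts, flags, name in mac_timeline(SAMPLE_STAT_RECORDS):
        print(ts, flags, name)
```

The strings pass never executes the sample, which is the point of static analysis; the timeline shows why post-mortem evidence has to be collected early, since the two ".a." entries at 1300 have replaced whatever access times existed before.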

Source: "Forensic Discovery" by Dan Farmer and Wietse Venema, published in 2004 by Addison-Wesley.
http://www.porcupine.org/forensics/forensic-discovery/
