Affiliate disclosure
Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases — at no additional cost to you.
Chapter 32 — Further Reading
Foundations (🔬 / deeper)
- "Practical Malware Analysis" — Sikorski & Honig (No Starch Press). The canonical textbook: the safe lab, static and dynamic analysis, the PE format, anti-analysis, and (further than this chapter goes) hands-on reverse engineering, with labs and a solutions key. If you read one book after this chapter, read this one.
- "Learning Malware Analysis" — Monnappa K A (Packt). A modern, example-driven companion strong on dynamic analysis, memory forensics integration, and code-injection techniques — excellent for turning the chapter's concepts into muscle memory.
- "The Art of Memory Forensics" — Ligh, Case, Levy & Walters (Wiley). Where the running malware gets analyzed; the natural pairing with Chapter 22 and with the YARA-in-memory technique from this chapter. Its companion, the "Malware Analyst's Cookbook," is a recipe shelf for the tasks here.
Approachable explanations (everyone)
- MITRE ATT&CK (
attack.mitre.org). The free, browsable taxonomy behind every technique ID in this chapter. Look upT1547.001,T1055,T1071.001and read the detection guidance — it tells you what to hunt for, not just what to name. - David Bianco, "The Pyramid of Pain" (the original blog post). Two pages that reframe IOC production for life: invest detection effort where it hurts the attacker, not where it is easiest to collect.
- OALabs, MalwareTech, and Marcus Hutchins / @herrcore (YouTube & blogs). Free, superbly clear walk-throughs of real samples — unpacking, config extraction, and "what does this actually do" — that show the tools of this chapter in motion.
In practice (💾 Recovery · 🔍 Examiner · 🛡️ IR · 📜 Legal)
- 🛡️ REMnux (
remnux.org, Lenny Zeltser) & FLARE-VM (github.com/mandiant/flare-vm). The two free platforms the chapter is built on. Install both in an isolated hypervisor — this is your lab. - 🛡️ CAPE Sandbox (
github.com/kevoreilly/CAPEv2) and Cuckoo. Self-hosted automated sandboxes with automatic unpacking and config extraction — the OPSEC-correct choice for targeted samples. - 🔍 YARA documentation (
yara.readthedocs.io) and Sigma (github.com/SigmaHQ/sigma). The two detection languages to actually write in — files/memory and logs respectively. Read real rules in the SigmaHQ repo to learn idiom. - 💾 No More Ransom (
nomoreransom.org) and the Emsisoft decryptor list. Where family attribution becomes free recovery — the Crypto Sheriff identifies a family from a note and a sample, and lists whether a decryptor exists (Case Study 1's lifeline). - 🛡️ The DFIR Report (
thedfirreport.com) and abuse.ch (MalwareBazaar, URLhaus). Real intrusion write-ups full of IOCs and TTPs, plus a community sample source for safe practice. - 📜 SANS FOR610 / GREM. The reverse-engineering-malware course and certification path; pairs with the legal-authority material in Chapter 25 for handling samples lawfully.
Reference (this book)
- Appendix A — File Signatures Reference: the
MZ/PE\0\0/\x7fELFmagic bytes for carving executables. - Appendix B — Python Forensics Toolkit: the
pe_triage.pyimports-and-entropy script. - Appendix C — Tool Reference and Appendix J — Practice Images and Lab Setup: every tool named here, plus where to safely source samples and build the lab.
- Chapter 22 — Memory Forensics · Chapter 12 — Ransomware Recovery · Chapter 30 — Anti-Forensics: the chapters this one threads back to.
Do, don't just read
- Stand up the lab. Build REMnux + FLARE-VM on a host-only network with snapshots; verify the network adapter is isolated with your own eyes before anything else.
- Triage a real sample safely. Pull a known sample from MalwareBazaar (password-protected zip), and run the full static pass —
file, hashes,strings(both encodings),pefile, section entropy — without ever uploading it. - Write and run a YARA rule keyed to a durable indicator, then scan a folder and a memory image with it.
- Practice the mechanics on safe software: UPX-pack a copy of
notepad.exe, watch the entropy jump and the imports shrink, and run Regshot around a benign installer to see Run-key and file changes appear.
Next: Chapter 33 — Cryptocurrency Investigation: follow the money the weapon was built to extract — trace the wallets, cluster the addresses, and turn the ransom demand into a blockchain trail.