Recommended first steps for a first-level analyst
The following recommendations should only be implemented by a person with some security expertise. If you do not have the necessary expertise to follow the instructions below, ask a specialist for help. If possible, communicate with them via secure channels using the guidelines in the Safer Communications section.
The first steps to take:
- If one of the indicators of compromise is an email, gather its full headers and analyze them. Google also provides a simple tool that does this automatically.
- If possible, securely obtain the malware itself and look up its hashes on VirusTotal to see whether the file has already been uploaded.
- If the file is not confidential, you can also upload it to Malwr and analyze the result.
- If the suspicious file comes from a link, get the full URL and run it in:
What is next?
Step 1: Information collection for further analysis
The following information is critical for any further analysis, by you or by anyone else. It is recommended to collect most – and if possible all – of the information below for further analysis:
- Information on the system (hardware, OS details, including version and update status)
- Location of the victim and system localization (source IP, country, language of the user)
- List of users sharing the same device
- In case of suspicious email: full headers
- In case of a link: the full link, timestamp and screenshot
- It would also be useful to have a dump of the webpage, and a packet capture of the connection to it
- See CIRCL's tutorial on memory dumps
- See CIRCL's tutorial on disk images
- Results from any integrity-check tool (if one was used)
- Evaluate the possibility of remote forensics and, if feasible, establish a proper channel of communication
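The two artefacts the first steps and Step 1 both ask for, full email headers and file hashes for a VirusTotal lookup, can be collected with the Python standard library alone. This is an added example, not part of the original guide; the message, addresses and attachment content are constructed for demonstration.

```python
import hashlib
from email import policy
from email.parser import BytesParser

def hash_sample(data: bytes) -> dict:
    """Hashes an analyst would look up on VirusTotal (takes file content as bytes)."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}

def summarize_headers(raw: bytes) -> dict:
    """Preserve sender identity, the Received chain (first entry = last hop),
    authentication results, and a hash per attachment for VirusTotal lookup."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return {
        "from": str(msg.get("From", "")),
        "return_path": str(msg.get("Return-Path", "")),
        "message_id": str(msg.get("Message-ID", "")),
        "received": [str(h) for h in msg.get_all("Received", [])],
        "auth_results": str(msg.get("Authentication-Results", "")),
        "attachments": [  # hashed without ever being executed or opened
            {"filename": p.get_filename(),
             "sha256": hash_sample(p.get_payload(decode=True))["sha256"]}
            for p in msg.iter_attachments()
        ],
    }

# Constructed sample message (not a real mail); uses RFC 5737 documentation addresses.
SAMPLE_EMAIL = b"""Return-Path: <bounce@example.invalid>
Received: from mx.example.org (mx.example.org [203.0.113.10])
 by mail.victim.example (Postfix) with ESMTPS id ABC123
 for <user@victim.example>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from [198.51.100.7] by mx.example.org with ESMTP
Authentication-Results: mail.victim.example; spf=fail smtp.mailfrom=example.invalid
From: "IT Support" <support@example.invalid>
Message-ID: <constructed-id@example.invalid>
Content-Type: multipart/mixed; boundary="b1"

--b1

Please open the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"

MZ-not-really-a-binary
--b1--
"""

if __name__ == "__main__":
    print(summarize_headers(SAMPLE_EMAIL))
```

Read the Received chain from the bottom up: the last entry is the hop closest to the sender, and a failing SPF result for the claimed sending domain is worth recording alongside the headers.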
Step 2: Malware analysis
If you do not have the skills to process this information, pass it on to a trusted, trained malware expert or one of the following organizations:
EFF, mail: info[at]eff.org
Citizen Lab, mail: info[at]citizenlab.org
CIRCL, mail: info[at]circl.lu