Recommended first steps for a first-level analyst

The following recommendations should only be implemented by a person with some security expertise. If you do not have the necessary expertise to follow the instructions below, ask a specialist for help. If possible, communicate with them via secure channels using the guidelines in the Safer Communications section.

The first steps to take:

  • If one of the indicators of compromise is an email, gather this header, and analyze them. Google also provides a simple tool that does this automatically.
  • If possible, securely obtain the malware itself and look it up on Virus Total with the hashes to see if the file has already been uploaded.
  • If the file is not confidential, you can also upload it on Malwr and analyze the result.
  • If the suspicious file comes from a link, get the full URL and run it in:

What is next?

Step 1: Information collection for further analysis

The following information is critical for any further analysis, by you or by anyone else. It is recommended to collect most – and if possible all – of the information below for further analysis:

  • Information on the system (hardware, OS details, including version and update status)
  • Location of the victim and system localization (source IP, country, language of the user)
  • List of users sharing the same device
  • In case of suspicious email: full headers
  • In case of a link: the full link, timestamp and screenshot
  • It would also be useful to have a dump of the webpage, and a packet capture of the connection to it
  • See tutorial on memory dumps by Circl
  • See tutorial on disk images by Circl
  • Results from tool of integrity check (if used)
  • Evaluate possibility of remote forensics and if so, establish proper channel of communication

Step 2: Malware analysis

If you do not have the skills to process this information, pass it on to a trusted, trained malware expert or one of the following organizations:

EFF;  mail: info[at]

Citizen Lab mail: info[at]

CIRCL mail: info[at]