Anuj Soni has written a fine post at the SANS Digital Forensics and Incident Response blog entitled How to Track Your Malware Analysis Findings. In the post, Anuj asserts that a truly successful malware analysis requires "both a well-crafted process and detailed documentation of the journey through that process". This is a spot-on observation, and it applies equally to investigations in which documenting Internet identifier systems (domain names, Internet addresses, autonomous system numbers) is critical.
Anuj also mentions that "meticulous documentation allows you to easily retrace your analysis flow (particularly important if the work supports any litigation), and it facilitates information sharing so others can benefit from your analysis approach and results." These, too, are consistent with principles I've described in my Thought Paper on Domain Seizures and Takedowns.
Just as Anuj has created a template to record analysis details when performing malware analysis of Windows executables, so I have created an Identifier Systems Investigations Template (ISIT), in Word. These templates have sections for:
- DNS and domain intel, including domain names of interest, class of abuse, name server and zone data of interest;
- Domain name registration information from domain whois;
- IP and ASN whois information; and
- Reputation data for domains, addresses, MX records and hosted or attachment malware.
In some respects, these templates might be more useful as web forms, especially in circumstances where you're investigating lists of domains and have whois records, dig output, raw email messages, web page screenshots, or HTML for each of these. I've identified places where you might want to link or upload files of supporting data should you choose to make web forms.
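To show what "supporting data" for the template's sections can look like when captured in a form that can be retraced later, here is an added example (my own illustration, not part of the ISIT or of Anuj's template). It parses constructed dig answer output and a constructed whois record into the DNS and domain-whois sections, and records a SHA-256 digest and timestamp for each raw artifact so that the evidence behind a finding can be verified later. The field names, the `Investigation` structure and the sample data are assumptions made for this example.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone


@dataclass
class DnsRecord:
    name: str
    ttl: int
    rtype: str
    rdata: str


@dataclass
class Evidence:
    label: str
    sha256: str
    size: int
    collected_at: str


@dataclass
class Investigation:
    """One ISIT-style record; section names are assumptions for this example."""
    case_id: str
    domains_of_interest: list = field(default_factory=list)
    class_of_abuse: str = ""
    dns_records: list = field(default_factory=list)      # DNS and domain intel
    domain_whois: dict = field(default_factory=dict)     # domain whois
    ip_asn_whois: dict = field(default_factory=dict)     # IP / ASN whois
    reputation: dict = field(default_factory=dict)       # reputation data
    evidence: list = field(default_factory=list)         # hashes of raw artifacts


def parse_dig_answer(text):
    """Parse 'dig +noall +answer' style lines: name ttl IN type rdata."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)  # rdata may contain spaces (e.g. MX priority)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl, _cls, rtype, rdata = parts
        records.append(DnsRecord(name.rstrip("."), int(ttl), rtype, rdata.strip()))
    return records


def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (e.g. Name Server) become lists."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith(("%", "#", ">>>")):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key and value:
            fields.setdefault(key, []).append(value)
    return fields


def attach_evidence(inv, label, content, when=None):
    """Record a digest of the raw artifact so the finding can be re-verified."""
    ts = (when or datetime.now(timezone.utc)).isoformat()
    ev = Evidence(label, hashlib.sha256(content).hexdigest(), len(content), ts)
    inv.evidence.append(ev)
    return ev


def to_dict(inv):
    return asdict(inv)


def to_json(inv):
    return json.dumps(to_dict(inv), indent=2)


# Constructed sample artifacts (not real data; .test is a reserved TLD).
SAMPLE_DIG = """
; <<>> DiG 9.18 <<>> example.test
example.test.\t\t300\tIN\tA\t192.0.2.10
example.test.\t\t300\tIN\tMX\t10 mail.example.test.
example.test.\t\t3600\tIN\tNS\tns1.example.test.
"""

SAMPLE_WHOIS = """
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2024-01-15T00:00:00Z
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.EXAMPLE.TEST
"""


def build_example():
    """Fill one investigation record from the constructed artifacts above."""
    inv = Investigation(case_id="CASE-0001", class_of_abuse="phishing")
    inv.domains_of_interest.append("example.test")
    inv.dns_records = parse_dig_answer(SAMPLE_DIG)
    inv.domain_whois = parse_whois(SAMPLE_WHOIS)
    attach_evidence(inv, "dig example.test", SAMPLE_DIG.encode())
    attach_evidence(inv, "whois example.test", SAMPLE_WHOIS.encode())
    return inv


if __name__ == "__main__":
    print(to_json(build_example()))
```

The digests are the point: a screenshot, raw e-mail or dig capture linked from a web form is only useful in litigation or in shared analysis if the reader can confirm it is the same artifact the investigator looked at, and a hash plus collection time gives that without copying the file into the record.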
In the same spirit of sharing and learning as Anuj offered, feel free to use this template and tailor it to your own methodology. Email me with suggestions and I'll try to update it regularly.