DFIR Lab

What is basic static analysis

Basic static analysis is the process of examining a file, program, or piece of software without executing it, to understand its structure, contents, and likely behavior. It’s widely used in malware analysis, vulnerability research, reverse engineering, and forensics because it’s safe (no execution) and often fast.

What you inspect (common artifacts)

  • File identification and metadata: filename, size, file type/magic bytes, timestamps, digital signatures/certificates.
  • Cryptographic hashes: MD5/SHA1/SHA256 for triage, lookup, and tracking.
  • Strings: readable ASCII/UTF-16 text that can reveal URLs, file paths, commands, error messages, or embedded secrets.
  • Imports/API calls: libraries and functions the binary references (e.g., networking, process creation, crypto) suggest capabilities.
  • Sections/layout: code, data, resources, PE/ELF/Mach-O headers and section names/permissions.
  • File format specifics: PE (Windows), ELF (Linux), Mach-O (macOS), APK (Android), JAR/.class (Java), scripts.
  • Embedded resources: icons, config blobs, certificates, compressed blobs, embedded scripts.
  • Entropy and packing indicators: high entropy, unusual sections, or compression/encryption hints that the file is packed/obfuscated.
  • Signatures and YARA rules: matches to known families or malicious patterns.
  • Decompiled/disassembled code (static): control flows, strings referenced from code, suspicious routines.

Typical basic static-analysis workflow

  1. Acquire file copy and take hashes.
  2. Identify file type (magic bytes, file utility).
  3. Run quick triage: AV scan, YARA, reputation/lookup (VirusTotal, threat intel).
  4. Extract readable strings and metadata.
  5. Inspect imports, libraries, and header fields (PE/ELF/Mach-O tools).
  6. Check entropy and section layout for packing.
  7. If needed, open in a disassembler/decompiler to read code paths at a high level.
  8. Document findings and decide whether to escalate to dynamic analysis.

Common tools (examples)

  • File utilities: file, binwalk, exiftool
  • Strings: strings (Sysinternals), binwalk strings
  • Format-specific: readelf, objdump, dumpbin, pefile, lief
  • Disassembly/decompilation: Ghidra, IDA, radare2, Hopper
  • Triage/reputation: VirusTotal, MalwareBazaar, YARA
  • Hex editors: HxD, bless
  • Entropy and packing: upx, detect tools (but avoid unpacking malicious code without safe lab)

Benefits

  • Safe: no execution means no risk of immediate compromise.
  • Fast triage: identify likely benign vs suspicious samples quickly.
  • Often sufficient to discover indicators (C2 URLs, hardcoded credentials, suspicious imports).
  • Supports correlation with threat intel via hashes, strings, YARA matches.

Limitations

  • Cannot observe runtime behavior (network activity, unpacking, dynamic imports).
  • Obfuscated/packed code can hide behavior; static clues may be limited.
  • Decompiled output can be partial/inaccurate — higher expertise needed to interpret low-level code.
  • False negatives: absence of suspicious static indicators doesn’t mean the sample is harmless.

Best practices

  • Work on isolated analysis systems (air-gapped or VMs with no sensitive data).
  • Preserve original sample and record hashes and metadata.
  • Combine static with dynamic analysis for fuller picture.
  • Use trusted intelligence sources and YARA/indicator matching.
  • Document everything and escalate when you see high-risk indicators.

When to use it

  • First-line triage of unknown files.
  • Quick identification of obvious indicators (URLs, IPs, suspicious APIs).
  • When execution is too risky or resources for dynamic analysis are limited.

Posted

in

, ,

by

kb001

Tags: