Now that we have the fundamentals in place, it is important to understand that malware forensics is different from malware analysis. Malware analysis involves capturing a sample of the malware and performing a static or dynamic analysis on it. Here, the compiled and obfuscated code is reversed in order to try and determine what the malware was programmed to do.

Malware forensics, on other hand, attempts to locate and examine the forensic artifacts that exist on system media, RAM, and network to help answer whether the system was compromised, how was it done, what was the infection vector, which particular malware was involved, what data is exfiltrated, and so on.

In the previous section, we looked at the IOC and how they help in identifying whether a system or network has been compromised. While this helps in cases where the compromise has been caused by known malware; for zero day or yet unknown malware or its variants, a malware forensic investigation needs to...