
Summary

In the first chapter, we learned about reverse engineering and its importance when analyzing malware. Before beginning our reverse engineering adventures, we have to learn the system we are analyzing. We discussed the three main areas of the Windows operating system environment: memory, disk, and the registry. In this chapter, we aimed to find malware on a compromised Windows system by extracting suspected files. To do that, we listed the common startup areas of the system that we can search. These areas include the registry, scheduled tasks, and the startup folder.

We learned that typical malware behaves by installing itself and running code that harms the system. Malware installs itself primarily for persistence, which results in the malware file being triggered most of the time the system is online. We then listed a few behaviors that explain why malware is called malicious. This malicious code covers anything connected to crime for monetary or political gain, such as ransom and backdoor access.

We ended this chapter by listing tools we can use to easily identify the suspected files. We first introduced pre-existing Windows tools such as the Registry Editor, Task Manager, and the Task Scheduler. We followed these with two more tools from Sysinternals: Autoruns and Process Explorer. With these tools at hand, we should be able to list our suspected files. However, as with any other task, we will master identification faster with practice and experience.
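The startup areas summarized above (Run/RunOnce keys, startup folders, scheduled tasks) can be enumerated in one pass and reviewed for suspected files. The following read-only PowerShell script is an added example, not code from the book; the "suspect" heuristic (an executable outside the Windows or Program Files directories) is an assumption chosen for illustration, so treat it as a prompt for closer inspection rather than a verdict.

```powershell
# Added example: enumerate common Windows autostart locations for review.
# Read-only; it changes nothing on the system.

$findings = New-Object System.Collections.Generic.List[object]

function New-Finding([string]$Source, [string]$Location, [string]$Name, [string]$Command) {
    # Heuristic (assumption): flag commands not rooted in Windows or Program Files.
    $suspect = $Command -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)'
    [PSCustomObject]@{ Source = $Source; Location = $Location; Name = $Name
                       Command = $Command; Suspect = $suspect }
}

# 1. Registry Run and RunOnce keys (machine-wide and current user)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties PowerShell adds to registry items
    foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
        $findings.Add((New-Finding 'Registry' $key $name ([string]$props.$name)))
    }
}

# 2. Per-user and all-users startup folders
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add((New-Finding 'StartupFolder' $dir $_.Name $_.FullName))
    }
}

# 3. Scheduled tasks: record each action's executable and arguments
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            $findings.Add((New-Finding 'ScheduledTask' $task.TaskPath $task.TaskName $cmd))
        }
    }
}

# Suspect entries first, so the reviewer's attention goes to them
$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Cross-check anything flagged against Autoruns and Process Explorer, since legitimate software also installs from user-writable paths and the heuristic says nothing about entries that use environment variables such as %windir%.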
