GoSecure/malware_investigation_template
Malware Investigation Template

Because .idb files should be version controlled.

Warning

Large binary files like pcap files don’t belong in git. The repository will slow down once it reaches a few gigabytes. To avoid pushing pcap files by mistake the pcaps/ directory is ignored in .gitignore.

Starting an investigation

  1. Fork this repository using github or via command-line (specify the investigation name):

     git clone https://github.com/GoSecure/malware_investigation_template.git Win32.Bad.A
     cd Win32.Bad.A

  2. Configure where the pcaps will be rsync'ed:

     echo 'PCAP_DST=<rsync path spec>' > .config.sh

  3. Get rid of the original .git metadata and initialize a new git tree:

     rm -r .git/
     git init

Voilà!

Note
Forks of public repositories can’t be made private on github. It is advised to use the command-line and push to a private repo if you plan on hosting your analysis on github.

Usage

Pcaps

A helper script is provided to sync pcap files. Use the push command to send files and the pull command to receive them.

For example:

$ src/helpers/pcaps.sh push
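A minimal helper of this shape, as an added example and not the repository's own src/helpers/pcaps.sh (which this page does not reproduce): it reads PCAP_DST from .config.sh, refuses to run without it, and rsyncs pcaps/ in the chosen direction. The rsync flags and the FROM/TO variables are assumptions.

```shell
#!/bin/sh
# Added example of a pcaps.sh-style helper (not the project's own script).
# Assumes .config.sh defines PCAP_DST, as the README describes, and that rsync is installed.
set -eu

CONFIG_FILE="${CONFIG_FILE:-.config.sh}"   # written by: echo 'PCAP_DST=<rsync path spec>' > .config.sh
PCAP_DIR="${PCAP_DIR:-pcaps}"              # the git-ignored directory holding the captures

# Source the analyst's local config and require a non-empty PCAP_DST.
# Sourcing executes the file, so it must be the analyst's own .config.sh.
load_pcap_dst() {
    if [ ! -r "$CONFIG_FILE" ]; then
        echo "error: $CONFIG_FILE missing; create it with PCAP_DST=<rsync path spec>" >&2
        return 1
    fi
    case "$CONFIG_FILE" in
        */*) . "$CONFIG_FILE" ;;
        *)   . "./$CONFIG_FILE" ;;   # a plain '. .config.sh' would search PATH, not the cwd
    esac
    if [ -z "${PCAP_DST:-}" ]; then
        echo "error: PCAP_DST is empty in $CONFIG_FILE" >&2
        return 1
    fi
}

# Resolve the rsync endpoints for a direction into FROM and TO without running
# anything, so they can be printed for review or checked in a test. Trailing
# slashes make rsync copy the directory's contents instead of nesting pcaps/.
pcaps_endpoints() {
    dst="${2%/}/"
    src="${PCAP_DIR%/}/"
    case "$1" in
        push) FROM="$src"; TO="$dst" ;;
        pull) FROM="$dst"; TO="$src" ;;
        *)    echo "usage: $0 push|pull" >&2; return 2 ;;
    esac
}

main() {
    load_pcap_dst
    pcaps_endpoints "$1" "$PCAP_DST"
    echo "+ rsync -av --partial $FROM $TO" >&2
    rsync -av --partial "$FROM" "$TO"
}

# Only dispatch when invoked with a command, e.g. `src/helpers/pcaps.sh push`.
[ $# -eq 0 ] || main "$@"
```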

Integration with malboxes

Coming soon…

License

I don't think this is copyrightable because it is just a bunch of directory names, some documentation and a small script, but just in case, here we go:

Under CC0 license: https://creativecommons.org/publicdomain/zero/1.0/
To the extent possible under law, GoSecure Inc. has waived all copyright and
related or neighboring rights to this repository's content.

Contribute

Contributions to this template are welcome!
