This repository contains a complete, expert-curated curriculum for Malware Forensics, specifically mapped to the B.Tech KTU Syllabus (CCT352). It is designed to bridge the gap between theoretical malware concepts and hands-on forensic investigation.
Whether you are a student preparing for university examinations or a security enthusiast, this repo provides:
- Module-wise Study Guides (Modules 1-5).
- A Professional Lab Setup Guide for safe malware detonation.
- Detailed Tool Documentation with installation and usage instructions.
- A 100-Question Bank categorized by mark weightage for exam readiness.
The content is structured into five core pillars of Malware Forensics:
- Module 1: Introduction – Malware types (Rootkits, Trojans, Logic Bombs), evolution, and static vs. dynamic analysis fundamentals.
- Module 2: Malware Analysis – System call monitoring, API hooking, Anti-VM techniques, and assembly-level debugging.
- Module 3: Malware Detection – Signature-based detection and its evasion by polymorphic/metamorphic malware vs. non-signature approaches (machine learning, fuzzy hashing).
- Module 4: Incident Response – Live response methodology, the Order of Volatility (OOV), and volatile data collection on Windows/Linux.
- Module 5: OS Forensics – Post-mortem analysis, registry forensics, timeline reconstruction, and malware extraction from dead systems.
This repository covers the most critical tools used in modern digital forensics. The tools discussed are:
- PEStudio: static triage and indicator analysis of PE files.
- Process Monitor (ProcMon): real-time registry, file system and process activity monitoring.
- Wireshark: network packet capture and C2 traffic analysis.
- x64dbg / OllyDbg: assembly-level debugging and patching.
- Volatility Framework: memory forensics and artifact extraction from RAM images.
- FTK Imager Lite: physical/logical disk imaging and RAM capture.
- Registry Explorer: offline registry hive analysis.
- LiME (Linux Memory Extractor): kernel-module-based acquisition of volatile memory on Linux.
Review the Forensic_Lab_Setup_and_Strategy.md file. It explains how to build an isolated ("Host-Only" networking) virtual environment so that a detonated sample cannot reach your host or the outside network.
Follow the module guides in sequence. Each guide includes "Professor's Predicted Questions" to highlight exam-critical topics.
Use the Malware_Forensics_Tool_Documentation.md to install tools on your analysis VM and follow the step-by-step detonation logic.
Test your knowledge using the Malware_Forensics_100_Question_Bank.md. It covers everything from 1-mark definitions to 10-mark scenario-based architectural designs.
Disclaimer: The malware analysis techniques described here should ONLY be performed in a secure, isolated virtual environment. Never execute malware on a production system.