============================================================
  Behavioral Analysis
============================================================

  Monitor runtime behavior in an isolated environment. Applicable to any executable or script on Linux (REMnux) or Windows.

  Related FOR610 Labs: 1.2, 1.4, 1.6, 4.5

────────────────────────────────────────────────────────────

  Step 1: Environment Preparation
  Revert to clean snapshot. Disconnect from production
  network. Verify isolation (host-only networking). Set
  max execution time (2-5 minutes).

  Step 2: Network Interception Setup
  Tools: fakedns, inetsim, fakenet-ng
  Start fake DNS and service emulation so malware gets
  responses. On REMnux: fakedns for DNS, INetSim or
  FakeNet-NG for HTTP/HTTPS/SMTP/FTP.

    $ fakedns
    $ inetsim
    $ fakenet

  Step 3: Monitoring Setup
  Tools: wireshark, tcpdump, strace
  Start packet capture (wireshark or tcpdump). On Linux:
  strace for system calls, ltrace for library calls. Start
  filesystem monitoring.

    $ wireshark
    $ tcpdump -i eth0 -w capture.pcap

  Step 4: Emulation (Safe Alternative)
  Tools: speakeasy, capa
  Before live execution, try emulation: speakeasy
  emulates Windows API calls on Linux safely. Run capa
  for a capability overview (add -vv for per-match detail).

    $ speakeasy -t specimen.exe -o report.json 2> report.txt
    $ capa specimen.exe

  Step 5: Execute & Monitor
  Run the sample with a timeout. Monitor for: new
  processes spawned, files created/modified, network
  connections, DNS queries. Kill after 2-5 minutes.

  Step 6: Analyze Results
  Tools: wireshark, procdot
  Review network capture: follow TCP streams, extract
  payloads, identify C2 patterns. Analyze process
  activity logs. Map filesystem changes.

    $ wireshark
    $ procdot

  Step 7: Extract IOCs
  Document: contacted domains/IPs, created
  files/registry keys, spawned processes, persistence
  mechanisms. Classify behavior: downloader, backdoor,
  ransomware, etc.
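  Added example (not part of fhelp or the FOR610 material): a small parser that turns a Step 3 'strace -f' log into the Step 7 IOC list (spawned processes, created files, contacted endpoints). It assumes the log came from 'strace -f -o trace.log' wrapped around the timed run in Step 5; the excerpt below is constructed, not output from a real sample.

```python
import re

# Constructed 'strace -f' excerpt for illustration only (not a real sample); IPs are documentation ranges.
SAMPLE_STRACE = """\
1201  execve("/tmp/specimen", ["/tmp/specimen"], 0x7ffc1e2b3c40 /* 12 vars */) = 0
1201  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1201  openat(AT_FDCWD, "/tmp/.cache-x11", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 4
1201  connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.56.1")}, 16) = 0
1201  connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.77")}, 16) = 0
1201  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f3c2a0e8a10) = 1202
1202  execve("/bin/sh", ["sh", "-c", "uname -a"], 0x55d0c7d3e2a0 /* 12 vars */) = 0
1202  openat(AT_FDCWD, "/etc/cron.d/update", O_WRONLY|O_CREAT, 0644) = -1 EACCES (Permission denied)
1201  connect(7, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("198.51.100.23")}, 16) = -1 ECONNREFUSED (Connection refused)
"""

EXECVE = re.compile(r'^\s*(\d+)\s+execve\("([^"]+)", \[([^\]]*)\]')
OPEN = re.compile(r'^\s*(\d+)\s+open(?:at)?\((?:AT_FDCWD, )?"([^"]+)", ([A-Z_|]+)[^)]*\) = (-?\d+)')
CONNECT = re.compile(r'^\s*(\d+)\s+connect\(\d+, \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
                     r'sin_addr=inet_addr\("([\d.]+)"\)\}, \d+\) = (-?\d+)')

def extract_iocs(strace_text):
    """Collect spawned processes, created files and contacted endpoints from strace -f output."""
    iocs = {"processes": [], "created_files": [], "connections": []}
    for line in strace_text.splitlines():
        m = EXECVE.match(line)
        if m:
            argv = re.findall(r'"([^"]*)"', m.group(3))
            iocs["processes"].append({"pid": int(m.group(1)), "argv": argv})
            continue
        m = OPEN.match(line)
        if m and "O_CREAT" in m.group(3):
            # A refused create (= -1) is still an attempted write worth documenting
            iocs["created_files"].append({"path": m.group(2), "ok": int(m.group(4)) >= 0})
            continue
        m = CONNECT.match(line)
        if m:
            port = int(m.group(2))
            iocs["connections"].append({"ip": m.group(3), "port": port,
                                        "ok": int(m.group(4)) == 0, "dns": port == 53})
    return iocs

def c2_candidates(iocs):
    """Non-DNS endpoints the sample tried to reach, including refused connections."""
    return sorted({(c["ip"], c["port"]) for c in iocs["connections"] if not c["dns"]})

if __name__ == "__main__":
    found = extract_iocs(SAMPLE_STRACE)
    print(found, "C2 candidates:", c2_candidates(found), sep="\n")
```

Refused connects are kept on purpose: with fake DNS answering every query, the destination the sample asked for matters more than whether INetSim happened to be listening on that port.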

────────────────────────────────────────────────────────────
  Tip: 'fhelp cheat <tool>' for full examples
       'Ctrl+G' for interactive cheatsheet browser
