Add markdown wiki with 473 pages and zk browser

Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
tobias
2026-03-28 19:50:36 +01:00
parent b13db23a5e
commit e62a14dafc
478 changed files with 7683 additions and 5 deletions
@@ -0,0 +1,84 @@
# Static Properties Analysis
> Systematic static examination of a suspicious file without executing it. Works for PE, ELF, .NET, scripts, and documents.
**FOR610 Labs:** 1.1, 2.1, 4.1
## Steps
### Step 1: File Identification & Hashing
**Tools:** [[tools/file|file]], [[tools/trid|trid]], [[tools/exiftool|exiftool]], [[tools/sha256sum|sha256sum]]
Determine file type using magic bytes. Compute hashes (MD5, SHA256) for lookup and documentation. Record file size and timestamps.
```bash
file specimen.exe
trid document.doc
exiftool document.pdf
```
### Step 2: Reputation Check
**Tools:** [[tools/malwoverview|malwoverview]], [[tools/virustotal-search|virustotal-search]]
Look up hash on VirusTotal/MalwareBazaar. If known malware, note family name and detection rate. If clean or unknown, continue analysis.
```bash
malwoverview -v <hash>
```
### Step 3: Packing & Entropy Check
**Tools:** [[tools/diec|diec]], [[tools/peframe|peframe]]
Check for packing indicators and high entropy sections. Look for: unusual section names, small import table, high entropy (>7.0). If packed, consider the Unpacking Workflow.
```bash
diec specimen.exe
peframe specimen.exe
```
### Step 4: String Extraction
**Tools:** [[tools/strings|strings]], [[tools/floss|floss]], [[tools/pestr|pestr]]
Extract readable strings. Use FLOSS for obfuscated/stack strings. Look for: URLs, IPs, domains, registry keys, file paths, error messages, API names.
```bash
strings binary.exe
floss specimen.exe
pestr specimen.exe
```
### Step 5: Capability Detection
**Tools:** [[tools/capa|capa]], [[tools/yara|yara]]
Identify capabilities mapped to MITRE ATT&CK. Scan with YARA rules for known malware families. Look for: persistence, C2, evasion, lateral movement capabilities.
```bash
capa specimen.exe
yara-rules specimen.bin
```
### Step 6: Import & Export Analysis
**Tools:** [[tools/peframe|peframe]], [[tools/capa|capa]]
Examine imported DLLs and functions. Map imports to behavior categories: networking (ws2_32), crypto (advapi32), process manipulation (kernel32). Check exports for DLL functionality.
```bash
peframe specimen.exe
capa specimen.exe
```
### Step 7: Disassembly (if needed)
**Tools:** [[tools/ghidra|ghidra]], [[tools/cutter|cutter]], [[tools/radare2|radare2]]
Load into disassembler for code-level analysis. Start at entry point, trace key functions. Use decompiler for C-like view.
```bash
ghidra
cutter specimen.exe
r2 specimen.exe
```
### Step 8: Document Findings
Record IOCs: hashes, IPs, domains, file paths, registry keys, mutexes. Classify: malware family, capabilities, confidence level. Decide: continue to behavioral analysis?
#static #triage #pe-analysis #elf-analysis #workflow
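Review bot: the Step 1 text says to compute MD5 and SHA256 hashes and links sha256sum, but the Step 1 code block shows only the identification commands (`file`, `trid`, `exiftool`); add the hashing the step promises, e.g. `sha256sum specimen.exe` and `md5sum specimen.exe`, so the block matches the prose and the analyst records hashes before the reputation lookup in Step 2 that depends on them. Two consistency points in the same file: the sample filename drifts between `specimen.exe`, `binary.exe` (Step 4) and `specimen.bin` (Step 5), and Step 5 runs `yara-rules specimen.bin` while the tool link is `[[tools/yara|yara]]`; if `yara-rules` is a project wrapper that bundles a rule set, document that (or link its own tool page), otherwise yara needs a rules argument, e.g. `yara -r rules/ specimen.exe`.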