Ransomware, Malware, and Intrusions: A Step-by-Step Analysis Methodology
- Sep 15

When I look back at all the articles, guides, and tool walkthroughs I’ve written, one question keeps coming up:
“Where do we actually start?”
It’s true—I’ve shown you dozens of tools, ways to parse artifacts, and countless steps for analysis. But an investigator or IR professional still needs a structured process. That’s why I decided to create this methodology.
Think of it as a roadmap. Every investigation is different—you may skip some steps or add a few more depending on the case—but this gives you a clear starting point and flow to follow. Along the way, I’ll point to my detailed articles so you can dive deeper into each stage.
-------------------------------------------------------------------------------------------------------------
1. Mount Disk Image and Scan with Multiple AV Products
This is the “low-hanging fruit.” Always start simple.
Mount your image with Arsenal Image Mounter (my go-to).
Or collect the image in VHDX format using KAPE (which I always do).
FTK Imager is another solid option.
📌 Guides:
KAPE Series: https://www.cyberengage.org/courses-1/kape-unleashed%3A-harnessing-power-in-incident-response
FTK Imager Quick Guide (PDF available under Resume → Quick Guides): https://www.cyberengage.org
-------------------------------------------------------------------------------------------------------------
2. Generate a Super Timeline
You need context around suspicious events. A super timeline shows you what happened before, during, and after.
Use log2timeline/Plaso (my personal choice).
Or Magnet AXIOM (great commercial option).
📌 Guides:
Log2timeline article: https://www.cyberengage.org/courses-1/decoding-timeline-analysis-in-digital-forensics
-------------------------------------------------------------------------------------------------------------
3. Memory Analysis
Memory tells the real-time story of execution. Focus on:
Running processes and DLLs → dump and scan with AV
Network connections
Rogue or hidden processes
Command history
Malfind for injected code
📌 Guides:
Memory Forensics Series: https://www.cyberengage.org/courses-1/mastering-memory-forensics%3A-in-depth-analysis-with-volatility-and-advanced-tools
Recommended reads:
Step-by-Step Guide to Uncovering Threats with Volatility
MemProcFS/MemProcFS Analyzer: Comprehensive Analysis Guide
-------------------------------------------------------------------------------------------------------------
4. Process the Event Logs
Events give timeline + context. Look for:
Remote logins (Security, TerminalServices-LocalSessionManager/Operational)
Service installs (System Event ID 7045)
Type 3 logons around ransomware execution or PsExec installs
Group policy changes
AV being disabled/uninstalled
Lateral movement
Malicious PowerShell activity
User account creation
Event log clearing
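A first-pass triage over parsed event records, written for this post as an added example (not the author's tooling). It flags the items listed above that map to well-known Event IDs (7045 service install, 4624 Type 3 logon, 4720 user creation, 1102 log clearing) and then builds the "before, during, after" window from section 2 around a hit. The records are constructed in a flat shape resembling EvtxECmd's JSON output; the field names are assumptions, so adapt them to your parser.

```python
"""Triage Windows event records for the indicators in the methodology above.

Added example. SAMPLE_EVENTS is constructed and not taken from any real case;
the flat field layout (time/channel/id/data) is an assumption about what your
evtx parser emits.
"""
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed sample records
    {"time": "2025-09-15T02:10:05", "channel": "Security", "id": 4624,
     "data": {"LogonType": "3", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.25"}},
    {"time": "2025-09-15T02:11:40", "channel": "System", "id": 7045,
     "data": {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}},
    {"time": "2025-09-15T02:12:02", "channel": "Security", "id": 4720,
     "data": {"TargetUserName": "support1"}},
    {"time": "2025-09-15T02:30:00", "channel": "Security", "id": 4624,
     "data": {"LogonType": "2", "TargetUserName": "alice", "IpAddress": "-"}},
    {"time": "2025-09-15T03:05:11", "channel": "Security", "id": 1102,
     "data": {"SubjectUserName": "svc_backup"}},
]

# (channel, Event ID) -> the methodology item it supports.
WATCHLIST = {
    ("System", 7045): "service install",
    ("Security", 4720): "user account creation",
    ("Security", 1102): "event log clearing",
    ("Security", 4624): "logon",
}

def triage(events):
    """Return (label, record) for every event on the watchlist.
    Only network (Type 3) logons are kept; interactive logons are dropped."""
    hits = []
    for ev in events:
        label = WATCHLIST.get((ev["channel"], ev["id"]))
        if label is None:
            continue
        if label == "logon":
            if ev["data"].get("LogonType") != "3":
                continue
            label = "type 3 (network) logon"
        hits.append((label, ev))
    return hits

def context_window(events, anchor, minutes=15):
    """Events within +/- `minutes` of `anchor`, sorted: the before/during/after view."""
    t0 = datetime.fromisoformat(anchor["time"])
    span = timedelta(minutes=minutes)
    return sorted((e for e in events
                   if abs(datetime.fromisoformat(e["time"]) - t0) <= span),
                  key=lambda e: e["time"])
```

Pivot on the 7045 record and the window shows the network logon that preceded the PsExec service install and the account created right after it; the 1102 an hour later is the cleanup.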
📌 Guides:
-------------------------------------------------------------------------------------------------------------
5. File System and MFT
Check:
Suspicious file creations (batch scripts, malware samples, attacker directories)
When encryption started (for ransomware)
Suspicious compressed files → possible exfiltration
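Pinning down "when encryption started" from MFT timestamps, as an added example that is not the author's code. A single renamed file is noise; encryption shows up as a burst of files gaining the ransomware extension within seconds of each other, so the function below looks for the first such burst. The rows are constructed in the column shape of MFTECmd CSV output and the ".locked" extension is a placeholder, not a real family indicator.

```python
"""Estimate ransomware encryption onset from MFT-style file records.

Added example. SAMPLE_ROWS is constructed; the column names mirror MFTECmd
CSV output (ParentPath, FileName, LastModified0x10) and ".locked" is a
placeholder extension.
"""
from collections import Counter
from datetime import datetime, timedelta

SAMPLE_ROWS = [  # constructed sample rows
    {"ParentPath": ".\\Users\\alice\\Documents", "FileName": "q3.xlsx", "LastModified0x10": "2025-09-15 01:58:00"},
    {"ParentPath": ".\\Windows\\Temp", "FileName": "test.locked", "LastModified0x10": "2025-09-15 00:30:00"},
    {"ParentPath": ".\\Users\\alice\\Documents", "FileName": "q3.xlsx.locked", "LastModified0x10": "2025-09-15 02:14:03"},
    {"ParentPath": ".\\Users\\alice\\Documents", "FileName": "budget.docx.locked", "LastModified0x10": "2025-09-15 02:14:05"},
    {"ParentPath": ".\\Users\\alice\\Desktop", "FileName": "notes.txt.locked", "LastModified0x10": "2025-09-15 02:14:20"},
    {"ParentPath": ".\\Users\\alice\\Desktop", "FileName": "README_RESTORE.txt", "LastModified0x10": "2025-09-15 02:14:21"},
    {"ParentPath": ".\\Users\\alice\\Pictures", "FileName": "photo.jpg.locked", "LastModified0x10": "2025-09-15 02:40:00"},
]

def _encrypted(rows, ext):
    return [r for r in rows if r["FileName"].lower().endswith(ext.lower())]

def onset_of_encryption(rows, ext, min_files=3, window_sec=60):
    """Timestamp (ISO string) of the first burst of >= min_files files with `ext`
    modified within window_sec of each other, or None if no burst exists."""
    times = sorted(datetime.strptime(r["LastModified0x10"], "%Y-%m-%d %H:%M:%S")
                   for r in _encrypted(rows, ext))
    span = timedelta(seconds=window_sec)
    for i in range(len(times) - min_files + 1):
        # Sliding window: if the (min_files-1)th later file is still within
        # `span` of this one, this file marks the start of the burst.
        if times[i + min_files - 1] - times[i] <= span:
            return times[i].isoformat(sep=" ")
    return None

def affected_directories(rows, ext):
    """Count encrypted files per directory to see where encryption hit hardest."""
    return Counter(r["ParentPath"] for r in _encrypted(rows, ext))
```

The stray 00:30 file in Temp does not move the onset back, while lowering min_files to 1 would, which is exactly why a burst threshold matters.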
📌 Guides:
MFT parsing with MFTECmd: https://www.cyberengage.org/post/mftecmd-mftexplorer-a-forensic-analyst-s-guide
NTFS Journaling series: https://www.cyberengage.org/courses-1/ntfs-journaling
-------------------------------------------------------------------------------------------------------------
6. Malicious File Executions
Key artifacts:
Amcache
ShimCache
Prefetch
UserAssist (NTUSER.DAT)
📌 Guides:
Windows Forensic Artifacts: https://www.cyberengage.org/courses-1/windows-forensic-artifacts
-------------------------------------------------------------------------------------------------------------
7. Persistence Mechanisms
Always check:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
NTUSER.DAT Run keys
C:\Windows\System32\Tasks
Microsoft-Windows-WMI-Activity/Operational.evtx
📌 Guides:
Registry Forensic Series: https://www.cyberengage.org/courses-1/mastering-windows-registry-forensics%3A
-------------------------------------------------------------------------------------------------------------
8. USN Journal
One of my favorite artifacts—great for file creations & deletions.
📌 Guide:
USN Journal parsing with MFTECmd: https://www.cyberengage.org/post/ntfs-journaling-in-digital-forensics-logfile-usnjrnl-parsing-of-j-logfile-using-mftecmd-ex
-------------------------------------------------------------------------------------------------------------
9. Link Files
See what files were accessed by a compromised account.
📌 Guide:
-------------------------------------------------------------------------------------------------------------
10. Shellbags
Shows which folders were accessed.
📌 Guide:
-------------------------------------------------------------------------------------------------------------
11. Log Analysis
Go beyond Windows:
Firewall/VPN logs
IIS logs
IDS/IPS logs
DNS logs
SIEM-correlated logs
📌 Guide:
Network Forensics: https://www.cyberengage.org/courses-1/network-forensic
-------------------------------------------------------------------------------------------------------------
12. Lateral Movement and Exfiltration
Check:
NTUSER.DAT → Terminal Server Client
WinSCP.ini (shows remote connections & staging folders)
OpenSSH logs
Prefetch for sshd.exe
SRUM DB for large transfers
📌 Guide:
-------------------------------------------------------------------------------------------------------------
13. On-System Email Analysis
Look for phishing origins:
Original email
Suspicious attachments
Malicious documents
📌 Guide:
Identifying malicious software: https://www.cyberengage.org/post/identifying-malicious-software-a-guide-for-incident-responders
-------------------------------------------------------------------------------------------------------------
14. Internet History
Critical for phishing & exfil evidence.
📌 Guide:
Browser forensics series (open-source tools): https://www.cyberengage.org/courses-1/introducing%3A-browser-forensics-%E2%80%93-your-ultimate-guide-to-manual-analysis
-------------------------------------------------------------------------------------------------------------
15. Data Carving
Recover deleted or hidden items.
📌 Guide:
-------------------------------------------------------------------------------------------------------------
16. Index Searching
Search for IOCs in slack space & unallocated clusters.
📌 Guide:
Windows forensic artifacts (indexing section): https://www.cyberengage.org/courses-1/windows-forensic-artifacts
-------------------------------------------------------------------------------------------------------------
Modern Tools Worth Adding (2025)
Velociraptor – IR at scale, timeline generation, artifact parsing.
KAPE – rapid artifact collection.
Eric Zimmerman’s Tools (EZ Tools) – Amcache, Registry, Prefetch, etc.
Timesketch (Timeline Explorer) – timeline review.
Volatility3 – modern memory analysis framework.
-------------------------------------------------------------------------------------------------------------
Final Thoughts
This methodology isn’t about rigid rules. It’s about giving you a process to start with. Each case is different—sometimes you’ll skip steps, sometimes you’ll go deeper in certain areas.
The key takeaway:
Start broad (AV scans, timelines)
Narrow down (memory, logs, persistence, artifacts)
Always document and correlate across multiple data sources
Use this roadmap, explore the linked guides, and adapt it to your investigations.
Stay sharp, and happy hunting!