RSS feed logo header graphic

Black Hat USA 2008 Training

Caesars Palace Las Vegas • August 2-3 & August 4-5

Malware Analysis: Crash Course


registration button

Course Description

Almost every Incident Response involves some Trojan, back door, virus component, or rootkit.  Incident Responders must be able to perform rapid analysis on the malware encountered in an effort to determine the purpose of unknown code.  This course provides a rapid introduction to the tools and methodologies used to perform dynamic and static analysis on portable executable programs found on Windows systems.  Students will learn to infer the functionality of a program by analyzing disassembly and by watching how it changes a system as it runs.  They will learn how to extract investigative leads from host and network-based indicators associated with a malicious program and how to identify specific coding constructs in disassembly.  They will be taught the art of dynamic analysis, and they will be taught about several Windows APIs most often used by malware authors.  Each section is filled with in class demonstrations, exercises where the students follow along with the instructor, and labs where the students practice what they have learned on their own. 

What You Will Learn:

  • How to create a safe malware analysis environment
  • Malware analysis shortcuts
  • Static Program Analysis Methodology
  • Dynamic Program Analysis Methodology
  • Methodologies-differences between static and dynamic analysis
  • Bits, bytes, binary, decimal, hexadecimal and converting values between the various numbering conventions
  • The fundamentals of assembly language programming
  • How to perform dynamic analysis using system monitoring utilities to capture the system, registry and network activity generated during malware analysis
  • Windows Internals and APIs
  • Debuggers

Who Should Attend the Class:

IInformation technology staff, information security staff, corporate investigators or others requiring an understanding of how malware works and the steps and processes involved in Malware Analysis.

What You Will Get:

  • Student Manual
  • Class handouts
  • MANDIANT gear
  • Free Tools CD with course tools and scripts


  • Excellent knowledge of computer and operating system fundamentals is required. Some exposure to software development is highly recommended.


Nick Harbour is a Senior Engineer with Mandiant and is a well-known innovator in the field of computer security with over seven years experience in computer forensics, network monitoring and software development. 

Prior to joining Mandiant, Nick spent two years as a government contractor engaged in technically challenging projects for a variety of government agencies.  He is knowledgeable in many fields of government efforts and has worked in the intelligence, counterintelligence, military and law enforcement communities.  During his former position within the Defense department, he wrote tcpxtract, a popular tool for extracting files from arbitrary network traffic. 

Mr. Harbour is a former Computer Forensics Examiner for the Department of Defense Computer Forensics Laboratory (DCFL) where he was primarily involved in research and development and highly classified special projects and operations.  During his prosperous four year career at the DCFL Mr. Harbour advanced the field of computer forensics by developing dcfldd, the popular imaging tool which revolutionized the way digital media is acquired, and fatback, a sophisticated file recovery tool and the only of its kind to run under the Linux/Unix environment.

Mr. Harbour is a RedHat Certified Engineer and is also a member of the Association of Computing Machinery and the MENSA organization.

registration button

Ends May 1

Ends July 1

Ends July 31

Begins August 1

$2000 USD

$2200 USD

$2400 USD

$2700 USD
1997-2009 Black Hat ™