Lab notebook
In-depth analyses of malware samples, technique deep-dives, and lab notes from the field. Long-form, technical, no fluff.
148 articles across all categories — page 5 of 17
Fundamental or applied? Qualitative or quantitative? Experimental or merely observational? Most studies sit on all three scales at once -- and confusing observational data with an experiment is one of the most common mistakes in security research.
Three approaches dominate this field -- empirical, theoretical, and applied engineering. Marcus Hutchins' discovery of the WannaCry kill switch shows what applied research looks like when it happens in real time, with the world watching.
Seven stages, four standing criteria, and why the WannaCry attribution to North Korea was not accepted the day the first report came out -- it took several independent labs reaching the same conclusion before anyone called it settled.
"IoT security" is a topic. It is not a research problem. The Mirai botnet shows what reframing a question actually looks like -- and how splitting a big question into two or three sub-problems turns a news story into something you can actually answer.
A study with no stated boundary is one whose claims cannot be checked by anybody -- including the person who ran it. Scope and limitations are how research states, honestly, what it does and does not prove.
Chain of custody documents the complete history of evidence — who collected it, how it was stored, and who had access. In cloud forensics, where evidence is API-sourced and inherently mutable, maintaining an unbroken chain requires specific technical and procedural controls.
Cloud-scale forensics requires tools capable of querying billions of log events in minutes. Amazon Athena, Splunk, and OpenSearch each provide this capability with different trade-offs. This article covers practical query patterns for forensic investigation.
Volatile data — running processes, network connections, memory contents, and instance metadata — disappears when an EC2 instance is terminated. Cloud forensics must capture this evidence before auto-scaling or incident remediation destroys it.
Cloud infrastructure is both a target for malware and an ideal platform for malware analysis. This article covers cloud-hosted malware sandbox architectures, static and dynamic analysis of cloud-delivered malware, and detecting malware in container images and Lambda packages.