Orion Incident Response Live CD
The skill level of malware analysts varies widely. Orion tries to accommodate highly skilled analysts while also providing some quick-and-dirty tools and methods for triage. For a junior analyst, we recommend running the analyze-win-malware script mentioned below for a quick initial analysis, followed by submission to one of the automated online analysis tools, such as the stellar CW Sandbox. Experienced team members will then want to use one or more of the installed debugging and unpacking tools discussed below to perform manual analysis.
10.1. Static Analysis
Orion includes a number of static malware analysis tools. Some of these tools run within WINE so that the analyst can work in an environment that is mostly native to the Orion installation. The figure shows McAfee FileInsight running under WINE to analyze a malicious binary. FileInsight is a strong analysis platform because it has a Python-based plugin framework; for example, it ships with a plugin for submitting samples to VirusTotal. Didier Stevens has also written some FileInsight plugins (included in Orion). Future versions of Orion will also include additional custom plugins that are currently in development.
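To make the "quick initial analysis" step concrete, here is a small static-triage helper written for this page. It is an added example, not code from Orion, from the analyze-win-malware script, or from any FileInsight plugin. It hashes a sample, checks whether it carries a valid DOS/PE header, pulls printable ASCII strings, and flags embedded URLs and a handful of commonly reviewed Win32 API names. The function names, the WATCHED_APIS list, and the build_sample() byte string are all assumptions constructed for the example; the sample is a synthetic PE-shaped blob, not a real executable.

```python
import hashlib
import re
import struct

MIN_STRING_LEN = 4
ASCII_STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# API names an analyst typically reviews first during triage (assumed list for this example;
# a real tool would use a far longer, curated set).
WATCHED_APIS = (
    "LoadLibraryA", "GetProcAddress", "CreateRemoteThread",
    "WriteProcessMemory", "URLDownloadToFile", "WinExec",
)


def build_sample() -> bytes:
    """Constructed sample: a minimal PE-shaped byte string (not a real executable).

    The DOS header begins with "MZ"; the 32-bit field at offset 0x3C (e_lfanew)
    points at the "PE\\0\\0" signature, which we place at offset 0x40.
    """
    header = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40 bytes of DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)      # e_lfanew = 0x40
    body = (
        b"PE\x00\x00" + b"\x00" * 20                # PE signature + padding standing in for the COFF header
        + b"kernel32.dll\x00LoadLibraryA\x00"       # import-like strings
        + b"http://example.invalid/update\x00"      # embedded URL (reserved .invalid TLD)
        + b"\x01\x02\x03ab\x00"                     # short junk that must not count as a string
    )
    return bytes(header) + body


def hashes(data: bytes) -> dict:
    """Digests an analyst records before submitting the sample anywhere."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_pe(data: bytes) -> bool:
    """True if the blob has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Slicing tolerates an out-of-range e_lfanew: the comparison simply fails.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_strings(data: bytes) -> list:
    """Printable ASCII runs of at least MIN_STRING_LEN characters, in file order."""
    return [m.group().decode("ascii") for m in ASCII_STRING_RE.finditer(data)]


def triage(data: bytes) -> dict:
    """Static triage summary: hashes, PE check, strings, URLs and watched API names."""
    strings = extract_strings(data)
    urls = [u for s in strings for u in URL_RE.findall(s)]
    apis = sorted({api for api in WATCHED_APIS if any(api in s for s in strings)})
    report = {"size": len(data), "is_pe": is_pe(data), "strings": strings, "urls": urls, "apis": apis}
    report.update(hashes(data))
    return report


if __name__ == "__main__":
    result = triage(build_sample())
    for key in ("size", "md5", "sha256", "is_pe", "urls", "apis"):
        print(f"{key:>8}: {result[key]}")
    print(" strings:", result["strings"])
```

Run it as-is to see the report for the synthetic sample, or call `triage(open(path, "rb").read())` on a real file. The PE check deliberately looks at the e_lfanew pointer rather than trusting the "MZ" prefix alone, since many non-PE files (and truncated downloads) start with those two bytes; strings and URLs are the quickest hints about what to search for in the sandbox report that follows.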