You do not want to analyze malware on the device where your personal files and data are stored. For this reason, you need an isolated device for malware analysis.
You can install a virtual operating system inside your own device using virtualization software. In this way, you can create your isolated system without needing to purchase a physical device.
There are several virtualization environments that you can use, some paid and some free. The most popular are VMware Workstation by VMware and VirtualBox by Oracle. Either of them will meet your needs for analyzing malware.
Using virtualization software does have some disadvantages, however.
We will use the VMware Workstation product in this tutorial; some features may differ in other products.
You should make the virtual operating system suitable for malware analysis; otherwise the malware can infect other devices on the same network.
To prevent the malware we will analyze from infecting other devices on the network, we must change the network settings of the virtual machine in the virtualization software. Open the "Network" section of the virtual machine's settings and select the "Custom" option there.
Choosing the "Custom" option restricts the network access of our virtual operating system, so the malware we run cannot spread to other devices on the network.
We need to disable anti-virus software so that it does not interfere with our analysis by blocking or removing the malware we want to analyze.
Malware may exploit various vulnerabilities. During dynamic analysis, we must prevent our virtual operating system from receiving security updates so that the malware can successfully exploit such vulnerabilities and continue to run. For this reason, we must disable the automatic update option of the operating system.
By default, the Windows operating system hides the extensions of known file types. We need to disable this feature in order to see the exact name of the file we want to analyze.
Hidden files are also not displayed by default in the Windows operating system, and malware takes advantage of this to make itself harder to find. In order to see exactly what is happening in the file system, we need to disable this feature as well.
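The guest-side preparation steps above (checking network isolation, disabling anti-virus, disabling automatic updates, and showing file extensions and hidden files) can be applied and verified from an elevated PowerShell prompt inside the Windows virtual machine. The script below is an added example written for this page; it is not part of the original tutorial. The LAN address used for the isolation check is an assumed placeholder, and the script is meant to run only inside the analysis VM, never on the host.

```powershell
# Added example (not from the original tutorial). Run as Administrator INSIDE the analysis VM.
# Assumption: 192.168.1.1 stands in for a device on the host's real LAN that the guest must NOT reach.
$LanProbe = '192.168.1.1'

function Test-GuestIsolation {
    # A "Custom"/host-only adapter normally has no default gateway and cannot ping the LAN.
    $gateway = (Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway }).IPv4DefaultGateway
    $reachable = Test-Connection -ComputerName $LanProbe -Count 1 -Quiet -ErrorAction SilentlyContinue
    if ($gateway) { Write-Warning "Default gateway present ($($gateway.NextHop)): the guest may reach the LAN." }
    if ($reachable) { Write-Warning "$LanProbe answered: the guest is NOT isolated. Fix the VM network setting first." }
    return (-not $gateway -and -not $reachable)
}

function Disable-GuestAntivirus {
    # Microsoft Defender real-time scanning would quarantine the sample before we can run it.
    # Tamper Protection (Windows Security settings) must be turned off first, or this call is ignored.
    Set-MpPreference -DisableRealtimeMonitoring $true
    Set-MpPreference -DisableBehaviorMonitoring $true
}

function Disable-GuestUpdates {
    # Stop the Windows Update service and keep it from starting again.
    Stop-Service -Name wuauserv -Force -ErrorAction SilentlyContinue
    Set-Service  -Name wuauserv -StartupType Disabled
    # Policy value that tells Windows Update not to update automatically.
    $au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    New-Item -Path $au -Force | Out-Null
    Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 1 -Type DWord
}

function Show-ExtensionsAndHiddenFiles {
    # Explorer view settings live under the current user's Advanced key.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $adv -Name HideFileExt     -Value 0   # 0 = show extensions of known types
    Set-ItemProperty -Path $adv -Name Hidden          -Value 1   # 1 = show hidden files and folders
    Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1   # 1 = also show protected OS files
    # Explorer reads these values at start; restart it so the change is visible immediately.
    Stop-Process -Name explorer -Force
}

if (Test-GuestIsolation) {
    Disable-GuestAntivirus
    Disable-GuestUpdates
    Show-ExtensionsAndHiddenFiles
    Write-Host 'Guest prepared for analysis. Take a snapshot now.'
} else {
    Write-Host 'Network isolation check failed; not changing anything until it passes.'
}
```

The isolation check runs first on purpose: if the guest can still reach the LAN, disabling the anti-virus and updates only makes a poorly isolated machine more dangerous, so the script refuses to continue until the network setting is fixed.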
When we run malicious software, it makes various changes to the system. If you do not revert the operating system to its original state, you may confuse the traces left by the malware you ran earlier with the behaviour of the new malware you are analyzing.
It would be very tedious to install a new virtual operating system every time we want to analyze malware. The Snapshot feature of the virtualization software makes this much easier.
When you take a snapshot of your virtual machine through the virtualization environment, it saves the current state of the machine. You can later return to this snapshot and restore the machine to that state.
After installing the necessary tools for malware analysis, take a snapshot; after analyzing a sample, return to this snapshot to bring the operating system back to its original state.
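The snapshot workflow just described can also be driven from the host with vmrun, the command-line tool shipped with VMware Workstation, which is handy when you analyze many samples in a row. The script below is an added example for this page, not code from the original tutorial or from VMware. The .vmx path and the snapshot name are assumptions; adjust them to your own machine.

```powershell
# Added example (not from the original tutorial). Run on the HOST, where VMware Workstation is installed.
# Assumptions: the analysis VM's configuration file lives at $Vmx, and the clean snapshot is called $Baseline.
$Vmx      = 'C:\VMs\Analysis\Analysis.vmx'
$Baseline = 'clean-baseline'

function New-AnalysisBaseline {
    # Take the baseline once, after the tools are installed and the guest settings are applied.
    & vmrun -T ws snapshot $Vmx $Baseline
}

function Get-AnalysisSnapshots {
    # Lists snapshot names; used to confirm the baseline exists before relying on it.
    & vmrun -T ws listSnapshots $Vmx
}

function Reset-AnalysisVM {
    # Roll the guest back to the clean state so nothing from the previous sample survives.
    $names = Get-AnalysisSnapshots
    if ($names -notcontains $Baseline) {
        throw "Snapshot '$Baseline' not found in $Vmx; create it with New-AnalysisBaseline first."
    }
    & vmrun -T ws revertToSnapshot $Vmx $Baseline
    # If the snapshot was taken while the VM was powered off, it stays off after the revert.
    & vmrun -T ws start $Vmx
}

# Typical use:
#   New-AnalysisBaseline     # once, right after preparing the guest
#   ... run and study the sample inside the VM ...
#   Reset-AnalysisVM         # before every new sample
```

Reverting rather than deleting and recreating the VM is what makes each analysis start from an identical, known-clean state; checking that the baseline snapshot exists before reverting avoids silently continuing on a contaminated guest when the snapshot was never taken.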