Synced from an Obsidian vault


Security Analysis SOPs

This directory contains Standard Operating Procedures (SOPs) for security analysis, reverse engineering, cryptographic analysis, smart-contract audit, cloud forensics, SaaS log forensics, and email & BEC forensics.

Available Analysis SOPs

Purpose

These SOPs provide standardized procedures for:

  • Analyzing malicious software and binaries
  • Reverse engineering applications and protocols
  • Evaluating cryptographic implementations
  • Generating and verifying file hashes for integrity
  • Conducting digital forensics investigations and evidence preservation
  • Auditing smart contracts (vulnerability classes, tooling, formal verification, audit-report structure)
  • Conducting cloud forensics across IaaS control planes (AWS / Azure / GCP), IAM, container runtimes, and cloud volumes
  • Conducting SaaS log forensics across M365 (UAL + Purview), Google Workspace (Reports + Vault), Okta (System Log + ITP), Slack (Audit + Discovery), Salesforce (Setup Audit Trail + Real-Time Event Monitoring), GitHub / GitLab audit, OAuth consent-grant abuse, and cross-tenant collaboration patterns
  • Reconstructing email-vector incidents and Business Email Compromise: header forensics (Received-chain, Authentication-Results), SPF / DKIM / DMARC / ARC evaluation, lookalike-domain and brand-impersonation detection, Microsoft 365 / Workspace message tracing, secure-email-gateway forensics (Mimecast / Proofpoint / Barracuda), phishing-kit defensive analysis (kit acquisition, AiTM detection), wire-recall pathway and Financial Fraud Kill Chain coordination, and BEC scenario taxonomy (CEO fraud, vendor-invoice, payroll-redirect, attorney-impersonation, real-estate / closing-funds, gift-card, cryptocurrency-payout variants)

Common Workflows

Malware Analysis

  1. Malware Analysis - Full analysis workflow
  2. Reverse Engineering - For deeper code analysis
  3. Hash Generation - For sample identification

Binary Analysis

  1. Reverse Engineering - Disassembly and decompilation
  2. Cryptography Analysis - For crypto routines
  3. Hash Generation - For file verification

Incident Response & Forensics

  1. Digital Forensics Investigation - Evidence collection and preservation
  2. Malware Analysis - Analyze malicious artifacts
  3. Reverse Engineering - Deep dive on custom malware
  4. Hash Generation - Evidence integrity verification

Smart Contract Audit

  1. Smart Contract Audit - Audit lifecycle, threat modeling, vulnerability classes, tooling, formal verification, report structure
  2. Cryptography Analysis - For primitive-level review (curve choice, hash construction, ZK-circuit soundness)
  3. Reverse Engineering - For bytecode-only contracts requiring decompilation
  4. Blockchain Investigation - For post-exploit fund tracing once findings move on-chain

Cloud Forensics

  1. Cloud Forensics - IaaS-plane forensics: control-plane log collection, IAM principal-action reconstruction, region-sweep, log-tampering detection, container & k8s runtime artifacts, snapshot preservation, cross-cloud correlation
  2. Digital Forensics Investigation - Parent template; host / disk / memory parsing of snapshot-derived volumes
  3. Hash Generation Methods - Evidence integrity for log exports and snapshot copies
  4. Malware Analysis - For cloud-resident payloads (S3 / Storage / GCS objects, Lambda / Function code, container images)
  5. Cloud Pentesting - Offensive counterpart; the threat model that defensive cloud forensics answers

SaaS Log Forensics

  1. SaaS Log Forensics - SaaS-tenant identity and collaboration plane: M365 UAL + Purview eDiscovery, Workspace Reports API + Vault, Okta System Log + ITP, Slack Audit + Discovery, Salesforce Setup Audit Trail + Real-Time Event Monitoring, GitHub / GitLab audit, OAuth consent-grant abuse, cross-tenant collaboration, retention-cliff and discovery-export discipline
  2. Cloud Forensics - Sibling SOP; IaaS-plane forensics for hybrid incidents that bridge identity events to cloud-resource actions
  3. Digital Forensics Investigation - Parent template; host / disk / memory parsing for exported PST / Workspace Takeout / Slack export / GitHub repo clone artifacts
  4. Collection Log - Chain-of-custody discipline for every audit-log export, eDiscovery package, Vault export, and discovery archive
  5. Malware Analysis - For SaaS-resident payloads (binaries in OneDrive / SharePoint / Drive / Slack / Salesforce Files; OAuth-app code; CI/CD malicious dependencies)

Email & BEC Forensics

  1. Email & BEC Forensics - Scenario-centric Business Email Compromise forensics: email header forensics (Received-chain reconstruction, Authentication-Results parsing), SPF / DKIM / DMARC / ARC mechanics, lookalike-domain and brand-impersonation detection (IDN homograph, typosquatting, dnstwist, CT-log monitoring), M365 Get-MessageTrace and Workspace Email Log Search, secure-email-gateway forensics (Mimecast / Proofpoint / Defender / Barracuda), phishing-kit defensive analysis (kit acquisition, AiTM detection — EvilGinx / Modlishka / Muraena), wire-recall pathway (SWIFT MT103 / Fedwire / SEPA / FedNow recall mechanics, Financial Fraud Kill Chain, FBI IC3 reporting, FinCEN SAR triggers, beneficiary-bank coordination), BEC scenario taxonomy (CEO fraud, vendor-invoice fraud, payroll-redirect, attorney-impersonation, real-estate / closing-funds, gift-card, cryptocurrency-payout variants)
  2. SaaS Log Forensics - Sibling SOP; the OAuth-consent BEC variant lives in #8 per the buildout-plan scope contract — this SOP references the carve-in but does not duplicate it; mailbox-side compromise reconstruction (inbox-rule, mailbox-audit, OAuth token persistence) routes there
  3. Cloud Forensics - Sibling SOP; when BEC-stolen credentials enable cloud-resource action, the email side stays in #9 and the cloud-resource action routes here
  4. Malware Analysis - Parent template; receives hand-off for attachment static / dynamic analysis (Office macro, PDF, ISO, HTA, LNK, OneNote payload, archive) per its §3 / §4 / §6, and for deep RE of recovered phishing kits per §6.4 Script Analysis
  5. Digital Forensics Investigation - Parent template; host / disk / memory parsing of derived artifacts (PST exports, recovered phishing-kit operator endpoints, victim laptops)
  6. Collection Log - Chain-of-custody discipline for every .eml capture, header dump, gateway-log export, and recovered-kit archive
  7. Financial & AML OSINT - Banking-pivot intelligence layer (SAR typology, UBO investigation, structuring patterns); #9 owns wire-recall operations, while the AML intelligence layer routes here
  8. Blockchain Investigation - On-chain trace once cryptocurrency-payout BEC funds are deposited