NIST 800-53 REV 5 • INCIDENT RESPONSE

IR-4(12) Malicious Code and Forensic Analysis

Analyze malicious code and/or other residual artifacts remaining in the system after the incident.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

When conducted carefully in an isolated environment, analysis of malicious code and other residual artifacts of a security incident or breach can give the organization insight into adversary tactics, techniques, and procedures. It can also indicate the identity or some defining characteristics of the adversary. In addition, malicious code analysis can help the organization develop responses to future incidents.

Practitioner Notes

After an incident is contained, you need to analyze any malicious code or artifacts left behind. This helps you understand what happened, confirm eradication is complete, and improve your defenses.

Example 1: Submit suspicious files to a malware sandbox such as Any.Run, Joe Sandbox, or VirusTotal for automated analysis. Review the behavioral report to understand what the malware does: does it establish persistence, phone home to a C2 server, or exfiltrate data? Keep in mind that samples uploaded to public services become visible to other subscribers, so files that may contain organizational data belong in an isolated, in-house sandbox instead.

Example 2: Use tools like Volatility for memory forensics or Autopsy/FTK for disk forensics to examine compromised systems. Look for indicators of compromise (IOCs) like registry modifications, scheduled tasks, or rogue services. Feed discovered IOCs back into your SIEM detection rules.
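Closing the loop from analysis to detection, as an added example that is not part of the original notes or any vendor's tool: a Python script that pulls persistence and C2 indicators out of a sandbox behavioral report and emits a Sigma rule body for the Run-key persistence it found. The report schema, hostnames, file paths, and task name are all constructed for the example; a real sandbox's JSON layout would need its own parsing.

```python
import re

# Constructed sandbox behavioral report; real sandboxes emit their own JSON schema.
SAMPLE_REPORT = {
    "registry": [{"op": "set", "value": r"C:\Users\Public\svchost32.exe",
                  "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
                 {"op": "query", "value": "", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"}],
    "processes": [{"cmdline": r'schtasks.exe /create /tn "Updater" /tr C:\Users\Public\svchost32.exe /sc minute'},
                  {"cmdline": "cmd.exe /c whoami"}],
    "network": [{"dst": "c2.example.invalid", "port": 443},
                {"dst": "ctldl.windowsupdate.com", "port": 80}],
}
# Hosts every sandbox run touches regardless of sample (constructed allow-list).
BENIGN_HOSTS = {"ctldl.windowsupdate.com"}


def extract_iocs(report):
    """Group persistence and C2 artifacts from the report by indicator type."""
    iocs = {"run_keys": [], "dropped_paths": [], "scheduled_tasks": [], "c2_hosts": []}
    for ev in report["registry"]:
        # A value written under a Run key is autostart persistence.
        if ev["op"] == "set" and "\\CurrentVersion\\Run\\" in ev["key"]:
            iocs["run_keys"].append(ev["key"])
            iocs["dropped_paths"].append(ev["value"])
    for proc in report["processes"]:
        # schtasks /create with a task name is scheduled-task persistence.
        task = re.search(r'/create\b.*?/tn\s+"?([^"\s]+)"?', proc["cmdline"], re.IGNORECASE)
        if proc["cmdline"].lower().startswith("schtasks") and task:
            iocs["scheduled_tasks"].append(task.group(1))
    for conn in report["network"]:
        # Any destination not on the allow-list is a candidate C2 host.
        if conn["dst"] not in BENIGN_HOSTS:
            iocs["c2_hosts"].append(conn["dst"])
    return iocs


def build_sigma_rule(iocs):
    """Express the Run-key IOCs as a Sigma rule body (dict ready for yaml.safe_dump)."""
    # Drop the hive prefix so the rule matches HKCU and HKU\<SID> paths alike.
    suffixes = ["\\CurrentVersion" + k.split("\\CurrentVersion", 1)[1] for k in iocs["run_keys"]]
    return {
        "title": "Autostart persistence from analyzed sample",
        "logsource": {"product": "windows", "category": "registry_set"},
        "detection": {"selection": {"TargetObject|endswith": suffixes, "Details": iocs["dropped_paths"]},
                      "condition": "selection"},
        "level": "high",
    }
```

The scheduled-task name and C2 host lists are returned alongside the rule so they can be loaded into the SIEM as separate indicator lists rather than folded into one rule.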