Welcome to Malware Analysis for Hedgehogs. Today I want to give you a review of this book here: Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware. This book is from 2020, so it's fairly new, and we had three junior analysts starting this year at work and all of them said it's a good book, so I thought I want to check this out. Well, that is my opinion on it.

Let's start with the things I liked about the book. Firstly, this is a pretty comprehensive book: there are a lot of topics covered that others don't cover, especially malware family identification and malware detection engineering, so writing signatures for detecting malware. These are very common tasks for malware analysts, but when it comes to books that describe how to start as a malware analyst, mostly they only concentrate on the reverse engineering part and not on these quite specific tasks that are very common and necessary to know, so this is something I really appreciate here. Furthermore, the book is very good at explaining things in an easy way, so they are easy to understand even if it's a difficult topic. They do not shy away from the topic of rootkits, for instance, which usually requires a lot of knowledge about Windows internals to understand.

Now, I have this knowledge, so I'm not sure how hard those parts are to understand, but from my perspective this is still the easiest way to explain it: going into that kind of detail is the easiest way. I also like, for instance, the exploit kit flow or the process injection descriptions; that's really good. Most of the time these are topics that are just glanced over and no one goes into detail, but especially the process injection stuff is something that you need, and I think it's a good choice to go into detail on the techniques that exist. They also try to predict what the common questions of beginners are, and generally the style is, you need to imagine this like someone is sitting in front of you, a colleague for instance, and just trying off the top of their head to explain to you how it works in easy language. And that would also be the biggest drawback, actually.

Like I said, you can imagine the style as a friend sitting at a bar trying to explain to you how malware analysis works, and the same is also true when it comes to accuracy in the definitions of terms and to consistency. Now imagine this friend is trying to explain to you what packers are and how they work. They will say, yeah, the packer, that's the decryption stuff, the part of the packed program that will decrypt the payload. Ten minutes later he will say, yeah, the packer, that's a program that compresses other programs, and then you might already get a little bit confused, because ten minutes earlier he said something different. And then he says, yeah, a packer is actually a program that takes a PE file and outputs another PE file that is then different, and that way it goes on and on.

So first you have inconsistencies, which might just stem from the fact that there are two different authors who have written the book, but this should have been noticed in the review process, and this is really not good. And the other thing is individual sentences that are not true in the way they are written; they are just examples of what packers do. When you say a packer is a program that compresses other programs, it is wrong. "There are packers that compress other programs" would be true. The same is with the PE file example: packers take a PE file and then output another PE file. Well, some packers do, some packers don't. None of those are actual explanations of what a packer is. That is really a bummer, because this can make learning a bit confusing: if you take those definitions seriously, then you just get confused later on when there is a different explanation, or when things do not add up.

The second disadvantage I want to mention is one that a lot of books don't do well, so this is not just this one. They have a chapter on setting up your analysis lab, but this is not enough to stay safe during analysis. While they explain to you, yeah, you need to isolate your network, they do not really say how to practically do this when you are trying to build your malware lab at home. If it's at a company, you usually don't need to know that, because other people will do that for you; if you get to work in a malware analysis company they will tell you, hey, this is the network to use for malware analysis, so there's no work for you to set this up. So generally they explain the dangers of worm infections that can happen through the network, but they do not explain how to avoid infection when transporting your sample from the host to the VM, and how to avoid infections of shared folders and connected devices. This is just not part of the topic, and at the same time they provide exercises where you deal with ransomware. So if you are naive, like if you start out as a beginner and are naive in the sense that you just don't know how to properly secure everything, you might just set up your malware lab VM like it's described in the book, and later on, oh yeah, there's the ransomware, there's GandCrab, where you need to identify the family, and you will execute this in your analysis lab, and then: oh, my backup disk is now encrypted because it was connected via USB to the VM. So this is not so good.

Another thing that I would rather call a missed opportunity by the authors is to use more current tools and operating systems in their book. For instance, the malware lab that they set up is Windows 7 and 32-bit only. I mean, why? A lot of malware nowadays is 64-bit, so why do you limit the lab to this setup? I think it might have to do with the rootkit samples that are used later, because rootkits are usually heavily dependent on the operating system version, but still, 32-bit only. It recommends OllyDbg and PEiD; those tools are outdated now, and I would not include them in any modern analysis book. So in that regard this book does not have an advantage over older books which use the same tools. If you consider buying, let's say, Practical Malware Analysis by Honig and Sikorski versus this one, I think in that regard there's no advantage; this book here is not more current.

Now some general remarks about the book. This is a pretty heavy book, so it's not the best book for traveling, but then of course they pack a lot of information in there, as there are a lot of topics that other books do not cover and a lot of details. So this is generally neither a bad nor a good thing; it depends what you want. But if you compare this to books of similar size, let's compare with Windows Internals Part 1, which has like 780 pages, while this one has 900 pages. It took me three weeks to read Malware Analysis and Detection Engineering (I did not do any of the exercises), and it took me several months, more than a year actually, to read the Windows Internals one. The reason is that the font in this book is rather big, and there are a lot of screenshots, a lot of images, which is very good for comprehension, for easy understanding, but still it's less text than you might expect. The titles are relatively big too, and also something that you will see a lot is that half of the page is just empty because they wanted to place the screenshot at a certain location in the text. This happens quite often, and it means that you actually have less text than you might get from other books of that size.

Furthermore, there is no real separation of theoretical information and practical stuff. This is a decision that the authors made; they said if you just put all of the exercises at the end of a chapter no one will do them, which is probably true, but it also means that, depending on how you read books and how you work through books, this can be a disadvantage or an advantage. I personally do not like to read while the computer is right in front of me, because I get distracted by stuff on the computer, but with this book, if you want to actually work through it, you would rather have to sit in front of your computer while reading it, so you can do the stuff that they tell you; it's not really separated. If you do not like to do practical stuff at all, then you can just read it; it will show you the outputs of the programs. It's not recommended though: if you really want to learn something, do the stuff that is written there, because you won't remember it otherwise.

A different example of that would be Practical Malware Analysis by Honig and Sikorski. They have exercises at the end of the chapter, if I remember that correctly, separate from the theoretical stuff, and that would be more like: okay, when I have time to sit at my computer I can do these exercises and find them immediately, and when I want to read I just read. So it depends on your style and how you want to work.

To sum this up: would I recommend this book? I would say that depends on what you want to do with it and what kind of learning type you are. If you prefer books that are more casual in their style, and if you don't need exact definitions, that's perfectly fine; or if you have additional books that you use for those definitions, then this is perfectly fine. If you need some resources for, let's say, a thesis, a master thesis topic, or a project where you want to cite definitions, do not use this book; this will just get you in trouble, because they don't have proper definitions. In general I would say, keep in mind this also has some very distinct advantages, which are certain topics that are covered that you do not find in other books right now, to my knowledge, like the detection engineering part and the malware family identification part, so this is a good reason to buy this one. So yeah, let me know what you think of this book, or if you like this kind of book review, let me know if you want a review of a different book; you can make suggestions below, and see you next time.