OS X Malware Analysis Crash Course

FLARE Team of Mandiant, A FireEye Company | July 22-23 & July 24-25


Most malware analysts and incident responders aren't able to dissect OS X malware, and with the use of Apple Macintosh computers growing across the enterprise, they need to be prepared to deal with current and future threats. With that corporate increase comes an increase in attacks. Will you be prepared to analyze malware and threats targeting OS X when they come your way?

This Crash Course rapidly introduces the tools and methodologies necessary to get you analyzing malware that targets the OS X platform. We use a practical, hands-on approach to quickly adapt your current malware analysis skills for OS X.

During the course, you will learn everything you need to know about OS X to analyze malware successfully. You will become skilled with OS X-specific static and dynamic analysis tools and techniques to quickly tease out host and network-based indicators. After learning the basics, students will learn how to analyze compiled Objective-C code and Cocoa applications using IDA Pro. Students will learn how to use the lldb debugger to aid in dynamic analysis. This course is filled with demonstrations and hands-on labs with real malware where the students immediately practice what they have been taught.

Modules Included:

  • Introduction to OS X – learn OS X internals relevant to malware analysis.
  • Safe Environment – learn how to create a safe malware analysis environment in OS X.
  • Basic Static Analysis – tools and methodologies used to perform basic analysis and extract host and network-based indicators from malware without running it.
  • Basic Dynamic Analysis – tools and methodologies used to analyze malware behavior by executing it in a safe environment.
  • Advanced Static Analysis – learn disassembly techniques specific to Objective-C executables.
  • Advanced Dynamic Analysis – learn malware debugging in the OS X environment and how it can be used to monitor and change its behavior at run time.

Who Should Take this Course

Malware analysts, incident responders, intel analysts, information security staff, forensic investigators, or others requiring an understanding of how OS X-specific malware works and the steps and processes involved in performing malware analysis of OS X-specific threats.

Student Requirements

Training or experience in Windows malware analysis, familiarity with object-oriented programming, the x86 architecture, IDA Pro, and Unix-like operating systems is required. This class is built assuming the student is comfortable with these topics, which are used heavily throughout the course; it does not teach things like object-oriented programming basics, the x86 architecture and reverse engineering basics, the Unix shell, IDA Pro, or basic malware topics.

What Students Should Bring

Students must bring their own MacBook with VMware Fusion 7+ installed. Laptops should have at least 30GB of free space.

A currently licensed copy of a fully-updated IDA Pro that supports the x86_64 architecture is required. It can be for any OS, as long as it is accessible on the MacBook.

What Students Will Be Provided With

  • A student manual
  • Class handouts
  • FireEye/Mandiant gear


Tom Bennett is a seasoned malware analyst with over 10 years of experience in malware analysis, working to improve technologies used to detect threats on the network and host levels. Mr. Bennett is currently employed as a Staff Reverse Engineer with FireEye, analyzing malware used in targeted attacks to aid in incident response and threat intelligence gathering.

Tyler Dean is a reverse engineer on FireEye's FLARE team. He enjoys analyzing obfuscated malware samples, debugger scripting, and building tools for malware analysis. Prior to the FLARE team, Tyler worked for two U.S. government research labs performing forensics and malware reverse engineering. Tyler received a master's degree from Carnegie Mellon University in Information Security.

William Ballenthin is a reverse engineer on FireEye's FLARE team. He enjoys researching novel investigative techniques for incident responders. Recently, William has researched function similarity metrics, implemented file system drivers, and reverse engineered Android malware. Prior to seven years at Mandiant & FireEye, he graduated from Columbia University with a degree in Computer Science.