Merge pull request #456 from TalebQasem/patch-5

Update malware-analysis.md

forensics/basic-forensic-methodology/malware-analysis.md

@@ -53,12 +53,12 @@ python malware_yara_rules.py
 
 ```bash
 yara -w malware_rules.yar image  #Scan 1 file
-yara -w malware_rules.yar folder #Scan hole fodler
+yara -w malware_rules.yar folder #Scan the whole folder
 ```
 
 ### YaraGen: Check for malware and Create rules
 
-You can use the tool [**YaraGen**](https://github.com/Neo23x0/yarGen) to generate yara rules from a binary. Checkout these tutorials: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
+You can use the tool [**YaraGen**](https://github.com/Neo23x0/yarGen) to generate yara rules from a binary. Check out these tutorials: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
 
 ```bash
  python3 yarGen.py --update
@@ -78,13 +78,13 @@ sudo apt-get install -y clamav
 ```bash
 sudo freshclam      #Update rules
 clamscan filepath   #Scan 1 file
-clamscan folderpath #Scan the hole folder
+clamscan folderpath #Scan the whole folder
 ```
 
 ## IOCs
 
-IOC means Indicator Of Compromise. An IOC is a set of **conditions that identifies** some potentially unwanted software or a confirmed **malware**. Blue Teams use this kind of definitions to **search for this kind of malicious files** in their **systems** and **networks**.\
-To share these definitions is very useful as when a malware is identified in a computer and an IOC for that malware is created, other Blue Teams can use it to identify the malware faster.
+IOC means Indicator Of Compromise. An IOC is a set of **conditions that identify** some potentially unwanted software or confirmed **malware**. Blue Teams use this kind of definition to **search for this kind of malicious files** in their **systems** and **networks**.\
+To share these definitions is very useful as when malware is identified in a computer and an IOC for that malware is created, other Blue Teams can use it to identify the malware faster.
 
 A tool to create or modify IOCs is [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
 You can use tools such as [**Redline**](https://www.fireeye.com/services/freeware/redline.html) to **search for defined IOCs in a device**.
@@ -99,7 +99,7 @@ Detection is based on four detection methods:
    Regex match on full file path/name
 
 2. Yara Rule Check
-   Yara signature match on file data and process memory
+   Yara signature matches on file data and process memory
 
 3. Hash Check
    Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
@@ -110,7 +110,7 @@ Detection is based on four detection methods:
 
 ## Linux Malware Detect
 
-[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources.
+[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and malware community resources.
 
 ## rkhunter
 
@@ -151,15 +151,15 @@ spctl --assess --verbose /Applications/Safari.app
 
 ## File Stacking
 
-If you know that some folder containing the **files** of a web server was **last updated in some date**. **Check** the **date** all the **files** in the **web server were created and modified** and if any date is **suspicious**, check that file.
+If you know that some folder containing the **files** of a web server was **last updated on some date**. **Check** the **date** all the **files** in the **web server were created and modified** and if any date is **suspicious**, check that file.
 
 ## Baselines
 
-If the files of a folder s**houldn't have been modified**, you can calculate the **hash** of the **original files** of the folder and **compare** them with the **current** ones. Anything modified will be **suspicious**.
+If the files of a folder **shouldn't have been modified**, you can calculate the **hash** of the **original files** of the folder and **compare** them with the **current** ones. Anything modified will be **suspicious**.
 
 ## Statistical Analysis
 
-When the information is saved in logs you can **check statistics like how many times each file of a web server was accessed as a webshell might be one of the most**.
+When the information is saved in logs you can **check statistics like how many times each file of a web server was accessed as a web shell might be one of the most**.
 
 
 <details>