This chapter introduces Windows-based file profiling analysis through an incident response scenario. During the course of responding to or investigating an incident, a suspicious file may be encountered on a system within a targeted network, or be clearly linked to receipt by a network user via email, instant messaging, or other means of online communication or file transfer. Such a file may be fairly characterized as of unknown origin, unfamiliar, or seemingly familiar but located in an unusual place on the system. After extracting the suspicious file from the system, determining its purpose and functionality is often a good starting place. This process is called file profiling. The file profiling process entails an initial or cursory static analysis of the suspect code. Static analysis is the process of analyzing executable binary code without actually executing the file. Dynamic or behavioral analysis involves executing the code and monitoring its behavior, including its interaction with and effect on the host system. These are the two approaches to code analysis that most digital investigators implement.