Incident Response Tips

Linux Memory Forensics Part 2 - How to Detect Malicious Artifacts on Linux?

Author: Daniel Lubel, Senior Purple Team Researcher

 

In order to test some of our memory forensics capabilities, we have infected a Linux system with a rootkit that can be found here - https://github.com/f0rb1dd3n/Reptile

Following on from the previous post, we describe methods for detecting malicious artifacts in a Linux memory dump using the tool Volatility.

Let's get started! 

Some networking:

python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_netstat

python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_netscan

Note: the difference between the plugins with "scan" in their names and their counterparts (netstat vs. netscan, for example) is that the scan variant carves memory for the data structure itself instead of walking the kernel's linked list, so it can also find entries that have been unlinked from the list, but it takes longer. As you can see in this example, netscan found:

Some processes:

python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_pslist
python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_psxview
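The value of linux_psxview is the cross-view: a process that the task list walk (the pslist column) misses but that the pid hash, the kmem_cache slab, the parent links or the thread-group leader still reference is exactly what a DKOM-style rootkit leaves behind. The script below is an added example, not code from the post or from Volatility; it parses the psxview table and flags such rows. The column layout is assumed to match Volatility 2 psxview output, and the sample rows are constructed for the demonstration.

```python
"""Cross-view check on Volatility 2 linux_psxview output.

Added example (not from the original post): flags processes that at least
one enumeration source sees but the task list walk (pslist) does not.
"""

# Constructed sample laid out like Volatility 2 linux_psxview output.
# Offsets, names and PIDs are made up; 'bash' 1337 is the planted hidden row.
SAMPLE_PSXVIEW = """\
Offset(V)          Name                    PID pslist pid_hash kmem_cache parents leader
------------------ -------------------- ------ ------ -------- ---------- ------- ------
0xffff880036f18000 init                      1 True   True     True       True    True
0xffff880036f19800 kthreadd                  2 True   True     True       True    True
0xffff88003a4e0000 sshd                   1022 True   True     True       True    True
0xffff88003a4e3000 bash                   1337 False  True     True       False   True
0xffff88003a4e6000 cron                   1401 True   True     True       True    True
"""

# The five enumeration sources, in the column order psxview prints them.
SOURCES = ("pslist", "pid_hash", "kmem_cache", "parents", "leader")


def parse_psxview(text):
    """Return one dict per process row: offset, name, pid and the five booleans."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, the dashed separator and blank lines.
        if len(fields) < 8 or not fields[0].startswith("0x"):
            continue
        flags = fields[-5:]
        rows.append({
            "offset": fields[0],
            "name": " ".join(fields[1:-6]),   # tolerate names containing spaces
            "pid": int(fields[-6]),
            **{src: flag == "True" for src, flag in zip(SOURCES, flags)},
        })
    return rows


def hidden_processes(rows):
    """Processes missing from pslist but present in at least one other view."""
    return [r for r in rows
            if not r["pslist"] and any(r[s] for s in SOURCES[1:])]


def report(text):
    """Print and return the rows that deserve a closer look."""
    findings = hidden_processes(parse_psxview(text))
    for r in findings:
        seen_by = [s for s in SOURCES[1:] if r[s]]
        print(f"pid {r['pid']} ({r['name']}) at {r['offset']} is absent from "
              f"pslist but seen by: {', '.join(seen_by)}")
    return findings


if __name__ == "__main__":
    report(SAMPLE_PSXVIEW)
```

Feed it the saved plugin output (`python vol.py ... linux_psxview > psxview.txt`, then `report(open("psxview.txt").read())`). A row that is False everywhere except pslist is usually a just-exited task, so the check deliberately keys on pslist being False while another view is True.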

Some bash history:

python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_bash

Loaded kernel modules:

python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_lsmod -P

Here is the LiME module we used to dump the memory for this investigation.

Hidden kernel modules:

python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_hidden_modules
python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_check_modules
The check_modules plugin finds rootkits that unlink themselves from the kernel's module list while still being registered in the sysfs pseudo-filesystem. Here is our elusive LKM rootkit.
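Both the netstat/netscan note above and the check_modules plugin rest on one idea: compare what the kernel's linked list says against a second view (a structure scan of memory, or the sysfs module directory) and look at whatever only the second view reports. The script below is an added example, not code from the post or from Volatility, that performs that comparison for both cases. The 'address name size' line layout is assumed to resemble linux_lsmod output, and every module name, address, size and socket record in it is constructed.

```python
"""Cross-view check: what a scan or a second source finds that the list walk does not.

Added example (not from the original post). The same comparison underlies the
netstat/netscan difference and the linux_check_modules plugin (module list vs.
sysfs): anything a second view reports that the kernel's list lacks is suspect.
"""
import re
from collections import OrderedDict

# Constructed samples. The line layout ('address name size') is assumed to
# resemble linux_lsmod output; names, addresses and sizes are made up.
SAMPLE_LSMOD = """\
ffffffffa0065000 lime 13091
ffffffffa0041000 nf_conntrack 106245
ffffffffa0020000 e1000 137586
"""
# The same machine seen through a walk of the sysfs module directory, where
# the unlinked LKM (constructed name 'hidden_lkm') is still registered.
SAMPLE_SYSFS_MODULES = """\
ffffffffa0065000 lime 13091
ffffffffa0041000 nf_conntrack 106245
ffffffffa0090000 hidden_lkm 65536
ffffffffa0020000 e1000 137586
"""

# Constructed socket records as (proto, local, remote, state): the list-walk
# view (netstat) and the carved view (netscan) differ by one connection.
NETSTAT_SOCKETS = [
    ("TCP", "0.0.0.0:22", "0.0.0.0:0", "LISTEN"),
    ("TCP", "10.0.0.5:22", "10.0.0.9:51234", "ESTABLISHED"),
]
NETSCAN_SOCKETS = NETSTAT_SOCKETS + [
    ("TCP", "10.0.0.5:8443", "10.0.0.9:60100", "ESTABLISHED"),
]

# Hex address (with or without 0x), module name, decimal size.
MODULE_LINE = re.compile(r"^\s*(?:0x)?[0-9a-fA-F]{8,16}\s+(\S+)\s+\d+\s*$")


def scan_only(list_walk, scan):
    """Records in `scan` that `list_walk` lacks; scan order kept, duplicates dropped."""
    known = set(list_walk)
    return list(OrderedDict.fromkeys(r for r in scan if r not in known))


def parse_module_names(text):
    """Module-name column of 'address name size' lines; other lines are ignored."""
    return [m.group(1) for m in map(MODULE_LINE.match, text.splitlines()) if m]


def hidden_modules(lsmod_text, sysfs_text):
    """Modules registered in sysfs but missing from the module list (check_modules' logic)."""
    return scan_only(parse_module_names(lsmod_text), parse_module_names(sysfs_text))


def report():
    """Run both comparisons over the constructed samples and return the findings."""
    mods = hidden_modules(SAMPLE_LSMOD, SAMPLE_SYSFS_MODULES)
    socks = scan_only(NETSTAT_SOCKETS, NETSCAN_SOCKETS)
    for name in mods:
        print(f"module in sysfs but not in the module list: {name}")
    for sock in socks:
        print(f"socket found only by scanning: {sock}")
    return mods, socks


if __name__ == "__main__":
    report()
```

The reverse difference (entries in the list walk that the scan misses) is not a finding: a scan can miss structures whose pages were paged out or overwritten, so only the scan-only direction is reported.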

python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_check_syscall > ~/Desktop/Mem_forensics/syscall
grep HOOKED ~/Desktop/Mem_forensics/syscall

This plugin prints the system call tables and marks entries whose target is not a known kernel function as HOOKED, which the grep above pulls out.
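Grepping for HOOKED answers whether the syscall table was tampered with; keeping the table, index and target address answers which calls were hooked and whether the hooks point into the same memory region as a suspect module. The script below is an added example, not code from the post or from Volatility; it parses check_syscall output into records and names the hooked 64-bit entries. The column layout is assumed to match Volatility 2 linux_check_syscall output, the sample rows and addresses are constructed, and the small syscall-number table covers only a handful of stable x86-64 numbers.

```python
"""Parse Volatility 2 linux_check_syscall output and report hooked entries.

Added example (not from the original post). It does what the post's
'grep HOOKED' does, but keeps table, index and address so hooks can be
named and matched against a module's address range.
"""
import re

# Constructed sample in the layout of linux_check_syscall output. Addresses
# are made up; the 0xffffffffa009xxxx targets sit where a loaded LKM would.
SAMPLE_CHECK_SYSCALL = """\
Table Name      Index Address            Symbol
--------------- ----- ------------------ ------
64bit             0x0 0xffffffff811d9a30 sys_read
64bit             0x1 0xffffffff811d9b10 sys_write
64bit             0x2 0xffffffffa0093120 HOOKED
64bit            0x3e 0xffffffff81071c00 sys_kill
64bit           0x101 0xffffffffa0093400 HOOKED: hidden_lkm
32bit             0x5 0xffffffff811d9c00 sys_open
"""

# A few x86-64 syscall numbers (stable in the upstream kernel) used to name hooks.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 62: "kill", 257: "openat"}

# table, hex index, hex address, rest of line (symbol or HOOKED marker)
ROW = re.compile(r"^(\S+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.*?)\s*$")


def parse_check_syscall(text):
    """Return one dict per table row; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        table, index, address, symbol = m.groups()
        rows.append({"table": table, "index": int(index, 16),
                     "address": int(address, 16), "symbol": symbol})
    return rows


def hooked_entries(rows):
    """Rows the plugin flagged, whether as plain 'HOOKED' or 'HOOKED: <module>'."""
    return [r for r in rows if r["symbol"].startswith("HOOKED")]


def name_syscall(row):
    """Human-readable name for a 64-bit entry; other tables keep their number."""
    if row["table"] == "64bit":
        return X86_64_SYSCALLS.get(row["index"], f"nr_{row['index']}")
    return f"{row['table']}_nr_{row['index']}"


def hooks_in_range(hooks, start, end):
    """Hooks whose target lies in [start, end), e.g. a dumped module's address span."""
    return [h for h in hooks if start <= h["address"] < end]


def report(text):
    """Print and return the hooked entries found in the plugin output."""
    hooks = hooked_entries(parse_check_syscall(text))
    for h in hooks:
        print(f"{h['table']} syscall {name_syscall(h)} -> "
              f"{h['address']:#x} ({h['symbol']})")
    return hooks


if __name__ == "__main__":
    report(SAMPLE_CHECK_SYSCALL)
```

Once linux_moddump has written the suspect module out, the load address and size reported for it give the `start`/`end` for `hooks_in_range`; hooks landing inside that span tie the table tampering to the module.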

System Errors:

python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_dmesg

Files at the filesystem:

python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_enumerate_files

More advanced searches look for specific data that may reveal something about the system.

Yara scanning:

python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_yarascan -Y "reptile" > ~/Desktop/Mem_forensics/yarascan_reptile.result

After finding suspicious evidence, we may want to dump it to disk for further analysis:

Dumping data:

Single process dump:

sudo python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_dump_map -p <pid> -s <start address> -O <output file>
LKM module dump (takes a long time), for further analysis and reverse engineering of the LKM:

sudo python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_moddump -D ~/Desktop/Mem_forensics/Modules/

 

You can find other Volatility plugins for Linux at https://github.com/volatilityfoundation/volatility/wiki/Linux-Command-Reference
