Author: Daniel Lubel, Senior Purple Team Researcher
In order to test some of our memory forensics capabilities, we infected a Linux system with the Reptile rootkit, an LKM rootkit that can be found here - https://github.com/f0rb1dd3n/Reptile
Following on from the previous post, we describe how to detect malicious artifacts in a Linux memory dump using Volatility (version 2, with its linux_* plugins and a kernel profile built for the target).
Let's get started!
Some networking:
python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_netstat
python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_netscan
Notice: The difference between plugins with scan in their names and their list-walking counterparts (netscan vs netstat, psscan vs pslist) is that the scan plugins carve memory for the data structure itself instead of following the kernel's linked lists. They can therefore recover entries that a rootkit unlinked from the lists (and also stale entries that were simply freed), at the cost of a much longer run time. As you can see in this example, netscan found:
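The practical use of the netstat/netscan pair is a cross-view check: netstat walks each task's open files, so a socket belonging to a process that was unlinked from the task list never shows up there, while netscan carves the socket structures out of memory and still sees it. The script below is an added example and not part of the original post; it normalises both outputs to a proto/local/remote key and prints the sockets only the scan found. The sample outputs embedded in the demo function are constructed to approximate Volatility 2's text output (including the padded ":" in linux_netstat), so adjust the field handling if your version prints differently.

```shell
#!/bin/sh
# Added example: cross-view check between linux_netstat (fd-table walk) and
# linux_netscan (carved sock structures). Sample plugin output is constructed.
LC_ALL=C
export LC_ALL

# Normalise linux_netstat lines to "PROTO LADDR:LPORT RADDR:RPORT".
# The plugin pads addresses, so ":" may be surrounded by spaces; collapse that first.
netstat_keys() {
    grep -E '^(TCP|UDP)' "$1" \
        | sed -E 's/[[:space:]]*:[[:space:]]*/:/g' \
        | awk '{ print $1, $2, $3 }' \
        | sort -u
}

# Normalise linux_netscan lines (Offset Proto Source Dest State) the same way.
netscan_keys() {
    awk '$2 == "TCP" || $2 == "UDP" { print $2, $3, $4 }' "$1" | sort -u
}

# Print sockets the scan recovered that the fd-table walk did not list.
# Usage: scan_only netstat.txt netscan.txt
scan_only() {
    a=$(mktemp) || return 1
    b=$(mktemp) || return 1
    netstat_keys "$1" > "$a"
    netscan_keys "$2" > "$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Demo on constructed plugin output: one listener (TCP 4444) is only visible to netscan.
# Offsets and PIDs below are made up for the example.
demo_scan_only() {
    d=$(mktemp -d) || return 1
    cat > "$d/netstat.txt" <<'EOF'
TCP      0.0.0.0         :   22 0.0.0.0         :    0 LISTEN                        sshd/1329
TCP      10.0.2.15       :   22 10.0.2.2        :55112 ESTABLISHED                   sshd/1532
UDP      0.0.0.0         :   68 0.0.0.0         :    0                           dhclient/1161
UNIX 11457              systemd-logind/1163  /run/systemd/journal/stdout
EOF
    cat > "$d/netscan.txt" <<'EOF'
Offset             Proto    Source               Dest                 State
0xffff88003a2e6000 TCP      0.0.0.0:22           0.0.0.0:0            LISTEN
0xffff88003a2e6800 TCP      10.0.2.15:22         10.0.2.2:55112       ESTABLISHED
0xffff88003b1c0000 UDP      0.0.0.0:68           0.0.0.0:0
0xffff88003b1c2400 TCP      0.0.0.0:4444         0.0.0.0:0            LISTEN
EOF
    scan_only "$d/netstat.txt" "$d/netscan.txt"
    rm -rf "$d"
}

demo_scan_only
```

A scan-only hit is a lead, not a verdict: netscan also returns sockets from freed memory, so confirm the state (LISTEN/ESTABLISHED) and look for an owning process with linux_psxview before calling it hidden.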
Some processes:
python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_pslist
python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_psxview
Some bash history:
python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_bash
Loaded kernel modules:
python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_lsmod -P
The -P option also prints each module's parameters. Note the lime module in the list: that is LiME, the module we used to acquire the memory image for this investigation, so its presence is expected.
Hidden kernel modules:
python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_hidden_modules
python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_check_modules
python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_check_syscall > ~/Desktop/Mem_forensics/syscall
linux_hidden_modules carves memory for module structures that are no longer in the kernel's module list, and linux_check_modules compares the module list against the sysfs (/sys/module) view. linux_check_syscall prints the system call tables and flags entries whose target is not a known kernel symbol as hooked; its output is redirected to a file here because the tables have several hundred entries.
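Running the plugins one at a time and eyeballing the output does not scale, so the script below is an added example (not part of the original post) that batches the plugins used so far into one output directory and then pulls out the two findings that matter most for an LKM rootkit: syscall table entries marked HOOKED by linux_check_syscall, and linux_psxview rows where the process is absent from the task list (pslist False) while other sources still see it. The output directory OUT is an assumption; the sample plugin outputs in the demo functions are constructed to approximate Volatility 2's text output, with invented offsets and PIDs.

```shell
#!/bin/sh
# Added example: batch the plugins from this post, then flag hooked syscalls and
# processes unlinked from the task list. Sample plugin output is constructed.
LC_ALL=C
export LC_ALL

MEM=/home/forensics/Desktop/Mem_forensics/mem.lime
PROFILE=LinuxUbuntu-3_13_0-53-genericx64
OUT="$HOME/Desktop/Mem_forensics/out"   # assumed output directory

# Run each plugin once and keep its text output; the checks below work on these files.
run_plugins() {
    mkdir -p "$OUT"
    for plugin in linux_pslist linux_psxview linux_netstat linux_netscan linux_lsmod \
                  linux_hidden_modules linux_check_modules linux_check_syscall linux_dmesg linux_bash; do
        python vol.py -f "$MEM" --profile="$PROFILE" "$plugin" \
            > "$OUT/$plugin.txt" 2> "$OUT/$plugin.err"
    done
}

# Table name and index of every system call table entry marked HOOKED.
hooked_syscalls() {
    awk '/HOOKED/ { print $1, $2 }' "$1"
}

# Name and PID of every linux_psxview row whose pslist column is False: the
# process still exists (psscan/pid_hash see it) but was unlinked from the task
# list, which is how a rootkit hides it from ps. The column is located by its
# header name so the check does not depend on column order.
unlinked_processes() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "pslist") c = i; next }
         NR > 2 && c && $c == "False" { print $2, $3 }' "$1"
}

# Constructed linux_check_syscall output. Indices 0x4e and 0xd9 are getdents and
# getdents64 on x86_64, the usual hooks for hiding files and /proc entries.
demo_hooked_syscalls() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Table Name Index Address            Symbol
---------- ----- ------------------ ------------------------------
64bit        0x0 0xffffffff811c1f80 sys_read
64bit        0x1 0xffffffff811c2170 sys_write
64bit       0x4e 0xffffffffa0010a20 HOOKED
64bit       0xd9 0xffffffffa0010c40 HOOKED
EOF
    hooked_syscalls "$f"
    rm -f "$f"
}

# Constructed linux_psxview output with one process missing from pslist.
demo_unlinked_processes() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Offset(V)          Name                    PID pslist psscan pid_hash kmem_cache parents leaders
------------------ -------------------- ------ ------ ------ -------- ---------- ------- -------
0xffff88003c6b0000 init                      1 True   True   True     True       True    True
0xffff88003a1d9800 sshd                   1329 True   True   True     True       True    True
0xffff88003b0f2c00 bash                   1450 False  True   True     True       True    True
EOF
    unlinked_processes "$f"
    rm -f "$f"
}

demo_hooked_syscalls
demo_unlinked_processes
```

Call run_plugins on the real image first, then point hooked_syscalls and unlinked_processes at "$OUT/linux_check_syscall.txt" and "$OUT/linux_psxview.txt". A hooked getdents entry whose address falls inside a module that linux_lsmod does not list, but linux_hidden_modules does, is the combination to look for.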
Kernel log messages:
python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_dmesg
linux_dmesg prints the kernel ring buffer, which can still hold the messages from when a module was loaded or any warnings it triggered.
Files cached in memory:
python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_enumerate_files
This lists the file paths the kernel still has cached, so files the rootkit hides from directory listings on the live system can appear here. The checks so far are broad sweeps; the next steps search for more specific data that may reveal what is on the system.
Yara scanning:
linux_yarascan searches process memory for a plain string (-Y) or a YARA rules file (-y). Here we search for the rootkit's name and save the hits to a file:
python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_yarascan -Y "reptile" > ~/Desktop/Mem_forensics/yarascan_reptile.result
Dumping data:
After finding suspicious evidence, we may want to dump it to disk for further analysis.
Single process dump (one memory mapping of a process, selected by its PID and the mapping's start address as shown by linux_proc_maps):
sudo python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_dump_map -p <pid> -s <start address> -O <output file>
To extract the loaded kernel modules (LKMs) for further analysis and reverse engineering:
sudo python vol.py -f /home/forensics/Desktop/Mem_forensics/mem.lime --profile=LinuxUbuntu-3_13_0-53-genericx64 linux_moddump -D ~/Desktop/Mem_forensics/Modules/
You may check other volatility plugins for Linux at https://github.com/volatilityfoundation/volatility/wiki/Linux-Command-Reference