WiredCyberKnight Blog

Linux Memory Forensics | letsdefend

Introduction to Linux Memory Forensics

This section introduces the importance and purpose of memory forensics in Linux systems. Memory forensics is essential for analyzing malware, system crashes, debugging, and understanding attackers’ actions during security breaches.

  • Memory forensics involves analyzing system RAM to gather crucial evidence about the system’s current state.
  • It helps in detecting malware, debugging system issues, and analyzing user activity.
  • LiME (Linux Memory Extractor) and Volatility are key tools used in Linux memory forensics.
  • Memory dumps contain valuable information like running processes, network connections, and malicious software.
  • Understanding memory artifacts helps forensic analysts track down hidden threats and uncover evidence of cybercrimes.

Capturing Memory Dumps

This section focuses on the process of capturing memory dumps from Linux systems. Memory dumps are crucial for forensic analysis as they store a snapshot of the system’s memory at a given time.

  • LiME is a primary tool used to capture system memory in various formats (e.g., raw, lime format).
  • Memory dumps are used to extract system processes, network connections, and user sessions.
  • Tools like Fmem and Crash are also used for memory dumping.
  • Memory dumps are essential for debugging, malware detection, and incident response.
  • Properly securing memory dumps ensures the integrity of forensic investigations, especially during system crashes or malware infections.

Analyzing the Memory Dump

This section explains the analysis of memory dumps using tools like Volatility and Rekall. Analyzing the dump reveals valuable data on running processes, user activity, and potential malware.

  • Volatility is widely used for analyzing memory dumps from Linux systems.
  • Rekall offers timeline analysis and fast data collection features for in-depth investigations.
  • Memory analysis involves examining processes, network connections, and user activities.
  • Volatility 3 introduced a modular architecture for more flexible and effective analysis.
  • Tools like Redline and Memoryze for Linux provide additional features for detailed memory analysis.
Hands-On Lab Environment:
  • MD5 Hash of the Memory Dump
    • Task: I calculated the MD5 hash of the memory dump file (/var/dumps/forensic.lime).
    • Result: The MD5 hash is dcecd22f1c5f086b342b67a88168a4be.
    • Tools/Command Used: I used the md5sum command to get the hash of the file.
  • Volatility3 Plugin for Process Tree
    • Task: I identified the Volatility3 plugin that shows processes in a tree structure.
    • Answer: The plugin is linux.pstree.
  • Kernel Version from the Dump File
    • Task: I determined the kernel version of the memory dump.
    • Answer: The kernel version is 6.5.0-25-generic.
    • Tools/Command Used: I used the banner command to extract information from the memory dump file, revealing the kernel version.
  • Process Listening on Port 9000
    • Task: I found the process that was listening on port 9000 in the memory dump.
    • Answer: The listening process is python3.
    • Tools/Command Used: I used sockstat | grep 9000 to check for any network connections on port 9000. The command returned PID 2949, so I used pstree | grep 2949 to trace the process and confirmed it was python3.
  • PID of the Process Listening on Port 8080
    • Task: I identified the PID of the process listening on port 8080.
    • Answer: The PID is 2950.
    • Tools/Command Used: I used sockstat | grep 8080 to find the PID listening on port 8080.
  • Directory/File Output of Process 3015 PID
    • Task: I determined the directory or file to which the output of process 3015 was being sent.
    • Answer: The output was directed to /tmp/output.txt.
    • Tools/Command Used: I used lsof | grep 3015 to find the file associated with the PID, as the question provided the PID.
  • Password for SSH Connection
    • Task: I extracted the password for the SSH connection to the IP address 172.16.8.54.
    • Answer: The password is 11S3cR3T22.
    • Tools/Command Used: I used grep 172.16.8.54 /var/dumps/forensic.lime linux.bash to find the password associated with the IP address, as the IP was provided in the question.

Basic Memory Analysis

This section covers the basics of memory analysis, including how to identify processes, threads, and system activities from memory dumps.

  • Process and thread analysis helps identify suspicious or abnormal behavior.
  • Plugins like linux.psaux and linux.pslist are used to list processes in a memory dump.
  • Exit states like TASK_RUNNING and EXIT_ZOMBIE provide insights into the current status of processes.
  • Analyzing parent-child process relationships can help track down malicious processes.
  • Network connections and file activity can also be analyzed to detect threats.
Hands-On Lab Environment – 2 :
  1. State Indicating a Running Process
    • Task: I identified the state that indicates a process is still running in Linux memory analysis.
    • Answer: The state is task_running.
  2. Plugin for Malware Analysis in Linux Memory Forensics (Volatility 3)
    • Task: I identified the plugin used for malware analysis in Linux memory forensics in Volatility 3.
    • Answer: The plugin is linux.vmayarascan.
  3. Step to Verify Memory Dump Type and Format
    • Task: I identified the step to verify the memory dump type and format in Linux memory analysis.
    • Answer: The step is called Image Identification.
  4. MITRE Technique T1070.003 – Clear Command History
    • Task: I identified the command and parameter corresponding to the MITRE technique “T1070.003 – Indicator Removal: Clear Command History”.
    • Answer: The command and parameter are rm -f.
    • Tools/Command Used: I looked into the memory dump and determined that the command rm -f was used to clear command history, aligning with MITRE technique T1070.003.
  1. Process Accessing the File “/etc/sudoers”
    • Task: I identified the name of the process that accessed the file /etc/sudoers.
    • Answer: The process is sudo.
    • Tools/Command Used: I reviewed the memory dump and traced the process interacting with /etc/sudoers, confirming it was sudo.

Case Studies and Practical Examples

This section presents real-world case studies and examples of how memory forensics is used in practice. It includes examples of investigating suspicious user activity and leaked passwords.

  • Case Study 1: Monitoring suspicious user activity by analyzing bash history and network activity.
  • Case Study 2: Investigating leaked passwords by analyzing file movements and network transfers.
  • Practical examples show how to search for malicious commands like wget or scp that might indicate a data breach.
  • YARA rules and Malware scanning can be used to detect specific patterns or threats in memory dumps.
  • Effective memory forensics can uncover the timeline of attacker activity, including malware installation and data exfiltration.

Braily Vasquez

Braily Vasquez is a dedicated IT professional with expertise in technical support, PC building, and network security. With five years of experience, Braily enjoys creating custom tech solutions and empowering users through hands-on projects.

Previous
Next

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts