The Project Freta Analysis Report

alt text

Project Freta produces a report with the following data sets and structure from its analysis of memory images.

Report Sections

Each report has the following sections that focuses on particular artifact types present in the profiled virtual machine during the time its volatile memory was imaged

  • Image Info
    Information and global data attributes about and from the image

  • Debugged Processes
    Processes under the direct control of other processes running on the instance

  • In-Memory Files
    Memory-mapped files

  • Kernel Interrupt Table
    The Linux kernel data structure that associates interrupts with the functions that handle them

  • Kernel Modules
    Object files that implement kernel functionality and that can be loaded and unloaded as needed at runtime

  • Kernel Syscall Table
    Entry points via which usermode code can call functions in the Linux kernel

  • Networks
    The address resolution protocol (ARP) table and active sockets

  • Open Files
    All filesystem objects (including files, devices, pipes, or unix sockets) to which a process has an open handle

  • Potential Rootkits
    Inferred list of potential rootkits from the memory snapshot

  • Processes
    Set of processes running on the instance

  • Unix Sockets
    Interprocess communication (IPC) mechanisms that enables bidirectional data exchange among multiple processes running on the same host

Report Structure

Each data set included in the report has most or all of the following sections:

Report Data

  • Screenshot from the user portal
  • Description of each column
  • How to obtain similar information from the Linux command line

Forensic Hints

Modern malware is complex, sophisticated, and designed with nondiscoverability as a core tenet. White Project Freta infers the existence of some malware from memory (and will improve over time as we gather more data), it does not flag everything. This section suggests patterns to look for in the data that may imply security risk, and steps you can take to investigate further.

Any entry under Potential Rootkits should be thoroughly investigated, and you might compare usermode listing of artifacts with the snapshot-derived list to find any hidden objects. But note that not all malware has a runs perpetually on a machine, even if hidden: it may operate only at specific times or in response to certain system events. The result data sets are generated from a narrow timeslice, so it may be valueable to compare them over time to identify the appearance of unrecognized objects.

Exporting the Report

To manually export the report data in JSON format, please follow these instructions. To extract this data programmatically, please use our API.