The Project Freta Analysis Report
Project Freta produces a report with the following data sets and structure from its analysis of memory images.
Each report has the following sections, each focusing on a particular artifact type present in the profiled virtual machine at the time its volatile memory was imaged:
- Information and global data attributes about and from the image
- Processes under the direct control of other processes running on the instance
- Kernel Interrupt Table: the Linux kernel data structure that associates interrupts with the functions that handle them
- Object files (kernel modules) that implement kernel functionality and that can be loaded and unloaded as needed at runtime
- Kernel Syscall Table: the entry points through which usermode code calls functions in the Linux kernel
- The address resolution protocol (ARP) table and active sockets
- All filesystem objects (including files, devices, pipes, and Unix sockets) to which a process has an open handle
- Potential Rootkits: an inferred list of potential rootkits from the memory snapshot
- The set of processes running on the instance
- Interprocess communication (IPC) mechanisms that enable bidirectional data exchange among multiple processes running on the same host
Each data set included in the report has most or all of the following sections:
- Screenshot from the user portal
- Description of each column
- How to obtain similar information from the Linux command line
Modern malware is complex, sophisticated, and designed with nondiscoverability as a core tenet. While Project Freta infers the existence of some malware from memory (and will improve over time as more data is gathered), it does not flag everything. This section suggests patterns to look for in the data that may imply security risk, and steps you can take to investigate further.
Any entry under Potential Rootkits should be thoroughly investigated. Beyond that, compare the usermode listing of artifacts (what tools on the live system report) with the snapshot-derived list (what the memory image contains): an object present in memory but absent from the usermode view is hidden, and hiding is a strong signal. Note, however, that not all malware runs perpetually on a machine, even when hidden: it may operate only at specific times or in response to certain system events. The result data sets are generated from a narrow timeslice, so it may be valuable to compare them over time to identify the appearance of unrecognized objects.
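The following script is an added example, not part of the Project Freta documentation or tooling. It does two things the text above calls for: it collects the usermode view of several of the report's artifact types from /proc (kernel modules, processes, the ARP table) and from ss (active sockets), which is the kind of "Linux command line" equivalent each data set describes, and it prints the entries that appear in one one-name-per-line list but not in another, which is both the hidden-object comparison and the over-time comparison suggested here. The Freta-derived list is assumed to have already been exported one name per line (this page does not show the export format), and ss from iproute2 is assumed to be installed.

```shell
#!/bin/sh
# Added example (not Project Freta code): collect the usermode view of
# artifact types that also appear in a Freta report, and diff two
# one-name-per-line lists. comm(1) requires sorted input, so every list
# is normalised with sort -u before comparison.

# Loaded kernel modules as seen from usermode (names only).
live_modules() {
    awk '{ print $1 }' /proc/modules | sort -u
}

# Running processes as "pid comm", read from /proc rather than from ps(1),
# so that a hooked ps binary is not the only source of truth.
live_processes() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        comm=$(cat "$d/comm" 2>/dev/null) || continue   # process may have exited
        printf '%s %s\n' "$pid" "$comm"
    done | sort -n
}

# ARP table as "ip hwaddr device" from /proc/net/arp, header line dropped.
live_arp() {
    awk 'NR > 1 { print $1, $4, $6 }' /proc/net/arp | sort -u
}

# Active TCP/UDP sockets as "netid state local peer" (assumes iproute2's ss).
live_sockets() {
    ss -tuan 2>/dev/null | awk 'NR > 1 { print $1, $2, $5, $6 }' | sort -u
}

# Write all four listings into directory $1 so they can be kept and diffed later.
collect_usermode_view() {
    mkdir -p "$1"
    live_modules   > "$1/modules.txt"
    live_processes > "$1/processes.txt"
    live_arp       > "$1/arp.txt"
    live_sockets   > "$1/sockets.txt"
}

# Print entries present in list $2 but absent from list $1.
#   only_in_second live/modules.txt freta-modules.txt
#       -> modules the memory image contains that usermode cannot see.
#   only_in_second report-monday.txt report-friday.txt
#       -> objects that appeared between two reports.
# Output is empty when nothing in $2 is missing from $1.
only_in_second() {
    a=$(mktemp) && b=$(mktemp) || return 1
    sort -u "$1" > "$a"
    sort -u "$2" > "$b"
    comm -13 "$a" "$b"   # -13: drop lines unique to $1 and lines common to both
    rm -f "$a" "$b"
}

# With a directory argument, take a usermode snapshot into it; with no
# argument (for example when sourced), only define the functions above.
if [ $# -eq 1 ]; then
    collect_usermode_view "$1"
fi
```

Because comm only reports differences, an empty result means the two listings agree; a module or process name that shows up only in the memory-derived list is the hidden object to chase first. Names that appear only in the live listing are not reported, since an object visible to usermode but absent from the image is not hiding. Running collect_usermode_view on a schedule and feeding two consecutive outputs to only_in_second gives the over-time comparison the text recommends.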