The Project Freta Analysis Report
Project Freta produces a report with the following data sets and structure from its analysis of memory images.
Report Sections
Each report has the following sections, each of which focuses on a particular artifact type present in the profiled virtual machine at the time its volatile memory was imaged:
- Image Info: Information and global data attributes about and from the image
- Debugged Processes: Processes under the direct control of other processes running on the instance
- In-Memory Files: Memory-mapped files
- Kernel Interrupt Table: The Linux kernel data structure that associates interrupts with the functions that handle them
- Kernel Modules: Object files that implement kernel functionality and that can be loaded and unloaded as needed at runtime
- Kernel Syscall Table: Entry points via which usermode code can call functions in the Linux kernel
- Networks: The address resolution protocol (ARP) table and active sockets
- Open Files: All filesystem objects (including files, devices, pipes, or unix sockets) to which a process has an open handle
- Potential Rootkits: Inferred list of potential rootkits from the memory snapshot
- Processes: Set of processes running on the instance
- Unix Sockets: Interprocess communication (IPC) mechanisms that enable bidirectional data exchange among multiple processes running on the same host
Report Structure
Each data set included in the report has most or all of the following sections:
Report Data
- Screenshot from the user portal
- Description of each column
- How to obtain similar information from the Linux command line
Forensic Hints
Modern malware is complex, sophisticated, and designed with nondiscoverability as a core tenet. While Project Freta infers the existence of some malware from memory (and will improve over time as we gather more data), it does not flag everything. This section suggests patterns to look for in the data that may imply security risk, and steps you can take to investigate further.
Any entry under Potential Rootkits should be thoroughly investigated, and you might compare the usermode listing of artifacts with the snapshot-derived list to find any hidden objects. But note that not all malware runs perpetually on a machine, even if hidden: it may operate only at specific times or in response to certain system events. The result data sets are generated from a narrow timeslice, so it may be valuable to compare them over time to identify the appearance of unrecognized objects.
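The two comparisons suggested above (snapshot-derived list versus usermode listing, and one data set versus a later one) as an added example; this is not Project Freta's code, and the flat `pid`/`name` record layout is a constructed stand-in for the exported report data, not the actual JSON schema.

```python
# Added example (not from Project Freta): cross-view and over-time comparison
# of report data sets. Records are simplified dicts standing in for rows of the
# exported JSON; adapt the key fields to the real column names.
from typing import Iterable, List, Tuple


def hidden_objects(snapshot: Iterable[dict], usermode: Iterable[dict],
                   key: Tuple[str, ...] = ("pid", "name")) -> List[dict]:
    """Records present in the memory-snapshot data set but absent from the
    usermode listing (e.g. `ps`, `lsmod`, `ss`) taken on the running guest.
    A hit is a lead to investigate: a rootkit hiding the object, or simply
    an object that exited between the snapshot and the usermode listing."""
    seen = {tuple(rec[k] for k in key) for rec in usermode}
    return [rec for rec in snapshot if tuple(rec[k] for k in key) not in seen]


def appeared_since(earlier: Iterable[dict], later: Iterable[dict],
                   key: Tuple[str, ...] = ("name",)) -> List[dict]:
    """Records present in a later data set but not in the earlier one, for
    spotting objects that only show up at certain times or after events."""
    known = {tuple(rec[k] for k in key) for rec in earlier}
    return [rec for rec in later if tuple(rec[k] for k in key) not in known]


# Constructed sample data (hypothetical values, not from a real report)
SNAPSHOT_PROCESSES = [
    {"pid": 1, "name": "systemd"},
    {"pid": 612, "name": "sshd"},
    {"pid": 2044, "name": "svc_helper"},   # present in memory only
]
USERMODE_PS = [  # what a `ps -eo pid,comm` run on the guest reported
    {"pid": 1, "name": "systemd"},
    {"pid": 612, "name": "sshd"},
]
MODULES_T0 = [{"name": "ext4"}, {"name": "virtio_net"}]
MODULES_T1 = [{"name": "ext4"}, {"name": "virtio_net"}, {"name": "unknown_mod"}]

if __name__ == "__main__":
    print("hidden from usermode:", hidden_objects(SNAPSHOT_PROCESSES, USERMODE_PS))
    print("new since last snapshot:", appeared_since(MODULES_T0, MODULES_T1))
```

Because the snapshot covers a narrow timeslice, run the cross-view comparison on lists collected as close together as possible, and treat each difference as something to confirm rather than as proof of hiding.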
Exporting the Report
To manually export the report data in JSON format, please follow these instructions. To extract this data programmatically, please use our API.