Need help with forensic analysis.
#1
There are some strange and painful things happening in my life, and I don't exactly know how they are being done, so I'm trying to eliminate all the possibilities and I'll be left with the real cause. This process of elimination requires me to know if there is any malware on my system.

I use a popular distribution of Linux, this is a dual boot machine, I haven't downloaded any suspicious software from sites on this Linux system, most of the software I have installed on this Linux came with the distro or were installed from the official repositories.

I want to be able to dump all the contents of the memory, CPU cache onto a disk or thumb drive, which I can use on another system to perform forensic analysis. How can I do this and what software would I require to accomplish this?
#2
First off, I'd say if you're that concerned about it then you should just reinstall. And if you're still worried about a boot sector virus, I'm not entirely sure how you'd remove it. I also don't really have any memory forensics experience, but I'll help you as best as I can. I found this: https://resources.infosecinstitute.com/c...forensics/. It has a lot of info and tools for memory forensics.

The way I see advanced malware attacks is like this. You can NEVER be 100% sure it's gone. There are a billion places to hide on a system. Rootkits are a great example. They fool the operating system's software to stay hidden. You can't really determine accurately what the malware has done, what it has changed, where it is on the system. You may find its persistence mechanism, processes, all the files it created/wrote to. But it could all still be a diversion from the real malware. Or it may still have control somewhere else you haven't found. This would bring you to the conclusion that you can't 100% trust your system ever again. Naturally, not all malware attacks are this complex and hard to remove. It could just be some random Dark Comet RAT. But you can't know for sure.

On that very optimistic note, I'll tell you what I would do. Malware has characteristics that make it vulnerable. Two of these that can help you find it are the network layer and its persistence mechanism. Obviously, the malware has to have some way to come back when you reboot. It has to (unless there's some magic I don't know about) write to the disk somewhere for that. It also has to (depending on what you're infected with) communicate with its owner. So, look through all the services, systemd/initd stuff, cronjobs, .bashrc, etc. Things that would give the malware persistence across reboots. Now, if the malware got root or is a rootkit then there may only be so much that these will do. Rootkits can intercept API calls (if I'm not mistaken). Rootkits/malware with root can swap out binaries, prevent you from seeing files/processes/network connections. So you can see how if you have a rootkit you may as well reinstall your OS. Next you can look through your network connections. Use tcpdump to just sniff packets for a day or two. Malware would likely call back in that time frame. See what IPs you've connected to and if they're on blacklists.
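As an added example (not code from either poster), here is a small POSIX shell triage script that walks the persistence locations the reply above names (systemd/init services, cron jobs, shell startup files) and prints owner, mtime and size for each file, so the list can be reviewed or diffed against a known-clean install; it assumes `find` and GNU `stat` (BSD `stat` as fallback), and the `sample.*` names in the comments are constructed placeholders.

```shell
#!/bin/sh
# Enumerate Linux persistence locations under a root directory: the live
# system (ROOT=/) or a disk image mounted read-only somewhere else, which is
# the safer way to look at a box you no longer trust. Assumes POSIX sh,
# find, and GNU stat (falls back to BSD stat syntax).

# Relative paths under ROOT that can start code at boot or at login.
PERSIST_PATHS="etc/systemd/system etc/init.d etc/rc.local etc/crontab etc/cron.d
etc/cron.hourly etc/cron.daily etc/cron.weekly var/spool/cron etc/profile
etc/profile.d etc/bash.bashrc root/.bashrc root/.profile home"

# describe_file PATH -> "owner|mtime-epoch|bytes|path"
describe_file() {
    stat -c '%U|%Y|%s|%n' "$1" 2>/dev/null || stat -f '%Su|%m|%z|%N' "$1"
}

# list_persistence [ROOT] [DAYS]
# Prints one describe_file line per regular file under PERSIST_PATHS.
# Only regular files are reported, so in etc/systemd/system the symlinks
# that merely enable distro units are skipped and dropped-in unit files
# (e.g. a constructed sample.service) stand out. Under home/ only shell
# startup dotfiles are listed, not every user file. With DAYS set, only
# files modified within the last DAYS days are shown, which narrows a
# first look to what changed around the time the trouble started.
list_persistence() {
    root="${1:-/}"; root="${root%/}"; days="${2:-}"
    for p in $PERSIST_PATHS; do
        target="$root/$p"
        [ -e "$target" ] || continue
        if [ "$p" = home ]; then
            find "$target" -maxdepth 2 -type f \( -name .bashrc -o -name .profile \
                -o -name .bash_profile -o -name .bash_login -o -name .zshrc \) \
                ${days:+-mtime -$days} 2>/dev/null
        else
            find "$target" -type f ${days:+-mtime -$days} 2>/dev/null
        fi
    done | sort -u | while IFS= read -r f; do
        describe_file "$f"
    done
}

# Usage: . ./persist_check.sh; list_persistence /mnt/suspect 7
```

Run it once against a freshly installed copy of the same distro and once against the suspect disk, then diff the two outputs; anything only in the second list is what to read next.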