Need help with forensic analysis.
#1
There are some strange and painful things happening in my life, and I don't exactly know how they are being done, so I'm trying to eliminate all the possibilities and I'll be left with the real cause. This process of elimination requires me to know if there is any malware on my system.

I use a popular distribution of Linux on a dual-boot machine. I haven't downloaded any suspicious software from sites on this Linux system; most of the software installed on it came with the distro or was installed from the official repositories.

I want to be able to dump all the contents of the memory and CPU cache onto a disk or thumb drive, which I can use on another system to perform forensic analysis. How can I do this, and what software would I require to accomplish this?
#2
First off, I'd say if you're that concerned about it then you should just reinstall. And if you're still worried about a boot sector virus, I'm not entirely sure how you'd remove it. I also don't really have any memory forensics experience, but I'll help you as best as I can. I found this: https://resources.infosecinstitute.com/c...forensics/. It has a lot of info and tools for memory forensics.

The way I see advanced malware attacks is like this. You can NEVER be 100% sure it's gone. There are a billion places to hide on a system. Rootkits are a great example. They fool the operating system's software to stay hidden. You can't really determine accurately what the malware has done, what it has changed, where it is on the system. You may find its persistence mechanism, processes, all the files it created/wrote to. But it could all still be a diversion from the real malware. Or it may still have control somewhere else you haven't found. This would bring you to the conclusion that you can't 100% trust your system ever again. Naturally, not all malware attacks are this complex and hard to remove. It could just be some random Dark Comet RAT. But you can't know for sure.

On that very optimistic note, I'll tell you what I would do. Malware has characteristics that make it vulnerable. Two of these that can help you find it are the network layer and its persistence mechanism. Obviously, the malware has to have some way to come back when you reboot. It has to (unless there's some magic I don't know about) write to the disk somewhere for that. It also has to (depending on what you're infected with) communicate with its owner. So, look through all the services, systemd/initd stuff, cronjobs, .bashrc, etc. Things that would give the malware persistence across reboots. Now, if the malware got root or is a rootkit then there may only be so much that these will do. Rootkits can intercept API calls (if I'm not mistaken). Rootkits/malware with root can swap out binaries and prevent you from seeing files/processes/network connections. So you can see how, if you have a rootkit, you may as well reinstall your OS. Next you can look through your network connections. Use tcpdump to just sniff packets for a day or two. Malware would likely call back in that time frame. See what IPs you've connected to and if they're on blacklists.
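The reply above describes two checks in prose: walk the usual persistence locations, and capture traffic with tcpdump for a day or two, then rank the addresses the host talked to and check them against a blocklist. The script below is an added example that is not part of the thread; it was written for this page. It assumes a systemd-based distro, that tcpdump was run with `-nn` (numeric hosts and ports) and its text output saved, and a local blocklist file with one IPv4 address per line. The sample capture and the blocklist contents are constructed for the demo, using documentation address ranges; the persistence pass is read-only and only prints candidates for a human to read. As the reply notes, a rootkit can hide from all of this, so a clean result does not prove a clean machine.

```shell
#!/bin/sh
# Added example, not from the thread: a read-only persistence triage pass over
# the locations the reply names, plus an offline pass over saved tcpdump -nn
# output to rank the addresses this host talked to and match them against a
# blocklist. Assumes a systemd-based distro and a one-address-per-line blocklist.

# 1. Persistence: files changed in the last 30 days in the usual startup
#    locations, plus rc-file lines that fetch or execute code. These are
#    heuristics to read by hand, not a verdict.
list_persistence() {
    for d in /etc/systemd/system /usr/lib/systemd/system "$HOME/.config/systemd/user" \
             /etc/init.d /etc/rc.local /etc/cron.d /etc/cron.hourly /etc/cron.daily \
             /var/spool/cron /var/spool/cron/crontabs /etc/profile.d; do
        [ -e "$d" ] && find "$d" -maxdepth 1 -type f -mtime -30 2>/dev/null \
            | sed 's|^|recently changed: |'
    done
    for f in "$HOME/.bashrc" "$HOME/.profile" "$HOME/.bash_profile" /etc/bash.bashrc /etc/profile; do
        [ -f "$f" ] && grep -Hn -E 'curl|wget|nc |ncat|base64|eval|/dev/tcp' "$f" 2>/dev/null \
            | sed 's|^|rc-file hit: |'
    done
    return 0
}

# 2. Network: read tcpdump -nn text on stdin, keep packets sent by $1 (this
#    host's address), strip the port from the destination, and print
#    "count address" lines, most-contacted first. IPv6 ("IP6") lines are skipped.
outbound_dests() {
    awk -v me="$1" '
        $2 == "IP" && $4 == ">" {
            n = split($3, s, "."); if (n < 4) next          # host.port or bare host (ICMP)
            dst = $5; sub(/:$/, "", dst)
            m = split(dst, d, "."); if (m < 4) next
            if (s[1]"."s[2]"."s[3]"."s[4] != me) next        # only packets we sent
            seen[d[1]"."d[2]"."d[3]"."d[4]]++
        }
        END { for (ip in seen) print seen[ip], ip }
    ' | sort -rn
}

# 3. Match the ranked list against a blocklist file ($1, one address per line).
flag_blocklisted() {
    awk -v bl="$1" '
        BEGIN { while ((getline line < bl) > 0) if (line != "") bad[line] = 1 }
        ($2 in bad) { print "FLAGGED " $2 " (" $1 " packets)" }
    '
}

# Constructed sample of tcpdump -nn output; 198.51.100.23:4444 plays the
# planted callback. Both remote ranges are reserved documentation addresses.
SAMPLE=$(cat <<'EOF'
12:00:01.000001 IP 192.168.1.10.43210 > 203.0.113.7.443: Flags [S], seq 1, win 64240, length 0
12:00:01.020000 IP 203.0.113.7.443 > 192.168.1.10.43210: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:02.000001 IP 192.168.1.10.43211 > 198.51.100.23.4444: Flags [S], seq 2, win 64240, length 0
12:00:03.000001 IP 192.168.1.10.43211 > 198.51.100.23.4444: Flags [P.], seq 1:20, ack 1, win 502, length 19
12:00:04.000001 IP 192.168.1.10 > 203.0.113.9: ICMP echo request, id 1, seq 1, length 64
EOF
)

# Constructed blocklist (hypothetical addresses) in a temp file.
BLOCKLIST=$(mktemp)
trap 'rm -f "$BLOCKLIST"' EXIT
printf '%s\n' 198.51.100.23 192.0.2.66 > "$BLOCKLIST"

echo "== persistence candidates =="
list_persistence
echo "== outbound destinations (count address) =="
printf '%s\n' "$SAMPLE" | outbound_dests 192.168.1.10
echo "== blocklist hits =="
printf '%s\n' "$SAMPLE" | outbound_dests 192.168.1.10 | flag_blocklisted "$BLOCKLIST"
```

For a real run, replace the sample with `tcpdump -nn -i <iface> > capture.txt` left running for the day or two the reply suggests, then `outbound_dests <your address> < capture.txt | flag_blocklisted <your blocklist>`. The ranked list is worth reading even without blocklist hits: a destination contacted at a steady interval on an unusual port is the beaconing pattern the reply is hinting at.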