Lab 9.5 — Memory Forensics

Lab Overview

The Scenario

Your disk forensics investigation (Lab 9.4) confirmed the linux-web-01 server was compromised. However, the attacker's primary implant appears to be fileless — no malicious binary was found on disk, yet the host continues to beacon to the C2 IP every 30 seconds. Your task is to analyze the live system state through Velociraptor's process analysis artifacts to find and document the in-memory threat.

You need to answer:

1. Which process is the implant hiding in? (Process identification)
2. How was it injected? (Injection technique)
3. What network connections is it maintaining? (C2 communication)
4. What capabilities does the implant have? (Threat assessment)
5. How would you detect this in production? (Detection engineering)

Part 1: Process Enumeration and Tree Analysis

Collect Process Listing

In the Velociraptor web UI, navigate to the client endpoint and launch a collection for:

Linux.Sys.Pslist

This artifact returns a complete process listing with PIDs, PPIDs, command lines, user context, and start times.

Build the process tree and identify anomalies:

1. Map every process to its parent (PID → PPID relationships)
2. Identify processes with unexpected parents:
   • Web server child process spawning shells (apache2 → bash)
   • System services with user-space children (systemd → python3)
   • Orphaned processes (PPID = 1 that shouldn't be)
3. Check process start times against the known compromise timeline from Lab 9.4

PROCESS ANOMALY LOG
═══════════════════════════════
PID     PPID    User      Start Time    Command
[pid]   [ppid]  [user]    [timestamp]   [full command line]
Anomaly: [describe why this is suspicious]

Identify Suspicious Command Lines

Look specifically for:

• Processes with base64-encoded arguments (python3 -c "import base64; ...")
• Processes using /dev/tcp or /dev/udp (bash network redirects)
• Processes with deleted binary references (/tmp/payload (deleted))
• Processes running from unusual paths (/dev/shm, /proc/self)

Click to enlarge

Part 2: Memory Region Analysis

Collect Process Memory Maps

Launch a collection for:

Linux.Sys.Maps

This artifact reads /proc/[pid]/maps for target processes, showing all memory regions with their permissions, backing files, and addresses.

For each suspicious process identified in Part 1, analyze:

1. RWX regions — Memory that is simultaneously readable, writable, AND executable is a strong indicator of injected code. Legitimate shared libraries are mapped as R-X (read-execute) with separate RW- (read-write) data sections.
2. Anonymous regions — Large anonymous (no backing file) memory regions with execute permission suggest dynamically allocated shellcode.
3. Modified library regions — Library mappings that show unexpected permissions or sizes may indicate hooking or hollowing.

MEMORY REGION ANALYSIS
═══════════════════════════════
PID: [suspicious pid]
Process: [command line]

Address Range        Perms   Size      Backing
[start]-[end]        rwxp    [size]    [anonymous]
  → SUSPICIOUS: RWX anonymous region — possible injected shellcode

[start]-[end]        r-xp    [size]    /usr/lib/libc.so.6
  → NORMAL: Standard library mapping with read-execute permissions

Part 3: Network Connection Analysis

Collect Active Network Connections

Launch a collection for:

Linux.Sys.Netstat

This artifact enumerates all active network connections with their associated PIDs and process names.

Map network connections to processes:

1. Identify all ESTABLISHED connections — which processes have active connections?
2. Flag external connections — any connection to a non-RFC1918 address from a non-browser process
3. Check listening ports — unexpected listeners indicate backdoor bind shells
4. Correlate with process anomalies — does the suspicious process from Part 1 have network connections?

NETWORK CONNECTION MAP
═══════════════════════════════
Proto  Local Address       Remote Address        State         PID    Process
tcp    10.0.1.50:45892    185.220.101.42:4445   ESTABLISHED   [pid]  [process]
  → C2 CONNECTION: Matches known attacker IP from auth.log investigation

tcp    0.0.0.0:8443       0.0.0.0:*             LISTEN        [pid]  [process]
  → BACKDOOR LISTENER: Non-standard port, not in baseline services

Connection Timing Analysis

For established C2 connections, note:

• How long has the connection been active?
• Is it persistent or does it reconnect periodically?
• What is the data transfer volume (bytes sent/received)?
• Does the remote IP match any indicators from your previous labs?

Part 4: Shared Library and Module Analysis

Collect Loaded Libraries

Launch a collection for:

Linux.Sys.Maps

Focus on the shared library mappings for suspicious processes.

Check for library anomalies:

1. LD_PRELOAD injection — Check environment variables for LD_PRELOAD entries pointing to non-standard libraries
2. Library path hijacking — Libraries loaded from /tmp, /dev/shm, or home directories instead of /usr/lib
3. Missing libraries — References to shared objects that no longer exist on disk (loaded then deleted)
4. Duplicate libraries — The same library name loaded from two different paths

Linux.Forensics.Env

Collect environment variables for all processes. Look specifically for:

• LD_PRELOAD=/tmp/.hidden/libhook.so (library injection)
• HISTFILE=/dev/null (anti-forensics)
• Custom variables set by attacker tools

Click to enlarge

Part 5: Build Your Memory Analysis Report

Compile all process-level findings into a structured report:

MEMORY FORENSICS ANALYSIS REPORT
═══════════════════════════════════════
Endpoint: linux-web-01
Investigation Date: [today's date]
Investigator: [your name]
Tool Used: Velociraptor

1. PROCESS ANOMALIES
   Suspicious PID(s): [list]
   Parent Process: [what spawned them]
   Command Line: [full command with arguments]
   Start Time: [correlation with compromise timeline]
   User Context: [running as whom]

2. MEMORY INDICATORS
   RWX Regions: [count and sizes per suspicious process]
   Anonymous Executable Regions: [details]
   Injected Code Evidence: [yes/no with supporting data]
   Estimated Payload Size: [based on region sizes]

3. NETWORK ACTIVITY
   C2 Connections: [remote IPs, ports, duration]
   Backdoor Listeners: [bound ports and processes]
   Data Transfer Volume: [bytes sent/received]
   Beaconing Interval: [observed frequency]

4. LIBRARY ANALYSIS
   LD_PRELOAD Abuse: [yes/no with library path]
   Hijacked Libraries: [list with original vs. malicious paths]
   Deleted-but-Loaded: [libraries loaded from disk then removed]

5. DETECTION RECOMMENDATIONS
   YARA Rule: [proposed signature for the injected code]
   Network Signature: [C2 traffic pattern for IDS]
   Process Baseline: [anomalous parent-child relationships to alert on]
   Memory Scan Schedule: [recommended frequency]

6. CORRELATION WITH DISK FORENSICS (Lab 9.4)
   Timeline Alignment: [do memory findings match disk timeline?]
   Additional Findings: [what memory revealed that disk missed]
   Complete Attack Narrative: [unified story across both investigations]

Deliverable Checklist

Before completing the lab, ensure you have:

• Process Tree Analysis — Complete process listing with all anomalies identified and documented
• Memory Region Findings — RWX and anonymous executable regions cataloged per suspicious process
• Network Connection Map — All C2 connections and backdoor listeners mapped to processes
• Library Analysis — LD_PRELOAD, path hijacking, and deleted library checks completed
• Memory Analysis Report — Complete structured report with all 6 sections and correlation to Lab 9.4

What's Next

In Lab 9.6 — Build the Timeline, you'll combine all findings from disk forensics (Lab 9.4) and memory forensics (this lab) into a unified forensic timeline — a minute-by-minute reconstruction of the entire attack from initial access through persistence and data exfiltration.