Microsoft has launched a cloud-based service for free Linux Forensics and Rootkit Malware Detection, dubbed Project Freta, which aims to provide automated full-system volatile memory inspection of virtual machine (VM) snapshots.
Project Freta, which is an offshoot of Microsoft Research, is a roadmap toward trusted sensing for the cloud that would allow enterprises to engage in regular, and complete discovery sweeps for undetected malware.
While snapshot-based memory forensics is in its second decade, still no commercial cloud has yet provided customers the capability to perform full memory audits of thousands of virtual machines (VMs) without a priori forensic readiness and intrusive capture mechanisms.
Why Project Freta?
Project Freta, which is named after Warsaw's Freta Street, the birthplace of the famous French physicist, Marie Curie, who brought X-ray medical imaging to the battlefield during World War I, is a step toward trusted sensing for the cloud.
It is a project designed from the first principles to render evasion technically infeasible by driving the cost of sensor evasion as high as possible in many cases.
And with modern malware as complex, sophisticated, and designed with non-discoverability as a core tenet, Project Freta intends to help automate and democratize VM forensics whereby every enterprise or user can sweep volatile memory for unknown malware with only the push of a button, without requiring complicated setup.
Getting Started with Project Freta
Project Freta is open to anyone with Azure Active Directory account, or a Microsoft Account, and users are able to submit memory images (.vmrs, .lime, .core, or .raw files) via online portal or an API, with a detailed report generated that delves into different sections (kernel modules, in-memory files, and potential rootkits) which can be exported via JSON format.
It currently supports over 4,000 Linux kernels, with Windows support in the pipeline. While the online analysis portal can be accessed here, with full documentation for Project Freta available here.
