Project Freta is a newly announced offer from Microsoft, which aims at discovering any malware or rootkit running on Linux systems, by conducting memory forensic analysis automatically. The analysis is conducted at no cost and is very easy to extrapolate the data, democratizing the forensic process.

Project Freta was designed and built with survivor bias at its core. It is a security project designed from first principles to drive the cost of sensor evasion as high as possible and in many cases render evasion technically infeasible.

Mike Walker

At the moment there are more than 4,000 supported kernel versions.

The process is very useful because the malware cannot “hide” himself, since the image processing system is non-intrusive to the VM, giving analysts a complete view on what’s running and potentially bad for the server.

The supported memory images formats are the following:

  • vmrs
  • lime
  • core
  • raw

The memory can be captured using various tools, such as:

  • vmss2core (VMware)
  • Hyper-V Manager
  • AVML 

The tool works by analyzing an image uploaded on the cloud. Once the image has been acquired, you can let the program scan it.

This image has an empty alt attribute; its file name is image-1.png

Please refer to this guide to extract the images:

Read the full announcement: