Project Freta: Microsoft's new cloud forensics initiative

Microsoft Research yesterday announced Project Freta, a free, cloud-based service for detecting rootkits and advanced malware in memory snapshots of live Linux systems. This service was developed by the NExT Security Ventures (NSV) team at Microsoft Research.

Snapshot-based memory forensics is an old security technique, but no major cloud provider has offered it to customers. Project Freta will allow customers to perform full memory audits of thousands of virtual machines (VMs) without intrusive capture mechanisms.

Project Freta intends to automate and democratize VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button—no setup required.

Microsoft Research’s Project Freta is now available to the public for free with no usage limit. It is capable of automatically fingerprinting and auditing a memory snapshot of most cloud-based Linux VMs. For now, over 4,000 kernel versions are supported automatically.

Key features:

  • Detects novel malicious software, kernel rootkits, process hiding, and other intrusion artifacts agentlessly, by operating directly on captured VM snapshots
  • Very easy to use: submit a captured image to generate a report of its content
  • Memory inspection means there is no software to install and no warning that would give malware a chance to evacuate or destroy data
  • Designed for automating IR-like discovery tasks directly within a cloud fabric, though volatile memory snapshots captured with an acquisition tool can also be used for bare-metal scenarios where virtualization is not available
