Microsoft Research yesterday announced Project Freta, a free, cloud-based service for detecting rootkits and advanced malware in memory snapshots of live Linux systems. This service was developed by the NExT Security Ventures (NSV) team at Microsoft Research.

Snapshot-based memory forensics is an old security technique, but it is not available for customers from any major cloud provider. Project Freta will allow customers to perform full memory audits of thousands of virtual machines (VMs) without intrusive capture mechanisms.

Project Freta intends to automate and democratize VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button—no setup required.

Microsoft Research’s Project Freta is now available to the public for free with no usage limit. It is capable of automatically fingerprinting and auditing a memory snapshot of most cloud-based Linux VMs. For now, over 4,000 kernel versions are supported automatically.

Key features:

  • Detect novel malicious software, kernel rootkits, process hiding, and other intrusion artifacts with no agent on the guest, by operating directly on captured VM snapshots
  • Very easy to use: submit a captured image to generate a report of its content
  • Memory inspection means there is no software to install and no warning that would let malware evacuate or destroy data
  • Designed for automating IR-like discovery tasks directly into a cloud fabric — though volatile memory snapshots captured from an acquisition tool can also be used for bare iron scenarios where virtualization is not available