Extending the ELF Core Format for Forensics Snapshots

Malware authors apply advanced techniques to execute and hide malicious activity on victim Linux systems. ELF runtime infections are among those techniques: they modify the memory of a running victim process to alter its behaviour without touching the executable on disk, so the infection remains invisible to disk-based forensics.

Previously, analysts investigating ELF runtime infections had to rely on a clunky methodology: manually locating the relevant data in process memory and reconstructing the part of the process they wanted to inspect. In this paper I describe my Extended Core File Snapshot (ECFS) format, which accurately captures all of the in-memory forensic information an analyst needs to diagnose common ELF injection attacks.
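To illustrate the kind of manual work an analyst does against a plain ELF core file, here is an added example that is not code from the paper or from ECFS. It walks the program header table of an ELF64 core image and counts PT_LOAD segments mapped both writable and executable, a common residue of in-memory code injection. The core image is constructed inline (three segments: r-x text, rw- data, and an anonymous rwx region) rather than captured from a real process, the structure definitions are copied from the ELF64 specification so the code does not depend on <elf.h>, and the W+X heuristic is this example's own indicator, not the paper's method.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Minimal ELF64 header layouts (per the ELF64 specification), defined
 * locally so the example builds without <elf.h>. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr64_t;

typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} phdr64_t;

#define ET_CORE_T 4   /* e_type: core file */
#define PT_LOAD_T 1   /* p_type: loadable segment */
#define PF_X_T 1
#define PF_W_T 2
#define PF_R_T 4

/* Parse an ELF64 core image held in memory and count PT_LOAD segments that
 * are both writable and executable. Returns -1 if the buffer is not a
 * well-formed ELF64 core (bad magic, wrong class/type, or a program header
 * table that runs past the end of the buffer). */
int count_wx_load_segments(const uint8_t *img, size_t len)
{
    ehdr64_t eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0) return -1;
    if (eh.e_ident[4] != 2 /* ELFCLASS64 */) return -1;
    if (eh.e_type != ET_CORE_T || eh.e_phentsize != sizeof(phdr64_t)) return -1;
    /* Bounds-check the program header table before trusting it: a crafted
     * core must not be able to make the parser read outside the buffer. */
    if (eh.e_phoff > len ||
        (uint64_t)eh.e_phnum * sizeof(phdr64_t) > len - eh.e_phoff)
        return -1;

    int wx = 0;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        phdr64_t ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_LOAD_T) continue;
        if ((ph.p_flags & (PF_W_T | PF_X_T)) == (PF_W_T | PF_X_T)) wx++;
    }
    return wx;
}

/* Build a constructed (not captured) ELF64 core image: r-x text, rw- data
 * and one rwx anonymous region standing in for injected code. Returns the
 * image length, or 0 if the buffer is too small. Segment contents are left
 * out; only the headers matter for this parser. */
size_t build_sample_core(uint8_t *buf, size_t cap)
{
    const uint32_t flags[3] = { PF_R_T | PF_X_T, PF_R_T | PF_W_T,
                                PF_R_T | PF_W_T | PF_X_T };
    const uint64_t vaddr[3] = { 0x400000, 0x601000, 0x7f0000000000ULL };
    size_t need = sizeof(ehdr64_t) + 3 * sizeof(phdr64_t);
    if (cap < need) return 0;
    memset(buf, 0, need);

    ehdr64_t eh;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2;          /* ELFCLASS64 */
    eh.e_ident[5] = 1;          /* ELFDATA2LSB */
    eh.e_ident[6] = 1;          /* EV_CURRENT */
    eh.e_type = ET_CORE_T;
    eh.e_machine = 62;          /* EM_X86_64 */
    eh.e_version = 1;
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(phdr64_t);
    eh.e_phnum = 3;
    memcpy(buf, &eh, sizeof eh);

    for (int i = 0; i < 3; i++) {
        phdr64_t ph;
        memset(&ph, 0, sizeof ph);
        ph.p_type = PT_LOAD_T;
        ph.p_flags = flags[i];
        ph.p_offset = need;     /* segment bytes would follow the headers */
        ph.p_vaddr = ph.p_paddr = vaddr[i];
        ph.p_filesz = ph.p_memsz = 0x1000;
        ph.p_align = 0x1000;
        memcpy(buf + sizeof eh + (size_t)i * sizeof ph, &ph, sizeof ph);
    }
    return need;
}

/* Convenience wrapper: build the sample core and run the check on it. */
int sample_wx_count(void)
{
    uint8_t img[512];
    size_t n = build_sample_core(img, sizeof img);
    return count_wx_load_segments(img, n);
}

int main(void)
{
    printf("writable+executable PT_LOAD segments: %d\n", sample_wx_count());
    return 0;
}
```

On a real core the same walk is only the first step: the analyst still has to map each segment back to a file (the NT_FILE note), pull the registers and thread state out of the PT_NOTE segment, and rebuild symbol and relocation views by hand, which is the reconstruction work the abstract calls clunky.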