
CVE-2024-3094 Forensic Investigation

Executive Summary

This section provides the high-level context of the research project. It outlines the nature of the XZ Utils supply chain compromise, the core problem of memory-resident forensics, and the academic team behind the investigation.

📄 Abstract

This project presents a hands-on digital forensics investigation of a system compromised using the XZ Utils backdoor, tracked globally as CVE-2024-3094. The attack represents a highly sophisticated supply-chain compromise where malicious code was systematically inserted into the liblzma compression library.

A controlled virtual laboratory was constructed using Proxmox VE. The threat emulation utilized the xzbot framework, enabling remote code execution as root through specially crafted SSH public keys before the normal authentication process completed. The forensic investigation involved capturing volatile memory using Microsoft's AVML and analyzing artifacts with Volatility 3 to uncover stealthy execution paths that bypass disk-based logging.

🎯 Problem Statement

"The core problem addressed in this project is the lack of reliable forensic visibility for advanced memory-resident supply chain attacks."

Traditional forensic methods are insufficient to reconstruct attacks that execute only in volatile memory and leave minimal traces on disk. When a hook planted at the dynamic-linker level (such as IFUNC hijacking) alters a program's behavior in RAM, the audit logs that would normally record a login or a command are never written, so a conventional post-mortem analysis of the disk finds nothing to reconstruct.

🎓 Project Team

  • Investigators
    Anandshankar Iyer 590010637
    Jai Manikthala 590010183
    Shashwat Tripathi 590011321
  • Project Guide
    Dr. Sumitra
  • Institution
    School of Computer Science, UPES
    Bidholi, Dehradun
    May 2026

Core Objectives

  • Infrastructure Deployment & Isolation
  • Threat Emulation (xzbot)
  • Volatile Memory Forensics (AVML, Volatility 3)
  • Network Traffic Analysis (pcapng)
  • Correlation & Timeline Reconstruction

Laboratory Topology

This section describes the isolated virtualization environment used for threat emulation, listing each node together with its configuration and its operational role in the investigation.

Network Architecture & Boundary Protection

  • Forensic Hypervisor: Proxmox VE 8.1.4
  • Gateway / Firewall: pfSense 2.7.2
  • Attacker Station: Kali Linux 2026.1
  • Victim Server: Debian 12 (Bookworm)


Threat Mechanics (IFUNC Hijacking)

This section breaks down the complex memory-level attack vector. It explains how the dynamic linker was manipulated to redirect SSH authentication routines, completely bypassing disk-based validation.

Execution Flow

  1. Library Loading: glibc's dynamic linker loads liblzma.so.
  2. IFUNC Resolution: the crc64_resolve hook triggers during symbol resolution.
  3. GOT Patching: the hook replaces the RSA_public_decrypt pointer.
  4. Payload Execution: the hooked routine intercepts the malicious shell command payload carried in the crafted SSH keys.


Mathematical Model

The technical architecture exploits a standard optimization feature in glibc known as Indirect Functions (IFUNC): a library may export a resolver that the dynamic linker runs at load time, before the program's own code starts, to choose which implementation of a function callers will receive.

If D is the dynamic resolver and f is the target cryptographic decrypt routine:

GOT[f] = D_hijacked(f)

This ensures that any authentication signature processed by the daemon passes through the malicious library first.

Forensic Evidence & Analysis

This section presents the empirical evidence collected during the emulation phase, divided into network telemetry (Wireshark) and volatile memory analysis (Volatility 3).

Runtime Process Anomalies

By acquiring physical RAM with Microsoft's AVML and processing the capture in Volatility 3, investigators reconstructed the exact execution state at the time of capture. The linux.pstree plugin revealed an unauthorized subshell spawning directly from the SSH daemon.

    vol.py -f mem.lime linux.pstree
    PID PPID COMM
    ...
    1 0 systemd
    ├─ 1024 1 sshd
    │ ├─ 1085 1024 sh -c "id > /tmp/xz_proof"
    ...

Privilege: uid=0, gid=0 (root)
System Event Audits: Suppressed (No auth.log)
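As an added example (not code from the project or its report), the following Python script automates the parent-child check the investigators performed by eye: it parses a linux.pstree listing in the simplified PID/PPID/COMM layout shown above and flags any shell whose direct parent is the sshd listener itself. A legitimate login always passes through a per-session sshd child first, so a shell one hop below the listener is the anomaly. The listing embedded in the script is constructed for the example and places the finding above next to benign logins and a cron job.

```python
"""Flag shells spawned directly by the sshd listener in a linux.pstree listing.

Added example, not the project's code. Input is the simplified
PID/PPID/COMM tree layout shown on the page; the sample is constructed.
"""
import re

# Constructed sample: an interactive login (listener -> session sshd -> bash),
# a cron-spawned shell, and the anomalous pre-auth subshell under the listener.
SAMPLE_PSTREE = """\
PID PPID COMM
1 0 systemd
├─ 1024 1 sshd
│ ├─ 1085 1024 sh -c "id > /tmp/xz_proof"
│ ├─ 1102 1024 sshd
│ │ ├─ 1103 1102 sshd
│ │ │ ├─ 1110 1103 bash
├─ 612 1 cron
│ ├─ 1200 612 sh -c /usr/local/bin/backup.sh
"""

# Tree-drawing prefix, then PID, PPID and the rest of the line as COMM.
LINE_RE = re.compile(r"^[\s│├└─]*(\d+)\s+(\d+)\s+(.*)$")
SHELLS = {"sh", "bash", "dash", "zsh"}


def parse_pstree(text):
    """Return {pid: (ppid, comm)}; header and decoration lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, ppid, comm = int(m.group(1)), int(m.group(2)), m.group(3).strip()
        procs[pid] = (ppid, comm)
    return procs


def basename(comm):
    """Program name without path or arguments ('/bin/sh -c x' -> 'sh')."""
    return comm.split()[0].rsplit("/", 1)[-1] if comm else ""


def is_listener(pid, procs):
    """The listener is the sshd whose parent is init/systemd (PID 0 or 1);
    per-session sshd processes have the listener as their parent."""
    ppid, comm = procs[pid]
    return basename(comm) == "sshd" and ppid in (0, 1)


def find_listener_shells(procs):
    """Shells whose direct parent is the sshd listener.

    Normal logins go listener -> session sshd -> user shell, so a shell
    one hop below the listener never appears in legitimate operation.
    Returns sorted (pid, ppid, comm) tuples.
    """
    hits = []
    for pid, (ppid, comm) in procs.items():
        if basename(comm) in SHELLS and ppid in procs and is_listener(ppid, procs):
            hits.append((pid, ppid, comm))
    return sorted(hits)


if __name__ == "__main__":
    for pid, ppid, comm in find_listener_shells(parse_pstree(SAMPLE_PSTREE)):
        print(f"ANOMALY: pid {pid} ({comm}) spawned directly by sshd listener {ppid}")
```

The check deliberately keys on the listener rather than on "any shell under sshd", because the latter fires on every interactive login; on a real capture, feed the script the plugin's output and review each hit against the session children present at the time.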

Memory Page Distribution Check

Analysis of unbacked rwx pages via linux.proc.Maps
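As an added example (not the project's own tooling), this Python script performs the page-distribution check described above over the table that linux.proc.Maps prints: it keeps every mapping that is readable, writable and executable at once and has no backing file. The column order (PID, Process, Start, End, Flags, PgOff, Major, Minor, Inode, File Path) is assumed from the Volatility 3 plugin's table layout, and the rows embedded below are constructed for the example.

```python
"""Flag unbacked rwx mappings in linux.proc.Maps output.

Added example, not the project's code. The column layout (PID, Process,
Start, End, Flags, PgOff, Major, Minor, Inode, File Path) is assumed from
Volatility 3's linux.proc.Maps table; the sample rows are constructed.
"""

# Constructed sample: file-backed text, heap, stack, and two anonymous rwx
# regions (one in sshd, one in the spawned shell) that the check should flag.
SAMPLE_MAPS = """\
PID Process Start End Flags PgOff Major Minor Inode File Path
1024 sshd 0x55d0a2c00000 0x55d0a2c8a000 r-x 0x0 8 1 131093 /usr/sbin/sshd
1024 sshd 0x7f3c10000000 0x7f3c10021000 rw- 0x0 0 0 0 [heap]
1024 sshd 0x7f3c12345000 0x7f3c12355000 rwx 0x0 0 0 0
1024 sshd 0x7ffd4a000000 0x7ffd4a021000 rw- 0x0 0 0 0 [stack]
1085 sh 0x7f9e00010000 0x7f9e00020000 rwx 0x0 0 0 0
"""


def parse_maps(text):
    """Parse the table into dicts; the File Path column may be empty."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 9)             # at most 10 fields
        if len(parts) < 9:
            continue                            # malformed or blank line
        pid, proc, start, end, flags, _pgoff, _major, _minor, inode = parts[:9]
        path = parts[9].strip() if len(parts) == 10 else ""
        rows.append({
            "pid": int(pid), "process": proc,
            "start": int(start, 16), "end": int(end, 16),
            "flags": flags, "inode": int(inode), "path": path,
        })
    return rows


def is_unbacked_executable(row):
    """True for a mapping that is r, w and x at once and has no backing file.

    Pseudo-mappings such as [heap] or [stack] have inode 0 and no path
    starting with '/', so an executable one is reported as unbacked too.
    """
    anonymous = row["inode"] == 0 and not row["path"].startswith("/")
    return {"r", "w", "x"} <= set(row["flags"]) and anonymous


def find_unbacked_rwx(rows):
    """Return (pid, process, start, end) for every flagged mapping."""
    return [(r["pid"], r["process"], r["start"], r["end"])
            for r in rows if is_unbacked_executable(r)]


if __name__ == "__main__":
    for pid, proc, start, end in find_unbacked_rwx(parse_maps(SAMPLE_MAPS)):
        print(f"pid {pid} ({proc}): unbacked rwx region {start:#x}-{end:#x}, "
              f"{end - start} bytes")
```

Regions that survive this filter are where an in-memory payload would have to live, so they are the natural next target for dumping and string or YARA inspection; a JIT runtime also creates such regions, which is why the process name is carried through in the result.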

Project Execution Roadmap

A structured timeline tracking the methodology across 16 weeks, from lab provisioning to the final forensic timeline reconstruction and reporting.

  • Weeks 1-3, Infrastructure Prep
    Proxmox, pfSense, VLAN isolation setup.
  • Weeks 4-6, Threat Emulation
    xzbot configuration, SSH exploit testing, payload generation.
  • Weeks 7-10, Evidence Acquisition
    Pcap collection, AVML RAM capture, log extraction.
  • Weeks 11-16, Analysis & Reporting
    Volatility analysis, MITRE mapping, rule generation.

MITRE ATT&CK Mitigation Strategies

  • T1195.002 Supply Chain Compromise
    Mitigation: Use static scanning tools to audit packages against known vulnerable versions.
  • T1210 Exploitation of Remote Services
    Mitigation: Use TShark to identify anomalous packet frames during handshakes.
  • T1068 Exploitation for Privilege Escalation
    Mitigation: Monitor parent-child relationships of system processes for anomalous shells.
  • T1562.001 Impair Defenses (Logging Bypass)
    Mitigation: Implement stateful, hypervisor-level network and process logging.