{
"project": "Linux Memory Forensics Investigation",
"case_id": "CASE_20251228_0001",
"version": "1.0",
"created": "2025-12-28",
"last_updated": "2026-01-02",
"analyst": "Sai (DFIR Analyst)",
"artifacts": {
"evidence": {
"memory_dump": {
"filename": "mem_victim-u20_5.4.0-216-generic_20251227T214903Z.lime",
"size_mb": 4096,
"hash_algo": "SHA256",
"location": "evidence/",
"synthetic": false,
"note": "Not committed to git (see .gitignore) - available on request"
}
},
"analysis_outputs": {
"volatility3_plugins": 13,
"total_files": 13,
"location": "analysis/outputs/",
"synthetic": false
},
"reports": {
"executive_summary": "findings/executive-summary.md",
"technical_report": "findings/TECHNICAL-REPORT.md",
"findings_overview": "findings/findings-README.md",
"malicious_processes": "findings/malicious-processes.md",
"memory_injection": "findings/memory-injection.md",
"network_c2_analysis": "findings/network-c2-analysis.md",
"python_malware": "findings/python-malware-analysis.md",
"shellcode_analysis": "findings/shellcode-analysis.md",
"iocs_indicators": "iocs/indicators.txt",
"yara_rules": "iocs/yara-rules.yar",
"methodology_overview": "methodology/methodology-README.md",
"procedures": "methodology/procedures.md",
"tools_used": "methodology/tools-used.md"
}
},
"completeness": {
"directories": {
"evidence": true,
"analysis": true,
"findings": true,
"iocs": true,
"methodology": true
},
"total_directories": 5,
"all_complete": true
},
"tools": {
"acquisition": "LiME kernel module",
"analysis": "Volatility 3 Framework 2.26.2",
"symbols": "Ubuntu 5.4.0-216-generic ISF JSON"
},
"status": "INVESTIGATION_COMPLETE",
"severity": "CRITICAL"
}