MARP Toolkit

A cybersecurity incident response toolkit for malware containment, forensic evidence preservation, automated triage, and controlled system recovery — developed as an industry live project with Cohesity.

Timeline

6 months

Role

Team

Status
Completed

Technology Stack

Linux
Bash
YARA
ClamAV
Flask
Nginx
UFW Firewall
NFS
Nmap

Key Challenges

  • Avoiding evidence contamination during active triage
  • Designing a firewall isolation strategy that permitted only the forensic station

Key Learnings

  • Digital forensics lifecycle - containment, evidence collection, and recovery
  • Linux-based firewall isolation with UFW
  • YARA rule-based detection vs signature-only AV
  • Preserving volatile process and memory evidence before remediation
  • Automating security operations with shell scripting

MARP Toolkit: Malware Incident Response with Forensic Automation

Overview

MARP (Minimal Attack Response Procedure) is a structured incident response framework developed as an industry live project with Cohesity.

Built by a team of 4, led by Aadarsh Pathre, the toolkit enforces a disciplined malware response workflow, isolating the infected host, routing all investigation through a dedicated forensic station, automating evidence collection, and validating recovery before restoring access.

Problem Statement

Unstructured malware response destroys forensic evidence. Directly accessing an infected system risks overwriting volatile data, contaminating logs, and triggering anti-forensic behavior. Manual triage also introduces inconsistency across responders.

MARP addresses this with a reproducible, automated response procedure.

System Architecture

MARP System Architecture

The toolkit was shared from the forensic station via NFS and mounted read-only on the application server during investigation.

Response Workflow

Phase 1 — Normal Operations

The application server runs with full public and admin access. Stack: Flask, Gunicorn, Nginx, database.

Phase 2 — Incident Containment

UFW firewall rules block all public and admin access. Only the forensic station retains controlled, port-specific access to the compromised host.

Phase 3 — Analysis and Recovery

Automated artifact collection, YARA and ClamAV scanning, evidence preservation, remediation, and HTTP-validated service restoration.

Toolkit Capabilities

  • Malware Simulation — Plant EICAR and .locked ransomware test artifacts
  • Evidence Collection — Capture system state, sockets, routes, processes, logs
  • Memory Dump — Core dump of Gunicorn process
  • YARA Scan — Rule-based scan for malware signatures
  • ClamAV Scan — AV sweep across 1,300+ files
  • Containment — Apply UFW isolation rules
  • Remediation — Remove malware files, restore locked data
  • Restoration — Reset firewall, restart services, validate HTTP
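The Phase 2 containment rule set and the Phase 3 HTTP validation, as an added shell example that is not the MARP project's own code. The forensic station address and the port choices are assumptions: SSH (22) inbound for triage from the station, NFSv4 (2049) outbound so the toolkit export can be mounted read-only.

```shell
#!/bin/sh
# Added example, not the MARP toolkit itself. Station IP and ports are assumed.
set -eu

# Print the ufw commands that isolate a host. Arguments:
#   $1  forensic station IP (assumed value in the usage below)
#   $2  space-separated inbound TCP ports the station may reach on this host
#   $3  space-separated outbound TCP ports this host may reach on the station
# Printing first lets the rule set be reviewed and stored with the evidence
# before anything changes on the compromised host.
marp_containment_rules() {
    station="$1"; in_ports="$2"; out_ports="$3"
    echo "ufw --force reset"
    echo "ufw default deny incoming"
    echo "ufw default deny outgoing"      # also cuts any outbound beaconing
    for p in $in_ports; do
        echo "ufw allow in proto tcp from $station to any port $p"
    done
    for p in $out_ports; do
        echo "ufw allow out proto tcp to $station port $p"
    done
    echo "ufw logging on"
    echo "ufw --force enable"
}

# Guard against an over-broad rule set: every allow rule must name the station.
# $1 is the rule text, $2 the station IP. Returns 0 when scoped, 1 otherwise.
marp_rules_are_scoped() {
    echo "$1" | grep '^ufw allow' | grep -vF -- "$2" >/dev/null && return 1
    return 0
}

# Apply mode (run as root): refuse unscoped rules, keep a copy in the evidence
# directory ($4), then execute the rule set.
marp_contain() {
    rules=$(marp_containment_rules "$1" "$2" "$3")
    marp_rules_are_scoped "$rules" "$1" || { echo "refusing: unscoped allow rule" >&2; return 1; }
    mkdir -p "$4"
    printf '%s\n' "$rules" > "$4/ufw_containment_rules.txt"
    printf '%s\n' "$rules" | sh -e
}

# Phase 3 check: the service counts as restored only when the app answers 200.
marp_validate_http() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    [ "$code" = "200" ]
}

# Example usage (assumed station 10.0.0.50):
#   marp_contain 10.0.0.50 "22" "2049" /evidence/containment
#   marp_validate_http http://localhost/ && echo "service restored"
```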

Evidence Collected

  • Running services and process tree
  • Open network sockets
  • Routing tables and ARP cache
  • Live packet capture
  • Gunicorn process core dump
  • Application and Nginx logs
  • Filesystem timestamps of suspicious paths

Detection Results

YARA detected the EICAR test file through rule-based matching, which proved more effective than signature-only AV in this scenario.

ClamAV swept 1,300+ files but flagged no infected files — YARA remained the primary detection signal.

Remediation

  • EICAR malware files removed
  • Ransomware-style .locked files restored
  • Firewall rules reset to normal
  • Service availability confirmed via HTTP validation

Challenges

A live VirtualBox snapshot attempt failed due to an unstable VM state. The team pivoted to capturing a Gunicorn process core dump, preserving forensic value without a full snapshot.

Key Takeaways

  • Incident response requires disciplined containment before any forensic access
  • Automated evidence collection reduces human error and inconsistency
  • Volatile evidence must be captured before remediation begins
  • Fallback collection strategies are essential when primary methods fail

Built with ❤️ by Piyush Dhoka
© 2026. All rights reserved