1 research outputs found
Applying Memory Forensics to Rootkit Detection
Volatile memory dump and its analysis is an essential part of digital
forensics. Among a number of various software and hardware approaches for
memory dumping there are authors who point out that some of these approaches
are not resilient to various anti-forensic techniques, and others that require
a reboot or are highly platform dependent. New resilient tools have certain
disadvantages such as low speed or vulnerability to rootkits which directly
manipulate kernel structures e.g. page tables. A new memory forensic system -
Malware Analysis System for Hidden Knotty Anomalies (MASHKA) is described in
this paper. It is resilient to popular anti-forensic techniques. The system can
be used for doing a wide range of memory forensics tasks. This paper describes
how to apply the system for research and detection of kernel mode rootkits and
also presents analysis of the most popular anti-rootkit tools.Comment: 25 pages, 3 figures, 8 tables. Paper presented at the Proceedings of
the 9th annual Conference on Digital Forensics, Security and Law (CDFSL),
115-141, Richmond, VA, USA. (2014, May 28-29