Proposal / Submission Type
Peer Reviewed Paper
Location
Richmond, Virginia
Start Date
28-5-2014 4:40 PM
Abstract
Volatile memory dumping and its analysis is an essential part of digital forensics. Among the many software and hardware approaches to memory dumping, some authors point out that certain approaches are not resilient to various anti-forensic techniques, while others require a reboot or are highly platform dependent. Newer resilient tools have disadvantages of their own, such as low speed or vulnerability to rootkits that directly manipulate kernel structures, e.g., page tables. This paper describes a new memory forensic system, the Malware Analysis System for Hidden Knotty Anomalies (MASHKA), which is resilient to popular anti-forensic techniques and can be used for a wide range of memory forensics tasks. The paper describes how to apply the system to the research and detection of kernel mode rootkits and also presents an analysis of the most popular anti-rootkit tools.
Keywords: Digital forensics, Virtual memory acquisition, Malware research, Rootkit detection, Anti-forensics
Scholarly Commons Citation
Korkin, Igor and Nesterov, Ivan, "Applying Memory Forensics to Rootkit Detection" (2014). Annual ADFSL Conference on Digital Forensics, Security and Law. 1.
https://commons.erau.edu/adfsl/2014/wednesday/1
Included in
Aviation Safety and Security Commons, Computer Law Commons, Defense and Security Studies Commons, Forensic Science and Technology Commons, Information Security Commons, National Security Law Commons, OS and Networks Commons, Other Computer Sciences Commons, Social Control, Law, Crime, and Deviance Commons
Applying Memory Forensics to Rootkit Detection