Volatile memory dumping and its analysis are an essential part of digital forensics. Among the many software and hardware approaches to memory dumping, some authors point out that certain approaches are not resilient to anti-forensic techniques, while others require a reboot or are highly platform dependent. Newer resilient tools have their own disadvantages, such as low speed or vulnerability to rootkits that directly manipulate kernel structures, e.g. page tables. This paper describes a new memory forensic system, Malware Analysis System for Hidden Knotty Anomalies (MASHKA), which is resilient to popular anti-forensic techniques and can be used for a wide range of memory forensics tasks. The paper shows how to apply the system to the research and detection of kernel mode rootkits and also presents an analysis of the most popular anti-rootkit tools.
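The abstract talks about rootkits that hide objects by manipulating kernel structures and about detecting them from a memory dump. The following is an added example written for this page; it is not MASHKA's code and does not claim to reproduce the paper's method. It builds a constructed "kernel memory" arena of process-like objects linked into an active list, unlinks one of them the way a DKOM rootkit would, and then recovers the hidden object by cross-view comparison: a list walk versus a raw signature scan of the dump. The pool tag, slot size, object layout and PIDs are all hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not MASHKA's code. A constructed "kernel memory" arena holds
 * process-like objects marked with a pool tag; all are linked into an active
 * list. A DKOM-style rootkit unlinks one; cross-view comparison finds it. */

#define POOL_TAG   0x636f7250u   /* "Proc": hypothetical pool tag used as scan signature */
#define ARENA_SIZE 4096
#define SLOT_SIZE  256           /* allocation granularity of the toy pool */
#define MAX_OBJS   (ARENA_SIZE / SLOT_SIZE)

typedef struct obj {
    uint32_t    tag;             /* signature that a raw scan looks for */
    uint32_t    pid;
    struct obj *flink;           /* doubly linked active list, like PsActiveProcessHead */
    struct obj *blink;
    char        name[16];
} obj_t;

/* Union keeps the byte arena aligned for obj_t without compiler extensions. */
static union { unsigned char bytes[ARENA_SIZE]; obj_t align; } arena;
static obj_t head;               /* list head living outside the arena */

/* Build n objects in the arena and link all of them into the active list. */
void build_kernel(int n) {
    memset(&arena, 0, sizeof arena);
    head.flink = head.blink = &head;
    for (int i = 0; i < n && i < MAX_OBJS; i++) {
        obj_t *o = (obj_t *)(arena.bytes + (size_t)i * SLOT_SIZE);
        o->tag = POOL_TAG;
        o->pid = 100u + 4u * (uint32_t)i;          /* constructed PIDs 100,104,108,... */
        snprintf(o->name, sizeof o->name, "svc%d", i);
        o->blink = head.blink;                       /* append at tail */
        o->flink = &head;
        head.blink->flink = o;
        head.blink = o;
    }
}

/* DKOM-style hiding: unlink the object from the list but leave it in memory. */
int hide_pid(uint32_t pid) {
    for (obj_t *o = head.flink; o != &head; o = o->flink) {
        if (o->pid == pid) {
            o->blink->flink = o->flink;
            o->flink->blink = o->blink;
            o->flink = o->blink = o;   /* self-link so the object stays internally consistent */
            return 1;
        }
    }
    return 0;
}

/* View 1: walk the list, as the OS API or a naive tool would. */
int list_view(uint32_t *pids, int max) {
    int n = 0;
    for (obj_t *o = head.flink; o != &head && n < max; o = o->flink)
        pids[n++] = o->pid;
    return n;
}

/* View 2: scan the raw dump for the signature at 16-byte granularity.
 * A real scanner validates more fields than one tag to limit false positives. */
int scan_view(const unsigned char *dump, size_t len, uint32_t *pids, int max) {
    int n = 0;
    for (size_t off = 0; off + sizeof(obj_t) <= len; off += 16) {
        const obj_t *o = (const obj_t *)(dump + off);
        if (o->tag == POOL_TAG && n < max)
            pids[n++] = o->pid;
    }
    return n;
}

/* Cross-view: anything the scan sees but the list does not is hidden. */
int find_hidden(uint32_t *hidden, int max) {
    uint32_t listed[MAX_OBJS], scanned[MAX_OBJS];
    int nl = list_view(listed, MAX_OBJS);
    int ns = scan_view(arena.bytes, ARENA_SIZE, scanned, MAX_OBJS);
    int nh = 0;
    for (int i = 0; i < ns; i++) {
        int seen = 0;
        for (int j = 0; j < nl; j++)
            if (listed[j] == scanned[i]) seen = 1;
        if (!seen && nh < max) hidden[nh++] = scanned[i];
    }
    return nh;
}

int main(void) {
    uint32_t hidden[MAX_OBJS];
    build_kernel(4);
    hide_pid(108);                       /* the "rootkit" hides svc2 */
    int nh = find_hidden(hidden, MAX_OBJS);
    for (int i = 0; i < nh; i++)
        printf("hidden object: pid %u\n", hidden[i]);
    return nh == 1 ? 0 : 1;
}
```

The point of the cross-view is that unlinking only defeats the list walk: the object's bytes, including the tag, are still in the dump. A rootkit that also alters page tables so the dumping tool never sees those bytes defeats the scan as well, which is exactly the class of anti-forensic technique the abstract says MASHKA is meant to resist.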
Update: this research has been used in Scientific Report DRDC-RDDC-2017-R041 by R. Carbone.
Thank you, Richard!
Richard Carbone is an Infosec Analyst and Researcher (EC-Council CHFI, SANS GCIH and GREM) at Defence Research and Development Canada – Valcartier Research Centre. DRDC acts as a Canadian equivalent to DARPA.
I am proud to play a small role in the protection of our cyber world!
The details are here: https://github.com/IgorKorkin/research/tree/main/2014
- paper.pdf: my version and the proceedings version
- slides.pdf, speech.pdf, and demo

@Igorkorkin Absolutely - rootkits are intriguing and if someone does a write-up to help others learn, it deserves to be shared — Christiaan Beek (@ChristiaanBeek) June 21, 2014
Korkin, I., & Nesterov, I. (2014, May 28-29). Applying Memory Forensics to Rootkit Detection. Paper presented at the 9th annual Conference on Digital Forensics, Security and Law (CDFSL), Richmond, Virginia, USA. Proceedings of CDFSL, 115-141. Retrieved from proceedings.adfsl.org/index.php/CDFSL/article/view/34/34
Comments:

APA Editor: Notice that one of the major changes in the APA 6th edition is the requirement for a DOI (Digital Object Identifier) in the citation for print and electronic sources, when available. For more information see the "Electronic Information" section.

Reply: Thanks for the update!

Hi, thanks for sharing an informative post.