APPLYING MEMORY FORENSICS TO ROOTKIT DETECTION
Igor Korkin 1 , Ivan Nesterov 2
1 National Research Nuclear University Moscow Engineering & Physics Institute (NRNU MEPhI), Moscow, 115409, Russia
2 Moscow Institute of Physics and Technology (MIPT), Moscow Region 141700, Russia
# Corresponding author: firstname.lastname@example.org
PDF-version and slides - https://www.academia.edu/7380266/Applying_Memory_Forensics_to_Rootkit_Detection
Volatile memory dump and its analysis is an essential part of digital forensics. Among a number of various software and hardware approaches for memory dumping there are authors who point out that some of these approaches are not resilient to various anti-forensic techniques, and others that require a reboot or are highly platform dependent. New resilient tools have certain disadvantages such as low speed or vulnerability to rootkits which directly manipulate kernel structures e.g. page tables. A new memory forensic system – Malware Analysis System for Hidden Knotty Anomalies (MASHKA) is described in this paper. It is resilient to popular anti-forensic techniques. The system can be used for doing a wide range of memory forensics tasks. This paper describes how to apply the system for research and detection of kernel mode rootkits and also presents analysis of the most popular anti-rootkit tools.
Memory dump is used in various aspects of information security. It can be used for controlling virtual memory content while program is executed, running and after its close, is also typical for sophisticated malware, reverse-engineering due to it provides code and data in virtual memory for research and analysis. Memory dump is also used in computer forensic examination processes. A fairly common problem is to obtain and analyze a memory dump. Both individual professionals J.Stuttgen, M.Cohen, B.Schatz, J.Okolica, J.Rutkowska, J.Butler, L.Cavallaro, L.Milkovic and entire international companies such as Microsoft, WindowsSCOPE, Guidance Software, Mandiant Corporation, Volatile Systems LLC tried to deal with this problem. A number of research theses are devoted to these issues [1-4].
It has also been discussed during various international conferences like BlackHat, DefCon, Digital Forensic Research Workgroup (DFRWS) Conference, ADFSL Conference on Digital Forensics, Security and Law, Open Source Digital Forensics Conference and workshops such as International Workshop on Digital Forensics (WSDF), SANS Windows Memory Forensics Training (FOR526), Open Memory Forensics Workshop (OMFW) by Volatile Systems.
This article presents a new memory dumping and analysis system which has several advantages and gives an example of how to use it for the kernel-mode rootkits and hidden malware detection. Moreover, this system can be applied in all mentioned above areas. The remainder of the paper is organized as follows.
Section 2 is devoted to the most popular software and hardware approaches for acquiring memory their analysis, including a new low-level approach. Memory dump can be obtained by executing a code that is running in user mode, kernel mode, VMX-root mode, system management mode and low-level AMT code which is used by an independent processor. These approaches can dump memory of single process address space or copy physical Random Access Memory (RAM). Tools and approaches focused on the mentioned code modes are described. As Microsoft Windows operating system is the most popular now it is essential to focus on OS Windows family of tools. However, similar conclusions could be made about Unix-based tools and approaches.
Section 3 contains a description of author’s memory dump acquisition approach. The idea is based on walking through the page tables and saving each of them with additional information, such as virtual page addresses and its offsets in the result dump file. This approach reveals good efficiency when each page is not separately saved to HDD, but is buffered and archived before it is saved. Additional dump file encryption protects it from modification while it is being saved to HDD. This approach uses memory paging in protected mode and therefore is operating system independent and is applicable on Linux or Mac OS X.
In section 4 hidden malware is observed. The current available detection methods and tools are analyzed with the focus on signature detection of hidden drivers as the most common problem. An author’s Dynamic Bit Signature (DBS) and Rating Point Inspection (RPI) approaches for processes’ and drivers’ detection and comparative analysis are briefly presented.
Section 5 contains main conclusions and further research directions.