APPLYING MEMORY FORENSICS TO ROOTKIT DETECTION

Abstract

Igor Korkin 1 , Ivan Nesterov 2

1 National Research Nuclear University Moscow Engineering & Physics Institute (NRNU MEPhI), Moscow, 115409, Russia

2 Moscow Institute of Physics and Technology (MIPT), Moscow Region 141700, Russia

# Corresponding author: igor.korkin@gmail.com

PDF-version and slides - https://www.academia.edu/7380266/Applying_Memory_Forensics_to_Rootkit_Detection

ABSTRACT

Volatile memory dump and its analysis is an essential part of digital forensics. Among a number of various software and hardware approaches for memory dumping there are authors who point out that some of these approaches are not resilient to various anti-forensic techniques, and others that require a reboot or are highly platform dependent. New resilient tools have certain disadvantages such as low speed or vulnerability to rootkits which directly manipulate kernel structures e.g. page tables. A new memory forensic system – Malware Analysis System for Hidden Knotty Anomalies (MASHKA) is described in this paper. It is resilient to popular anti-forensic techniques. The system can be used for doing a wide range of memory forensics tasks. This paper describes how to apply the system for research and detection of kernel mode rootkits and also presents analysis of the most popular anti-rootkit tools.