APPLYING MEMORY FORENSICS TO ROOTKIT DETECTION
Igor Korkin 1 , Ivan Nesterov 2
1 National Research Nuclear University Moscow Engineering & Physics Institute (NRNU MEPhI), Moscow, 115409, Russia
2 Moscow Institute of Physics and Technology (MIPT), Moscow Region 141700, Russia
# Corresponding author: email@example.com
PDF-version and slides - https://www.academia.edu/7380266/Applying_Memory_Forensics_to_Rootkit_Detection
Volatile memory dump and its analysis is an essential part of digital forensics. Among a number of various software and hardware approaches for memory dumping there are authors who point out that some of these approaches are not resilient to various anti-forensic techniques, and others that require a reboot or are highly platform dependent. New resilient tools have certain disadvantages such as low speed or vulnerability to rootkits which directly manipulate kernel structures e.g. page tables. A new memory forensic system – Malware Analysis System for Hidden Knotty Anomalies (MASHKA) is described in this paper. It is resilient to popular anti-forensic techniques. The system can be used for doing a wide range of memory forensics tasks. This paper describes how to apply the system for research and detection of kernel mode rootkits and also presents analysis of the most popular anti-rootkit tools.
Memory dump is used in various aspects of information security. It can be used for controlling virtual memory content while program is executed, running and after its close, is also typical for sophisticated malware, reverse-engineering due to it provides code and data in virtual memory for research and analysis. Memory dump is also used in computer forensic examination processes. A fairly common problem is to obtain and analyze a memory dump. Both individual professionals J.Stuttgen, M.Cohen, B.Schatz, J.Okolica, J.Rutkowska, J.Butler, L.Cavallaro, L.Milkovic and entire international companies such as Microsoft, WindowsSCOPE, Guidance Software, Mandiant Corporation, Volatile Systems LLC tried to deal with this problem. A number of research theses are devoted to these issues [1-4].
It has also been discussed during various international conferences like BlackHat, DefCon, Digital Forensic Research Workgroup (DFRWS) Conference, ADFSL Conference on Digital Forensics, Security and Law, Open Source Digital Forensics Conference and workshops such as International Workshop on Digital Forensics (WSDF), SANS Windows Memory Forensics Training (FOR526), Open Memory Forensics Workshop (OMFW) by Volatile Systems.
This article presents a new memory dumping and analysis system which has several advantages and gives an example of how to use it for the kernel-mode rootkits and hidden malware detection. Moreover, this system can be applied in all mentioned above areas. The remainder of the paper is organized as follows.
Section 2 is devoted to the most popular software and hardware approaches for acquiring memory their analysis, including a new low-level approach. Memory dump can be obtained by executing a code that is running in user mode, kernel mode, VMX-root mode, system management mode and low-level AMT code which is us