Applying Memory Forensics to Rootkit Detection
This addresses the need for more resilient memory forensics tools in digital forensics, though it appears incremental as it builds on existing approaches.
The paper tackles the problem of detecting rootkits that manipulate kernel structures by introducing MASHKA, a memory forensic system resilient to anti-forensic techniques, and applies it for rootkit detection and analysis of anti-rootkit tools.
Volatile memory dump and its analysis is an essential part of digital forensics. Among a number of various software and hardware approaches for memory dumping there are authors who point out that some of these approaches are not resilient to various anti-forensic techniques, and others that require a reboot or are highly platform dependent. New resilient tools have certain disadvantages such as low speed or vulnerability to rootkits which directly manipulate kernel structures e.g. page tables. A new memory forensic system - Malware Analysis System for Hidden Knotty Anomalies (MASHKA) is described in this paper. It is resilient to popular anti-forensic techniques. The system can be used for doing a wide range of memory forensics tasks. This paper describes how to apply the system for research and detection of kernel mode rootkits and also presents analysis of the most popular anti-rootkit tools.