Exploiting the Rootkit Paradox with Windows Memory Analysis
J. Kornblum
International Journal of Digital Evidence
2006


Rootkits are malicious programs that silently subvert an operating system to hide an intruder's activities. Although a number of tools are designed to detect rootkits, these programs compete with the rootkit for system resources, which allows the rootkit to actively evade detection. By taking a memory image of the system, a forensic examiner can conduct a more thorough search for rootkits and, even without discovering one directly, infer the presence of one. This paper explores how an examiner can create such a memory image and use the inherent properties of rootkits to find them in those memory images.
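The paradox the abstract relies on is that a rootkit must stay resident in memory to keep hiding, so a scan of the raw image can turn up structures the subverted OS no longer reports. The following is an added illustration, not code from the paper: it builds a constructed toy "memory image" with a hypothetical 16-byte process record (tag, pid, forward link, backward link), unlinks one record the way a process-hiding rootkit would, and then compares what a list walk reports against what a signature carve of the image finds.

```python
import struct

# Constructed record layout (NOT the real Windows EPROCESS layout): a 4-byte
# tag, a 32-bit pid, and forward/backward link offsets into the image.
REC = struct.Struct("<4sIII")   # 16 bytes per record
TAG = b"Proc"


def build_image(pids, hidden):
    """Lay out one record per pid; link every record except those in `hidden`."""
    visible = [p for p in pids if p not in hidden]
    offs = {p: i * REC.size for i, p in enumerate(pids)}
    img = bytearray(REC.size * len(pids))
    for p in pids:
        if p in hidden:
            flink = blink = 0          # unlinked: a list walk never reaches it
        else:
            j = visible.index(p)
            flink = offs[visible[(j + 1) % len(visible)]]
            blink = offs[visible[(j - 1) % len(visible)]]
        REC.pack_into(img, offs[p], TAG, p, flink, blink)
    return bytes(img), offs[visible[0]]   # image and offset of the list head


def walk_list(img, head):
    """What the running OS (and any tool that trusts its lists) reports."""
    seen, visited, off = [], set(), head
    while off not in visited and off + REC.size <= len(img):
        visited.add(off)
        _, pid, flink, _ = REC.unpack_from(img, off)
        seen.append(pid)
        off = flink
    return seen


def scan_image(img):
    """Carve every record carrying the tag, ignoring the links entirely."""
    return [REC.unpack_from(img, o)[1]
            for o in range(0, len(img) - REC.size + 1, 4)
            if img[o:o + 4] == TAG]


def hidden_processes(img, head):
    """Records present in memory but absent from the list: the paradox at work."""
    return sorted(set(scan_image(img)) - set(walk_list(img, head)))


if __name__ == "__main__":
    image, head = build_image([4, 1234, 666, 2048], hidden={666})
    print("list walk :", walk_list(image, head))
    print("image scan:", scan_image(image))
    print("hidden    :", hidden_processes(image, head))
```

A real examiner applies the same cross-view idea to a captured image, carving for the OS's own structure signatures rather than this toy tag.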
