Exploiting the Rootkit Paradox with Windows Memory Analysis
Rootkits are malicious programs that silently subvert an operating system to hide an intruder's activities. Although a number of tools exist to detect rootkits, those tools run on the same live system as the rootkit, competing with it for system resources, which gives the rootkit the opportunity to actively evade detection. By acquiring a memory image of the system, a forensic examiner can conduct a more thorough search for rootkits offline and, even without locating one directly, infer its presence. This paper explores how an examiner can create such a memory image and how the inherent properties of rootkits (a rootkit must reside in memory in order to run, so the structures it hides from the live system remain in the image) can be used to find them in those memory images.
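The inference the abstract refers to is usually done as a cross-view comparison: the list of processes the live kernel reports (obtained by walking its linked list) is compared with the process structures that can be carved out of the memory image by scanning for their signature. A rootkit that unlinks its process from the list cannot also erase the block from memory while it is still running, so any block found by the scan but absent from the walk indicates hiding. The following Python example is an added illustration and is not code from the paper; it uses a constructed, deliberately simplified process block layout (the tag `Proc`, a PID, flink/blink pointers and a name) rather than the real Windows EPROCESS structure, and builds its own small "memory image" so it runs offline.

```python
import struct

TAG = b"Proc"             # constructed tag marking a toy process block
BLOCK_FMT = "<4sIII16s"   # tag, pid, flink, blink, name (constructed layout, not EPROCESS)
BLOCK_SIZE = struct.calcsize(BLOCK_FMT)  # 32 bytes per block


def pack_block(pid, flink, blink, name):
    return struct.pack(BLOCK_FMT, TAG, pid, flink, blink, name.encode().ljust(16, b"\0"))


def build_image(procs, hidden_pid=None, base=0x100):
    """Lay the blocks out contiguously from `base`, link them into a circular
    doubly-linked list (like ActiveProcessLinks), then optionally unlink
    `hidden_pid` the way a DKOM rootkit would: the neighbours are rewired to
    skip the block, but the block's bytes stay in memory. The first process
    is used as the list head, so it must not be the hidden one."""
    n = len(procs)
    offsets = [base + i * BLOCK_SIZE for i in range(n)]
    links = {off: [offsets[(i + 1) % n], offsets[(i - 1) % n]] for i, off in enumerate(offsets)}
    if hidden_pid is not None:
        victim = offsets[[pid for pid, _ in procs].index(hidden_pid)]
        next_off, prev_off = links[victim]
        links[prev_off][0] = next_off   # prev.flink -> next
        links[next_off][1] = prev_off   # next.blink -> prev
    img = bytearray(base)               # leading zero padding (constructed)
    for (pid, name), off in zip(procs, offsets):
        img += pack_block(pid, links[off][0], links[off][1], name)
    img += bytes(64)                    # trailing slack
    return bytes(img), offsets[0]


def read_block(image, off):
    tag, pid, flink, blink, name = struct.unpack_from(BLOCK_FMT, image, off)
    return {"pid": pid, "flink": flink, "blink": blink, "name": name.rstrip(b"\0").decode()}


def walk_active_list(image, head):
    """Live-system view: follow flink pointers from the head until the list wraps."""
    pids, off = [], head
    while True:
        blk = read_block(image, off)
        pids.append(blk["pid"])
        off = blk["flink"]
        if off == head or len(pids) > 10000:   # guard against a corrupted, non-circular list
            break
    return pids


def scan_for_blocks(image):
    """Forensic view: carve every block carrying the tag, regardless of linkage."""
    found, pos = [], image.find(TAG)
    while pos != -1:
        if pos + BLOCK_SIZE <= len(image):
            found.append(read_block(image, pos))
        pos = image.find(TAG, pos + 1)
    return found


def cross_view(image, head):
    """PIDs present in memory but missing from the kernel's own list: evidence of hiding."""
    listed = set(walk_active_list(image, head))
    carved = {b["pid"] for b in scan_for_blocks(image)}
    return sorted(carved - listed)


if __name__ == "__main__":
    # Constructed sample: four processes, one of them unlinked by a "rootkit".
    sample = [(4, "System"), (620, "lsass.exe"), (1337, "backdoor.exe"), (2048, "explorer.exe")]
    image, head = build_image(sample, hidden_pid=1337)
    print("live list :", walk_active_list(image, head))
    print("carved    :", [b["pid"] for b in scan_for_blocks(image)])
    print("hidden    :", cross_view(image, head))
```

On a real image the same comparison is made between the kernel's process list and structures carved by pool-tag or signature scanning; the principle is identical, only the structure layout and the scanning heuristics are more involved. The scan also turns up structures of processes that have legitimately exited but whose memory has not yet been reused, so a carved-but-unlisted entry is a lead to examine, not proof of a rootkit on its own.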