Towards Reliable Rootkit Detection in Live Response

Within digital forensics investigations, the term Live Response refers to all activities that collect evidence on live systems. Though Live Response in general alters the state of the suspect system, it is becoming increasingly popular because it can recover valuable information that is lost in conventional investigations, which power down the suspect computer and analyze an image of its hard disk. Current best practices for Live Response, however, fail to take into account the possibility that false information is gathered because a rootkit is present on the system. In this paper we propose to establish rootkit detection as a standard part of Live Response. We argue that the credibility of the recovered information can be substantially increased by regular empirical experiments using known rootkits and rootkit detectors. We present the results of one such experiment, showing that a redundant combination of three tools can discover all rootkits that were publicly available as of June 2006.