Analysis of Tools for Detecting Rootkits and Hidden Processes
Authors
Abstract
Rootkits pose a dilemma in forensic investigations because hackers use them surreptitiously to mislead investigators. This paper analyzes the effectiveness of online and offline information analysis techniques in detecting rootkits and determining the processes and/or files hidden by rootkits. Five common rootkits were investigated using a live analysis tool, five rootkit detection tools (RDTs) and four offline analysis tools. The experimental results indicate that, while live analysis techniques provide a surprising amount of information and offline analysis provides accurate information, RDTs are the best approach for detecting rootkits and hidden processes.
Similar references
Exploiting the Rootkit Paradox with Windows Memory Analysis
Rootkits are malicious programs that silently subvert an operating system to hide an intruder's activities. Although there are a number of tools designed to detect rootkits, these programs are competing with the rootkit for system resources and allowing the rootkit to actively evade detection. By taking a memory image of the system, a forensic examiner can conduct a more thorough search for roo...
Identifying Rootkit Infections Using a New Windows Hidden-driver-based Rootkit
It can be observed that most sophisticated kernel mode rootkits implement hiding tasks via loading drivers in Windows. Also, more and more malware writers are taking advantage of rootkits to shield their illegal activities. Therefore, the role of a detector for effectively detecting Windows driver-hidden rootkits is becoming extremely important. In our previous work, we focused on developing a ...
Detecting and Administrating Hide Processes in Linux System
Hiding processes in Linux system is an essential part of rootkits actions and malicious program. So, it is very important to monitor and administrate the system hidden processes to ensure the safety and reliability of the computer system. Also, process administration can be a vital factor in determining the stability of a running system. The aim of this research is to detect hide processes in L...
Dynamic Detection of Process-Hiding Kernel Rootkits
Stealth rootkits that hide themselves on victim systems pose a major threat to computer systems. They are usually evasive as they use sophisticated stealth techniques to conceal files, processes, kernel modules, and other types of objects, making it extremely challenging to detect their presence in the victim system. However, current detection techniques are mostly system-specific and ineffecti...
Applying Memory Forensics to Rootkit Detection
Volatile memory dump and its analysis is an essential part of digital forensics. Among a number of various software and hardware approaches for memory dumping there are authors who point out that some of these approaches are not resilient to various anti-forensic techniques, and others that require a reboot or are highly platform dependent. New resilient tools have certain disadvantages such as...