Towards Reliable Rootkit Detection in Live Response
Authors
Abstract
Within digital forensics investigations, the term Live Response refers to all activities that collect evidence on live systems. Though Live Response in general alters the state of the suspect system, it is becoming increasingly popular because it can recover valuable information that is lost in conventional investigations, which power down a suspect computer and analyse an image of its hard disk. Current best practices for Live Response, however, fail to take into account the possibility that the gathered information is false due to the presence of rootkits on the system. In this paper we propose to establish rootkit detection as a standard part of Live Response. We argue that the credibility of the recovered information can be substantially increased by regular empirical experiments using known rootkits and rootkit detectors. We present the results of such an experiment, showing that a redundant combination of three tools can discover all rootkits that were publicly available as of June 2006.
Similar sources
Timely Rootkit Detection During Live Response
The ever evolving nature of the cyber domain presents a unique set of challenges for today’s forensic analysts. One such challenge comes in the form of programs called rootkits. These programs attempt to provide stealth to an attacker by manipulating a computer’s operating system. The surreptitious environment these programs create increases the level of difficulty and the time that it takes to...
Analysis of Tools for Detecting Rootkits and Hidden Processes
Rootkits pose a dilemma in forensic investigations because hackers use them surreptitiously to mislead investigators. This paper analyzes the effectiveness of online and offline information analysis techniques in detecting rootkits and determining the processes and/or files hidden by rootkits. Five common rootkits were investigated using a live analysis tool, five rootkit detection tools (RDTs)...
Tool review - remote forensic preservation and examination tools
Forensic tools are emerging to help digital investigators preserve evidence on live, remote systems. These tools are applying the precepts of digital forensics to incident response, enterprise policy enforcement, and electronic data discovery. This paper discusses the strengths and shortcomings of ProDiscover IR and EnCase Enterprise Edition in the context of the overall digital investigation p...
Fast User-Mode Rootkit Scanner for the Enterprise
User-mode resource hiding through API interception and filtering is a well-known technique used by malware programs to achieve stealth. Although it is not as powerful as kernel-mode techniques, it is more portable and reliable and, as a result, widely used. In this paper, we describe the design and implementation of a fast scanner that uses a cross-view diff approach to detect all user-mode hid...