Applying Memory Forensics to Rootkit Detection
Igor Korkin, Ivan Nesterov

TL;DR
This paper introduces MASHKA, a resilient memory forensic system designed to detect kernel rootkits and counter anti-forensic techniques, improving reliability and effectiveness in digital memory analysis.
Contribution
The paper presents MASHKA, a novel memory forensic tool resilient to anti-forensic techniques and capable of detecting kernel rootkits, addressing limitations of existing methods.
Findings
MASHKA effectively detects kernel rootkits.
The system resists common anti-forensic techniques.
Analysis of popular anti-rootkit tools demonstrates MASHKA's robustness.
Abstract
Volatile memory dumping and its analysis are an essential part of digital forensics. A number of software and hardware approaches to memory dumping exist, and several authors point out that some of these approaches are not resilient to anti-forensic techniques, while others require a reboot or are highly platform dependent. Newer resilient tools have their own disadvantages, such as low speed or vulnerability to rootkits that directly manipulate kernel structures, e.g. page tables. This paper describes a new memory forensic system, the Malware Analysis System for Hidden Knotty Anomalies (MASHKA), which is resilient to popular anti-forensic techniques. The system can be used for a wide range of memory forensics tasks. This paper describes how to apply the system to the research and detection of kernel mode rootkits and also presents an analysis of the most popular…
