From: George M. Garner Jr. <ggarner_online@gmgsystemsinc.com>
To: vol-users@volatilityfoundation.org
Sent: Saturday, December 29, 2012 8:13 PM
Subject: [Vol-users] 29c3 defeating windows memory forensics
This paper may be of interest to the list: http://events.ccc.de/congress/2012/Fahrplan/attachments/2231_Defeating%20Windows%20memory%20forensics.ppt.
It is nice to see someone looking critically at the subject matter, even if in an over-simplistic manner. The gist of the article is that you can easily scrub evidence from a memory dump as it is being written (in plain text) to disk or to the net. Duh!
A few comments on the author's conclusions:
1. Acquisition tools should utilize drivers correctly!
Duh!
2. Use hardware acquisition tools, e.g. firewire.
However, hardware-based acquisition also can be defeated. At a minimum you can program an upper limit on the memory address that the firewire is allowed to access and then place your rootkit above that address. Most new computer systems have more than 4 GiB of memory nowadays.
3. Use crash dumps (native!) instead of raw dumps.
Should maybe introduce the author to all those rootkits (e.g. Sinowal) that remove themselves from the crash dump as it is being written.
4. Perform anti-rootkit scanning before acquisition?
Easier said than done. Just ask the A/V industry.
5. Live forensics is inherently insecure!
Duh! The real question is not whether or not you can cheat memory acquisition software. It is whether you can cheat memory acquisition software and have no one know about it. Knowing that a system is infected is 90% of the battle even if you don't know how. Once I know that a system is infected I will find the rootkit.
_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilesystems.com/mailman/listinfo/vol-users
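Point 2 above (a DMA capture capped below some physical address) leaves part of RAM unacquired, and an image that is silently incomplete is exactly the "no one knows about it" case the mail ends on. As an added example, not from the original mail or the Volatility project, here is a check that compares an image's run list against the machine's physical memory map and reports every range that was never acquired; the physical map, the run list and the 4 GiB cap are constructed sample values, and the (start, length) tuples are assumed to come from the dump header or a firmware memory map.

```python
"""Report physical RAM ranges that an acquired memory image does not cover.

Added example (not from the original mail). Both inputs are lists of
(start, length) byte ranges; the sample values below are constructed.
"""


def merge_runs(runs):
    """Merge overlapping or adjacent (start, length) runs into sorted, disjoint ones."""
    merged = []
    for start, length in sorted(runs):
        end = start + length
        if merged and start <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return [(s, e - s) for s, e in merged]


def uncovered_ranges(physical_map, acquired_runs):
    """Return RAM ranges present in the physical map but absent from the image."""
    gaps = []
    acquired = merge_runs(acquired_runs)
    for ram_start, ram_len in merge_runs(physical_map):
        cursor, ram_end = ram_start, ram_start + ram_len
        for acq_start, acq_len in acquired:
            acq_end = acq_start + acq_len
            if acq_end <= cursor or acq_start >= ram_end:
                continue  # this acquired run lies entirely outside the RAM run
            if acq_start > cursor:
                gaps.append((cursor, acq_start - cursor))  # hole before this run
            cursor = max(cursor, acq_end)
        if cursor < ram_end:
            gaps.append((cursor, ram_end - cursor))  # tail of the RAM run missing
    return gaps


GiB = 1 << 30
# Constructed physical map of a machine with about 8 GiB of RAM and the usual
# firmware/PCI hole below 4 GiB (not a real system's map).
PHYSICAL_MAP = [(0x1000, 0x9E000), (0x100000, 3 * GiB), (4 * GiB, 5 * GiB)]
# Constructed run list of a capture whose DMA window was capped at 4 GiB.
ACQUIRED_RUNS = [(0x1000, 0x9E000), (0x100000, 3 * GiB)]

if __name__ == "__main__":
    for start, length in uncovered_ranges(PHYSICAL_MAP, ACQUIRED_RUNS):
        print(f"not acquired: 0x{start:x}-0x{start + length:x} ({length / GiB:.2f} GiB)")
```

Any non-empty result means the image cannot be trusted to contain everything that was resident, regardless of what an analysis of the acquired part turns up.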