Meant to send this to the list, not just the OP.
-------- Original Message --------
Subject: Re: [Vol-users] BSOD while collecting a memory image
Date: Sun, 11 Mar 2012 11:07:54 -0400
From: George M. Garner Jr. <ggarner_online(a)gmgsystemsinc.com>
To: Mike Lambert <dragonforen(a)hotmail.com>
Mike,
> Is there malware that stops all imaging programs?
Don't know about ALL imaging programs. There is anecdotal evidence of
malware that stops some imaging programs and then allows others to run.
Smart malware doesn't stop anything from running. Everything appears
to be normal. Welcome to the matrix.
Malware has for a long time sought to identify "white hat" software.
Until recently this has been almost exclusively based on the file names
of common anti-rootkit and IR packages. You could effectively defeat
the anti-forensic techniques simply by renaming your tools. More
recently, however, rootkits have begun to use other information to
identify IR tools, in particular, the certificate info for signed PE
executables. This is much more problematic. Particularly with the
widespread adoption of 64-bit Windows, all device drivers must be signed
and the signature can be used to identify your tools in an unambiguous
way. There is a paper that will be published in the near future on
developing a blackhat scanner. If you investigate sophisticated malware
you should be thinking about getting your own code signing certificate(s).
I believe that Sinowal was/is a "public" rootkit that attempts to remove
itself from memory during hibernation. Whether a rootkit successfully
removes all traces of itself from a hibernation file is another matter.
Regards,
g.
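The certificate-based identification described above rests on the Authenticode signature embedded in a signed PE file. The following is an added example, not code from the thread or from Volatility, that locates that embedded WIN_CERTIFICATE blob so an examiner can inventory which tools in a kit carry a signature and therefore expose a signer fingerprint. The PE bytes it parses are a constructed minimal PE32+ header built inline, not a real binary.

```python
import struct

# Index of the Certificate Table (Authenticode) entry in the optional header's data directories.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def authenticode_blob(pe: bytes):
    """Return (certificate_type, certificate_bytes) for the embedded Authenticode
    WIN_CERTIFICATE, or None when the image carries no embedded signature."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                        # PE32: NumberOfRvaAndSizes at 92, directories at 96
        dd_off = 96
    elif magic == 0x20B:                      # PE32+: NumberOfRvaAndSizes at 108, directories at 112
        dd_off = 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", pe, opt + dd_off - 4)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    # Unlike the other directories, the security entry holds a raw file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size < 8:
        return None
    length, revision, cert_type = struct.unpack_from("<IHH", pe, off)   # WIN_CERTIFICATE header
    return cert_type, pe[off + 8:off + length]                           # dwLength covers the header


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (no sections) for offline testing; not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = bytearray(240)                                        # 112 fixed bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    body_len = len(dos) + 4 + len(coff) + len(opt)              # 328 bytes, already 8-byte aligned
    cert = b""
    if signed:
        payload = b"\x30\x82\x00\x00CONSTRUCTED-PKCS7"          # placeholder, not a real PKCS#7 blob
        cert = struct.pack("<IHH", 8 + len(payload), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, body_len, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert
```

On a real signed executable the returned bytes are a DER-encoded PKCS#7 SignedData structure; handing them to an ASN.1 or PKCS#7 parser yields the signer's subject name, which is exactly the value the thread warns can identify a tool regardless of its file name.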