Abstract
Rootkits pose a dilemma in forensic investigations because hackers use them surreptitiously to mislead investigators. This paper analyzes the effectiveness of online and offline information analysis techniques in detecting rootkits and determining the processes and/or files hidden by rootkits. Five common rootkits were investigated using a live analysis tool, five rootkit detection tools (RDTs) and four offline analysis tools. The experimental results indicate that, while live analysis techniques provide a surprising amount of information and offline analysis provides accurate information, RDTs are the best approach for detecting rootkits and hidden processes.
© 2007 International Federation for Information Processing
Cite this paper
Todd, A., Benson, J., Peterson, G., Franz, T., Stevens, M., Raines, R. (2007). Analysis of Tools for Detecting Rootkits and Hidden Processes. In: Craiger, P., Shenoi, S. (eds) Advances in Digital Forensics III. DigitalForensics 2007. IFIP — The International Federation for Information Processing, vol 242. Springer, New York, NY. https://doi.org/10.1007/978-0-387-73742-3_6
DOI: https://doi.org/10.1007/978-0-387-73742-3_6
Publisher Name: Springer, New York, NY
Print ISBN: 978-0-387-73741-6
Online ISBN: 978-0-387-73742-3