An article over on ZDNet talks about Joanna Rutkowska’s Black Hat presentation on her rootkit research and how rootkits may foil hardware memory retrieval for auditing. A memory-obfuscating rootkit will complicate research and may call into question forensic evidence, depending on the court case and what activity is alleged.
When a user is accused of performing a malicious or illegal action on a computer, one defense seen in the courtroom is that the computer was under the influence of a virus or under the direct manipulation of an outsider. Rootkits enable both scenarios by providing an interface that lets another actor circumvent the security context of the OS, or perform functions entirely outside the OS audit and data-logging facilities. A rootkit can act under the guise of the legitimate user, or it can act in secret.
I won’t mention any specific instances, although a diligent reader can find them all over the web, but to a security researcher or forensic examiner the system RAM is a good place to look for malicious activity, since the state of the machine at runtime is reflected in RAM. New developments in exploiting peripheral processors and memories (such as the graphics processor and its firmware storage) provide more places to look, but the rest of the world moves slowly, and most examiners will still rely on a copy of the hard disks, a “live” software memory dump if possible, and, if available, a hardware dump of the memory (to avoid interference by malware running on the machine).
Joanna’s research has shown that memory retrieved with current methods may itself be unreliable. This is but one more step in the cat-and-mouse game of computer security, where complex systems assembled from the work of many disjoint companies come together with many seams to poke through.
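If a memory image can be wrong, an examiner wants a way to notice. One practical check is to acquire the same physical memory by two independent routes (for instance the software dump and the hardware dump mentioned above) and compare them page by page: regions that disagree are where the evidence needs closer scrutiny. The code below is an added example written for this post; it is not from the ZDNet article or from Joanna Rutkowska’s work. It assumes a 4 KiB page granularity, two acquisitions covering the same physical range, and treats a page that is a single repeated byte on only one side (such as all zeros) as a distinct class of discrepancy; that classification is a heuristic of mine, not something the article describes. The sample images are constructed inline.

```python
from dataclasses import dataclass, field
from typing import List

PAGE_SIZE = 4096  # assumed comparison granularity (4 KiB pages)


@dataclass
class Discrepancy:
    page: int          # page index within the image
    offset: int        # byte offset of the page
    uniform_fill: bool # True if exactly one side is a single repeated byte


@dataclass
class ComparisonReport:
    pages_compared: int
    discrepancies: List[Discrepancy] = field(default_factory=list)

    @property
    def differing_pages(self) -> List[int]:
        return [d.page for d in self.discrepancies]


def _is_uniform(page: bytes) -> bool:
    """A page made of one repeated byte value (e.g. all zeros)."""
    return len(set(page)) <= 1


def compare_acquisitions(dump_a: bytes, dump_b: bytes,
                         page_size: int = PAGE_SIZE) -> ComparisonReport:
    """Compare two acquisitions of the same physical memory page by page.

    Both images must cover the same range; aligning offsets from
    differently scoped acquisitions is left to the caller.
    """
    if len(dump_a) != len(dump_b):
        raise ValueError("acquisitions cover different sizes; align them first")
    page_count = (len(dump_a) + page_size - 1) // page_size
    report = ComparisonReport(pages_compared=page_count)
    for idx, off in enumerate(range(0, len(dump_a), page_size)):
        pa = dump_a[off:off + page_size]
        pb = dump_b[off:off + page_size]
        if pa != pb:
            # Heuristic (my assumption): one side reading as a flat fill
            # while the other has structure is worth flagging separately.
            report.discrepancies.append(
                Discrepancy(idx, off, _is_uniform(pa) != _is_uniform(pb)))
    return report


def build_sample_images():
    """Constructed sample data: 8 pages of deterministic filler.

    The second image differs in page 2 (16 bytes patched) and page 5
    (reads back as all zeros). No real memory content is involved.
    """
    base = bytearray()
    for i in range(8):
        base += bytes((i * 37 + k) % 256 for k in range(PAGE_SIZE))
    altered = bytearray(base)
    p2 = 2 * PAGE_SIZE
    altered[p2:p2 + 16] = b"\xff" * 16
    p5 = 5 * PAGE_SIZE
    altered[p5:p5 + PAGE_SIZE] = b"\x00" * PAGE_SIZE
    return bytes(base), bytes(altered)


if __name__ == "__main__":
    image_a, image_b = build_sample_images()
    rep = compare_acquisitions(image_a, image_b)
    print(f"pages compared: {rep.pages_compared}")
    for d in rep.discrepancies:
        kind = "uniform fill on one side" if d.uniform_fill else "content differs"
        print(f"page {d.page} @ 0x{d.offset:x}: {kind}")
```

Agreement between the two images does not prove either is correct, since both paths could be deceived the same way; a disagreement, however, is a concrete lead, and a page that reads as a flat fill on one path but holds structured data on the other is exactly the kind of seam the article is talking about.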
Check out the article here: http://blogs.zdnet.com/security/?p=109 including her presentation slides.
Great stuff, good to know, and Joanna’s work is impressive.