Title :
Visualizing Indicators of Rootkit Infections in Memory Forensics
Author :
Vomel, Stefan ; Lenz, Henning
Author_Institution :
Dept. of Comput. Sci., Friedrich-Alexander-Univ., Erlangen, Germany
Abstract :
Research in the area of memory forensics has been flourishing over the last few years, and powerful analysis frameworks such as Volatility have been developed. While these frameworks permit examining a forensic memory snapshot in great detail, they mainly target experienced investigators with a thorough knowledge of operating system internals. On the other hand, correlating and interpreting results is especially demanding for personnel with only marginal forensic expertise, as is often found in the IT departments of small- and medium-sized enterprises. This task becomes even more challenging when attempting to detect traces of sophisticated malicious applications such as rootkits. In this paper, we present rkfinder, a plug-in for the well-known forensic framework DFF that integrates major capabilities of Volatility into an intuitive and easy-to-use graphical user interface. Rkfinder generates an abstract, tree-like view of the system state, implements checks that are capable of revealing inconsistencies, and automatically highlights suspicious objects that may indicate the presence of a threat. Thereby, potential sources of a system infection become more visible and can be better addressed in the course of incident response.
Keywords :
digital forensics; graphical user interfaces; storage management; DFF; Rkfinder; digital forensics framework; graphical user interface; memory forensics; rootkit infection; Computers; Forensics; Kernel; Memory management; Random access memory; Digital Forensics Framework; Volatility; memory analysis; memory forensics; rootkit detection
Conference_Titel :
IT Security Incident Management and IT Forensics (IMF), 2013 Seventh International Conference on
Conference_Location :
Nuremberg
Print_ISBN :
978-1-4673-6307-5
DOI :
10.1109/IMF.2013.12