M-unition ≫ Blog Archive ≫ Memory forensics on Windows 7 (x86 and x64) and Windows 2008 x64
Notes
Attacks Against Memory Forensic Tools
http://blog.mandiant.com/archives/1459
Brendan Dolan-Gavitt et al. published a great article in the Proceedings of the ACM Conference on Computer and Communications Security (CCS) [1]. In it, they discuss an attack against memory forensic tools that causes the tools to be blind to the existence of specially modified processes. As Brendan states in his blog, this attack has been known about for some time and requires the intruder to already have a rootkit in place in order to modify the desired process(es). Memoryze has expanded upon their research by modifying the detection algorithm slightly and adding support for all the operating systems Memoryze supports. This work by Dolan-Gavitt, Srivastava, Traynor, and Griffin is sure to motivate change. If you would like to test your existing tools or validate that Memoryze is now resilient, Brendan has made a memory image available for download from his blog.