メモメモ

Attacks Against Memory Forensic Tools
Brendan Dolan-Gavitt et. al. published a great article in the Proceedings of the ACM Conference on Computer and Communications Security (CCS) [1]. In it, they discuss an attack against memory forensic tools that would cause the tools to be blind to the existence of specially modified processes. As Brendan states in his blog, this attack has been known about for some time and requires a rootkit on the part of the intruder in order to modify the desired process(es). Memoryze has expanded upon their research by modifying the detection algorithm slightly and adding support for all the operating systems Memoryze supports. This work by Dolan-Gavitt, Srivastava, Traynor, and Griffin is sure to motivate change. If you would like to test your existing tools or validate that Memoryze is now resilient, Brendan has made a memory image available for download from his blog.

http://blog.mandiant.com/archives/1459