2017 Symposium Posters

Memory Forensics of Windows Kernel and User Mode Rootkits (WIP) [9D6-A94]

Primary Investigator:
Marcus Thompson

Project Members:
Carson Harmon

Malware is becoming more sophisticated every year. As forensic and security professionals develop new heuristics for discovering malware, malware authors find new ways to remain hidden. Rootkits are now included as modules in other malware to prevent its detection and removal. Rootkits operate in either kernel mode or user mode. A rootkit operating in kernel space has more control over the infected system, while one operating in user space can function without needing special permissions. The purpose of this research is to identify both types of rootkit in memory.