Memory Forensics of Windows Kernel-mode and User-mode Rootkits (WIP)
Primary Investigator:
Marcus Thompson
Carson Harmon
Abstract
Malware becomes more sophisticated every year. As forensic and security professionals develop
new heuristics for discovering malware, malware authors find new ways to remain hidden. Rootkits are
now bundled as modules in other malware to defeat detection and removal. A rootkit runs in either
kernel mode or user mode. A kernel-mode rootkit has far more control over the infected system, since it
executes with the same privileges as the operating system itself, but it must first get its code loaded into
the kernel (typically as a driver). A user-mode rootkit lives inside ordinary processes and therefore needs
no elevated privileges or kernel driver, although it can be observed and removed by code running in the
kernel. The purpose of this research is to identify rootkits of both types in memory images of Windows systems.
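As an added illustration of what "identifying the two types of rootkit in memory" amounts to in practice (this is example code written for this page, not code from the paper or its authors), the block below implements the two heuristics most memory-forensics tools start with. Kernel-mode rootkits commonly redirect entries in kernel function-pointer tables such as the SSDT, while user-mode rootkits commonly overwrite the first bytes of an API inside a process with a jump to injected code; both leave a pointer that lands outside the module that legitimately owns the code. Every module name, address and byte sequence here is constructed for the example (the driver `evil.sys` is hypothetical); nothing is read from a real memory image.

```python
"""Two heuristics for finding rootkit hooks in a Windows memory image.

Example code written for this page, not the paper's own tooling.
All module ranges, table contents and prologue bytes are constructed.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleRange:
    """A loaded module as a forensic tool would list it: name, base, size."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def owner_of(addr: int, modules: list[ModuleRange]) -> ModuleRange | None:
    """Return the module backing addr, or None for unbacked (injected) memory."""
    return next((m for m in modules if m.contains(addr)), None)


def pointer_table_hooks(table: list[int], expected_owner: str,
                        modules: list[ModuleRange]) -> list[tuple[int, int, str]]:
    """Kernel-mode heuristic: every entry of a dispatch table such as the SSDT
    should point into the module that implements it (ntoskrnl for the SSDT).
    Returns (index, target, owning module or '<unbacked>') for each violation."""
    findings = []
    for idx, target in enumerate(table):
        owner = owner_of(target, modules)
        if owner is None or owner.name != expected_owner:
            findings.append((idx, target, owner.name if owner else "<unbacked>"))
    return findings


def inline_hook_target(func_addr: int, prologue: bytes) -> int | None:
    """Decode the two trampoline shapes hooking engines most often write at the
    start of a function: 'jmp rel32' (E9) and 'jmp [rip+0]' (FF 25 00000000)
    followed by an 8-byte absolute address. Returns the jump target, or None
    when the prologue is not an unconditional jump."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (func_addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF
    if len(prologue) >= 14 and prologue[:6] == b"\xff\x25\x00\x00\x00\x00":
        return struct.unpack_from("<Q", prologue, 6)[0]
    return None


def inline_hook(func_addr: int, prologue: bytes,
                modules: list[ModuleRange]) -> dict | None:
    """User-mode heuristic: a jump at an exported API's entry point that leaves
    the API's own module is an inline hook. Intra-module jumps (compiler thunks,
    hot-patch stubs) are normal and ignored."""
    target = inline_hook_target(func_addr, prologue)
    if target is None:
        return None
    owner = owner_of(func_addr, modules)
    if owner is not None and owner.contains(target):
        return None
    dest = owner_of(target, modules)
    return {"function": func_addr, "target": target,
            "destination": dest.name if dest else "<unbacked>"}


# --- constructed kernel view: ntoskrnl plus a hypothetical malicious driver ---
KERNEL_MODULES = [
    ModuleRange("ntoskrnl.exe", 0xFFFFF80000400000, 0x800000),
    ModuleRange("evil.sys", 0xFFFFF88001000000, 0x10000),      # hypothetical
]
NT = KERNEL_MODULES[0].base
SSDT_SAMPLE = [NT + 0x1000, NT + 0x2000, 0xFFFFF88001000100, NT + 0x3000]

# --- constructed user-mode view: ntdll plus an unbacked injected region ---
USER_MODULES = [ModuleRange("ntdll.dll", 0x7FF900000000, 0x1F0000)]
NTDLL_FUNC = USER_MODULES[0].base + 0xA000
HOOKED_PROLOGUE = b"\xff\x25\x00\x00\x00\x00" + struct.pack("<Q", 0x20000500)
CLEAN_PROLOGUE = b"\x4c\x8b\xd1\xb8\x90\x00\x00\x00"   # mov r10,rcx ; mov eax,0x90

if __name__ == "__main__":
    print("SSDT hooks:", pointer_table_hooks(SSDT_SAMPLE, "ntoskrnl.exe", KERNEL_MODULES))
    print("inline hook:", inline_hook(NTDLL_FUNC, HOOKED_PROLOGUE, USER_MODULES))
    print("clean:", inline_hook(NTDLL_FUNC, CLEAN_PROLOGUE, USER_MODULES))
```

Both checks reduce to the same question a memory-forensics tool keeps asking: does this code pointer land inside the module that should own it? The kernel variant needs the module list from the kernel's loaded-driver records, the user-mode variant the per-process module list, and in both cases an address that resolves to no module at all (`<unbacked>`) is the strongest signal, since legitimate code is file-backed.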