Detecting and Analysing compromised Firmware in Memory Forensics

Add to your list(s) Download to your calendar using vCal

• Michael Denzel
• Thursday 30 January 2014, 10:00-11:00
• Room 222, School of Computer Science.

If you have a question about this talk, please contact Vincent Cheval.

Previous work showed that Advanced Configuration and Power Interface (ACPI) rootkits can successfully hide from detection. The objective of this thesis is to evaluate whether it is possible to identify these rootkits using memory analysis.

For this, the ACPI Tables were dumped and their content analysed regarding possible rootkit identification methods. In addition, the devices listed in the ACPI Tables were examined concerning their potential usage in forensics.

The results show that it is possible to access the tables and included Advanced Configuration and Power Interface Source Language (ASL) programs with memory analysis. Furthermore, these programs can be scanned afterwards for memory accesses to kernel space, which potentially reveal a rootkit.

As a proof, automatic tools to extract and scan the ACPI Tables were developed. Subsequently, a sample-rootkit was created and tested against the tools which correctly identified the program as “critical”.

Even with the limitations of dead memory analysis, the scanning technique is very promising and identified threats usually indicate corrupted firmware – either by errors or malicious code.

Keywords: Advanced Configuration and Power Interface, ACPI , rootkit, memory forensics, compromised firmware

This talk is part of the Computer Security Seminars series.

This talk is included in these lists:

• Computer Science Departmental Series
• Computer Science Distinguished Seminars
• Computer Security Seminars
• Room 222, School of Computer Science
• computer sience

Note that ex-directory lists are not shown.