
Detecting and Analysing compromised Firmware in Memory Forensics


If you have a question about this talk, please contact Vincent Cheval.

Previous work showed that Advanced Configuration and Power Interface (ACPI) rootkits can successfully hide from detection. The objective of this thesis is to evaluate whether it is possible to identify these rootkits using memory analysis.

For this, the ACPI Tables were dumped and their content analysed regarding possible rootkit identification methods. In addition, the devices listed in the ACPI Tables were examined concerning their potential usage in forensics.

The results show that it is possible to access the tables and included Advanced Configuration and Power Interface Source Language (ASL) programs with memory analysis. Furthermore, these programs can be scanned afterwards for memory accesses to kernel space, which potentially reveal a rootkit.

As a proof of concept, automatic tools to extract and scan the ACPI Tables were developed. Subsequently, a sample rootkit was created and tested against the tools, which correctly identified the program as "critical".

Even with the limitations of dead memory analysis, the scanning technique is very promising, and the threats it identifies usually indicate corrupted firmware, whether through errors or malicious code.
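As an added illustration of the scanning step described above (example code written for this page, not the thesis's own tooling): a small Python classifier over decompiled ASL text that flags SystemMemory OperationRegion windows landing on kernel memory, and separately marks regions whose bounds are only resolved at runtime, which a static scan cannot judge. The ASL fragment, the firmware-reserved ranges and the kernel image range are constructed values standing in for what a real memory dump would provide.

```python
import re
from typing import List, Tuple
# Constructed decompiled ASL, in the form iasl -d emits from a dumped DSDT/SSDT; the KMEM
# region is a constructed rootkit-style declaration whose window lands on the kernel image.
SAMPLE_ASL = """
DefinitionBlock ("", "DSDT", 2, "EXAMPL", "CONSTR", 0x00000001)
{
    OperationRegion (GNVS, SystemMemory, 0x7F9E2000, 0x0200)
    OperationRegion (PCFG, SystemIO, 0x0CF8, 0x08)
    OperationRegion (MBOX, SystemMemory, MADR, 0x0100)
    OperationRegion (KMEM, SystemMemory, 0x01000000, 0x1000)
}
"""

# Physical ranges the dump's firmware memory map marks ACPI NVS / reserved (constructed values);
# legitimate SystemMemory regions normally fall inside them.
FIRMWARE_RESERVED: List[Tuple[int, int]] = [(0x7F9E0000, 0x7FA00000)]
# Physical range holding the kernel image, recovered from the same dump (constructed value).
KERNEL_IMAGE: Tuple[int, int] = (0x01000000, 0x02000000)

OPREGION_RE = re.compile(
    r"OperationRegion\s*\(\s*([\w\\.]+)\s*,\s*(\w+)\s*,\s*([^,]+?)\s*,\s*([^)]+?)\s*\)")

def _parse_int(token: str):
    """Int for a numeric ASL literal; None when it is a named object resolved at runtime."""
    try:
        return int(token, 0)
    except ValueError:
        return None

def _overlaps(start: int, end: int, rng: Tuple[int, int]) -> bool:
    return start < rng[1] and rng[0] < end

def scan_asl(asl: str, reserved=FIRMWARE_RESERVED, kernel=KERNEL_IMAGE) -> List[dict]:
    """Classify each OperationRegion as ok, suspicious (memory outside reserved ranges),
    critical (memory overlapping the kernel image) or indirect (runtime-computed bounds)."""
    findings = []
    for name, space, addr_tok, len_tok in OPREGION_RE.findall(asl):
        verdict = "ok"
        if space == "SystemMemory":
            addr, length = _parse_int(addr_tok), _parse_int(len_tok)
            if addr is None or length is None:
                verdict = "indirect"  # cannot be judged statically; flag for manual review
            elif _overlaps(addr, addr + length, kernel):
                verdict = "critical"
            elif not any(_overlaps(addr, addr + length, r) for r in reserved):
                verdict = "suspicious"
        findings.append({"name": name, "space": space, "verdict": verdict})
    return findings
```

Running `scan_asl(SAMPLE_ASL)` reports GNVS and PCFG as ok, MBOX as indirect and KMEM as critical; the indirect class is the caveat, since a region addressed through a named object can only be resolved by evaluating the AML.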

Keywords: Advanced Configuration and Power Interface, ACPI, rootkit, memory forensics, compromised firmware

This talk is part of the Computer Security Seminars series.

