Detecting and Analysing compromised Firmware in Memory Forensics
University of Birmingham, Talks@bham, Computer Security Seminars
If you have a question about this talk, please contact Vincent Cheval.

Previous work showed that Advanced Configuration and Power Interface (ACPI) rootkits can successfully hide from detection. The objective of this thesis is to evaluate whether it is possible to identify these rootkits using memory analysis. For this, the ACPI Tables were dumped and their content analysed regarding possible rootkit identification methods. In addition, the devices listed in the ACPI Tables were examined concerning their potential usage in forensics. The results show that it is possible to access the tables and the included Advanced Configuration and Power Interface Source Language (ASL) programs with memory analysis. Furthermore, these programs can be scanned afterwards for memory accesses to kernel space, which potentially reveal a rootkit. As a proof, automatic tools to extract and scan the ACPI Tables were developed. Subsequently, a sample rootkit was created and tested against the tools, which correctly identified the program as “critical”. Even with the limitations of dead memory analysis, the scanning technique is very promising, and identified threats usually indicate corrupted firmware – either by errors or malicious code.

Keywords: Advanced Configuration and Power Interface, ACPI, rootkit, memory forensics, compromised firmware

This talk is part of the Computer Security Seminars series.
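The scanning step the abstract describes, as an added illustration that is not the thesis's own tool: it assumes the dumped ACPI tables have already been disassembled to ASL text (for example with iasl), parses the OperationRegion declarations, and marks any SystemMemory region that overlaps the kernel's physical range as "critical". The kernel range and the sample ASL are constructed values for this example; in practice the analyst recovers the range from the same memory image.

```python
import re

# Matches ASL OperationRegion declarations such as
#   OperationRegion (KMEM, SystemMemory, 0x00200000, 0x1000)
OPREGION_RE = re.compile(
    r"OperationRegion\s*\(\s*(\w+)\s*,\s*(\w+)\s*,"
    r"\s*(0[xX][0-9A-Fa-f]+|\d+)\s*,\s*(0[xX][0-9A-Fa-f]+|\d+)\s*\)"
)

# Constructed ASL text standing in for a DSDT disassembled from a memory dump.
# PCFG is an ordinary PCI MMIO window; KMEM points into the range where the
# kernel image lives, which firmware has no legitimate reason to touch.
SAMPLE_ASL = """
DefinitionBlock ("", "DSDT", 2, "DEMO", "DEMO", 0x1)
{
    OperationRegion (PCFG, SystemMemory, 0xE0000000, 0x10000000)
    OperationRegion (DBG0, SystemIO, 0x80, 0x1)
    OperationRegion (KMEM, SystemMemory, 0x00200000, 0x1000)
    Field (KMEM, DWordAcc, NoLock, Preserve) { KVAL, 32 }
}
"""

# Assumed physical range occupied by the kernel, as the analyst would recover
# it from the same memory image (constructed value for this example).
KERNEL_RANGES = [(0x00100000, 0x01000000)]


def parse_operation_regions(asl_text):
    """Return every OperationRegion as (name, space, start, length)."""
    return [(n, s, int(a, 0), int(l, 0))
            for n, s, a, l in OPREGION_RE.findall(asl_text)]


def overlaps(start, length, ranges):
    """True if [start, start+length) intersects any (r_start, r_end) range."""
    end = start + length
    return any(start < r_end and end > r_start for r_start, r_end in ranges)


def scan_asl(asl_text, kernel_ranges=KERNEL_RANGES):
    """Flag SystemMemory regions that reach into kernel memory as 'critical'."""
    findings = []
    for name, space, start, length in parse_operation_regions(asl_text):
        if space == "SystemMemory" and overlaps(start, length, kernel_ranges):
            findings.append((name, hex(start), "critical"))
    return findings


if __name__ == "__main__":
    for finding in scan_asl(SAMPLE_ASL):
        print(finding)
```

Regions in other address spaces (SystemIO, PCI_Config) are ignored here; a fuller scanner would also follow the Field and Method bodies that read or write the flagged region.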