Bill Blunden: Anti-Forensics: The Rootkit Connection
Augustus Ballroom 5-6
About: Conventional rootkits have focused primarily on defeating forensic live incident response and network monitoring using a variety of concealment strategies (e.g. detour patching, covert channels, etc). However, the tools required to survive a post-mortem analysis of secondary storage, which are just as vital in the grand scheme of things, recently don't seem to have garnered the same degree of coverage. In this presentation, the speaker will examine different approaches to persisting a rootkit and the associated anti-forensic tactics that can be employed to thwart an investigator who's performing an autopsy of a disk image.