Accession Number:

AD1004348

Title:

Memory Analysis of the KBeast Linux Rootkit: Investigating Publicly Available Linux Rootkit Using the Volatility Memory Analysis Framework

Descriptive Note:

Technical Report

Corporate Author:

Defence Research and Development Canada - Valcartier Quebec, Quebec Canada

Personal Author(s):

Report Date:

2015-06-01

Pagination or Media Count:

90.0

Abstract:

This report is the first in a series examining Volatility-specific techniques for analysing malware in Linux memory images. With minimal use of scanner-based technologies, the author will demonstrate what to look for while conducting Linux-based memory investigations using Volatility. The investigation consists of a memory image infected by the KBeast rootkit, which is analysed using Volatility. Through the proper application of various Volatility plugins, combined with an in-depth knowledge of the Linux operating system, this case study can provide guidance to other investigators in their own Linux-based memory analyses.

Subject Categories:

Distribution Statement:

APPROVED FOR PUBLIC RELEASE