Anti-Forensic Rootkits – Darren Bilby

March 7, 2008

Anti-Forensic Rootkits – Darren Bilby
Incident response and digital forensics are fast moving fields which have made significant progress over the last couple of years. This means new techniques and tools, one of these is live forensic capture. Live forensics capture means taking an image of a machine while the machine is still running, this is brilliant for the investigators and is becoming common practice.Unfortunately the rootkit premise of “whoever hooks lowest wins” kicks in. So, despite assurances from major forensics software vendors it is possible to give an investigator seemingly valid but completely spurious data.

To prove this isn’t just theoretical (as has been claimed) I created an implementation called “ddefy” which is a kernel mode anti-forensic rootkit for Windows systems. This talk will be relatively low level, covering NTFS internals, NT storage architecture, Windows kernel rootkit methods, forensic techniques and their corresponding anti-forensic counterpart. Check out the Powerpoint presentation here. Note neither source nor binaries have been made available for this.

Darren Bilby is a principal consultant at and is currently based in Auckland, New Zealand. Darren has worked in a variety of places from Linux development houses to banks. When he isn’t performing intrusion testing for clients, he is regularly involved in incident response in both UNIX and Windows environments and is technical lead for the CSIRT team. This means bit wrangling with all forms of custom and targeted malware, and gathering evidence for presentation in court.
BR> He is an active researcher and codesmith and his current projects include new forensic and anti-forensic techniques as well as VoIP hacking tools.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: