Lab 4

# Rootkits

Assigned: May 6th

Due: May 18th by 11:59 PM PST

Requirements

  • Discover and understand rootkits on a memory image

Complete the following by writing a thorough report on the actions you took and the assumptions you made.


You are an incident responder at 0xC0ff33, Inc and came across a machine that appeared to have a rootkit installed on it. Your goal is to use the memory sample to figure out how the rootkit achieved its goals! Use a combination of Volatility plugins, IDA, or whatever tools you feel would be useful to understand the rootkit.

The memory sample can be obtained here

Lab will be graded on the following criteria

  • Used a variety of plugins and described accurately what you learned about the system through them
  • Discovered the malicious driver(s) and/or executable(s) the rootkit used/left behind.
  • Timelining
  • Utilized the 6 steps of memory investigations

I am looking for an analysis of the rootkit. This one is open-ended and will be graded based on your current progress through the term. I want an in-depth analysis of the memory sample presented. Using additional tools aside from Volatility, such as IDA, will earn you more valuable valueless prize tokens. Do not just send me pictures or results of tools; elaborate.


Turn in by e-mail to [email protected].