Memory Analysis of the KBeast Linux Rootkit: Investigating Publicly Available Linux Rootkit Using the Volatility Memory Analysis Framework

Abstract

This report is the first in a series examining Volatility-based memory analysis techniques for Linux malware. Relying only minimally on scanner-based tools, the author demonstrates what to look for when conducting Linux memory investigations with Volatility. The investigation analyses, using Volatility, a memory image taken from a system infected by the KBeast rootkit. Through the proper application of various Volatility plugins, combined with an in-depth knowledge of the Linux operating system, this case study can provide guidance to other investigators conducting their own Linux memory analyses.

Document Details

Document Type
Technical Report
Publication Date
Jun 01, 2015
Accession Number
AD1004348

Entities

People

  • Richard Carbone

Organizations

  • Defence Research and Development Canada

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Case Studies
  • Central Processing Units
  • Classification
  • Computational Forensics
  • Computer Program Documentation
  • Computer Programs
  • Computers
  • Detection
  • Engineering
  • Hash Tables
  • National Security
  • Network Protocols
  • Operating Systems
  • Reverse Engineering
  • Security
  • Shell Scripts
  • Virtual Machines

Readers

  • Brain and Cognitive Science; Experimental Psychology; Cognitive Neuroscience
  • Cybersecurity
  • Theoretical Analysis

Technology Areas

  • Cyber