Detecting Rootkits
If a kernel-mode rootkit is suspected, the entire system cannot be trusted. Since the core of the operating system, the kernel, has been subverted and compromised, you have no idea if the tools you are using are providing you with correct information. However, how do you know if you've been infected with a rootkit? Suspecting it doesn't make it so, and IT managers need hard facts on which to base their decisions. What facts does the administrator or investigator have that will allow him or her to justify taking the CEO's workstation away or taking down the transaction processing server (or servers) at a cost of thousands of dollars per minute?
The AFX Windows Rootkit 2003 can be easily detected by the presence of the two DLL ...
Get Windows Forensics and Incident Recovery now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.