A Forensic Study of the Effectiveness of Selected Anti-Virus Products Against SSDT Hooking Rootkits

Sami Al-Shaheri, Dale Lindskog, Pavol Zavarsky

Proceedings of the Conference on Digital Forensics, Security and Law (2019)

Cited by 24 | Viewed 6

Abstract
On Microsoft Windows operating systems, both anti-virus products and kernel-mode rootkits often hook the System Service Dispatch Table (SSDT). This paper investigates how the two interact with respect to the SSDT. To do so, we extracted digital evidence from volatile memory and analysed that evidence with the Volatility framework. Because the selected anti-virus products use diverse detection techniques and the rootkit samples use diverse infection techniques, our investigation produced correspondingly diverse results. Those results helped us to understand several SSDT hooking strategies and the interaction between the selected anti-virus products and the rootkit samples.
Keywords
volatility, rootkits