The Anti-forensics Connection
While I was writing the first edition, it hit me that rootkits were anti-forensic
in nature. After all, as The Grugq has noted, anti-forensics is geared toward
limiting both the quantity and quality of forensic data that an intruder
leaves behind. Stealth technology is just an instance of this approach: You're
allowing an observer as little indication of your presence as possible, both at
run time and after the targeted machine has been powered down. In light of
this, I've reorganized the book around anti-forensics so that you can see how
rootkits fit into the grand scheme of things.
2 Methodology
Stealth technology draws on material that resides in several related fields of
investigation (e.g., system architecture, reversing, security, etc.). In an effort
to maximize your return on investment (ROI) with regard to the effort that
you spend in reading this book, I've been forced to make a series of decisions
that define the scope of the topics that I cover. Specifically, I've decided to:
■ Focus on anti-forensics, not forensics.
■ Target the desktop.
■ Put an emphasis on building custom tools.
■ Include an adequate review of prerequisite material.
■ Demonstrate ideas using modular examples.
Focus on Anti-forensics, Not Forensics
A book that describes rootkits could very well end up being a book on forensics.
Naturally, I have to go into some level of detail about forensics. Otherwise,
there's no basis from which to talk about anti-forensics. At the same
time, if I dwell too much on the "how" and "why" of forensics (which is
awfully tempting, because the subject area is so rich), I won't have any room
left for the book's core material. Thus, I decided to touch on the basic dance
steps of forensic analysis only briefly, as a launch pad to examine
countermeasures.
I'm keenly aware that my coverage may be insufficient for some readers. For
those who desire a more substantial treatment of the basic tenets of forensic
analysis, there are numerous resources available that delve deeper into this
topic.