http://arstechnica.com/tech-policy/news ... nment.ars/
- could you reliably take a snapshot of the contents of RAM and use the snapshot for analysis? I mean, I imagine you could shelve all new calls to memory while you write its contents to a file somewhere, right? (obviously, at the expense of having a completely unresponsive computer while this is going on, and interfering with several other processes during the operation, but if you're this concerned about finding and removing a rootkit, isn't that your priority?)
- are the images of the system processes generally static or highly variable?
- if you have a rootkit that deleted all its own files from the disk after it was loaded into memory (to avoid detection), wouldn't pulling the plug basically remove the rootkit in its entirety?