Handout B: Rootkit Forensic Artifacts

Hardware-assisted memory enumeration report from HANSEN-SAP-01, completed by a security specialist at BioGenix Solutions.

Memory Scan Output, Hidden Process Comparison, and Server Status

Memory Scan Report -- HANSEN-SAP-01
Scan Method: Hardware-Assisted Enumeration (Hypervisor DKOM check)
Timestamp: 2026-03-10 08:32:14 UTC

Finding: Hidden Kernel Module Detected
Load Address: 0xFFFFF80012A40000
Size: 147,456 bytes
Signing Certificate: CaliSync Instrumentation GmbH (SN 4A9F02B1)
Certificate Status: REVOKED 2025-11-14
Technique: Direct Kernel Object Manipulation (DKOM)
Hook: NtQuerySystemInformation -- filtering own entries from process list

---

Process List Comparison
Standard tasklist.exe:   87 processes
Hardware enumeration:    92 processes
Hidden PIDs: 4028, 4031, 4038, 4041, 4099
PID 4028: ESTABLISHED connection to 203.0.113.44:443
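The cross-view check behind the numbers above, as an added Python example that is not part of the handout: it diffs a tasklist excerpt (the API path the hook filters) against a hardware-enumeration listing (process objects read straight from memory) and attaches netstat-style connection rows to each PID that appears only in the memory view. All three inputs are constructed sample data; process names, EPROCESS addresses and local addresses are invented, and only the hidden PIDs and the 203.0.113.44:443 connection come from the handout.

```python
import csv
import io
import re

# Constructed excerpt of `tasklist /FO CSV` output (the API view the rootkit filters).
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","148 K"
"sapstartsrv.exe","2216","Services","0","88,112 K"
"""

# Constructed hardware-assisted enumeration: one line per process object found by
# walking kernel memory from the hypervisor, bypassing the hooked syscall.
HW_ENUM = """\
pid=4 eprocess=0xffff8e0b11c40040
pid=2216 eprocess=0xffff8e0b13400080
pid=4028 eprocess=0xffff8e0b15e00080
pid=4031 eprocess=0xffff8e0b15e12080
pid=4038 eprocess=0xffff8e0b15e24080
pid=4041 eprocess=0xffff8e0b15e36080
pid=4099 eprocess=0xffff8e0b15e48080
"""

# Constructed `netstat -ano` style rows: proto, local, remote, state, owning PID.
NETSTAT = """\
TCP    10.0.0.5:49812    203.0.113.44:443    ESTABLISHED    4028
TCP    10.0.0.5:3200     10.0.0.17:50211     ESTABLISHED    2216
"""

def api_pids(tasklist_csv):
    """PIDs as reported through the (hookable) Windows API path."""
    return {int(row["PID"]) for row in csv.DictReader(io.StringIO(tasklist_csv))}

def hw_pids(enum_text):
    """PIDs recovered by direct memory enumeration."""
    return {int(m.group(1)) for m in re.finditer(r"^pid=(\d+)", enum_text, re.M)}

def connections_by_pid(netstat_text):
    """Map owning PID -> list of 'remote state' strings."""
    out = {}
    for parts in (line.split() for line in netstat_text.splitlines()):
        if len(parts) == 5 and parts[0] in ("TCP", "UDP"):
            out.setdefault(int(parts[4]), []).append(f"{parts[2]} {parts[3]}")
    return out

def cross_view(tasklist_csv, enum_text, netstat_text):
    """Return hidden PIDs (in memory, absent from the API view) with their connections."""
    hidden = hw_pids(enum_text) - api_pids(tasklist_csv)
    conns = connections_by_pid(netstat_text)
    return {pid: conns.get(pid, []) for pid in sorted(hidden)}
```

Calling cross_view(TASKLIST_CSV, HW_ENUM, NETSTAT) yields the five hidden PIDs, with 4028 carrying the 203.0.113.44:443 ESTABLISHED connection and the others none.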

---

HANSEN-SAP-01 Server Status
Scheduled decommission:  2024-09-01
Current date:            2026-03-10
Overdue:                 18 months
Network connectivity:    ACTIVE
Security patch level:    Not updated since 2024-08-15
SOC monitoring:          EXCLUDED (decommission-backlog exclusion)
ITSM blocker:            ITSM-29847 (open, last updated 2024-11-02)

IM NOTES (Do Not Show to Players):

  • The DKOM technique explains why all prior disk scans returned clean – the rootkit intercepted the queries before they could reveal its presence.
  • The revoked certificate predates the CaliSyncPro update deployment by 4 months – a live OCSP check at deployment time would have blocked the installation.
  • HANSEN-SAP-01 was excluded from active SOC monitoring as a decommission-backlog system, removing the last detection layer.

IM Facilitation Notes

  • Release when participants ask for technical evidence from HANSEN-SAP-01 or ask why disk scans were clean.
  • Use this handout to drive discussion on kernel-level persistence, decommissioning backlog risk, and memory-based vs disk-based detection.