Analyzing Bootkit and Rootkit Samples

When to Use

• A system shows signs of compromise that persist through OS reinstallation
• Antivirus and EDR are unable to detect malware despite clear evidence of compromise
• UEFI Secure Boot has been disabled or shows integrity violations
• Memory forensics reveals rootkit behavior (hidden processes, hooked system calls)
• Investigating nation-state level threats known to deploy bootkits (APT28, APT41, Equation Group)

Do not use for standard user-mode malware; bootkits and rootkits operate at a fundamentally different level requiring specialized analysis techniques.

Prerequisites