He explains all the common steps:
- Dump the memory with lime.
- List hidden processes.
- File descriptors opened by the hidden process ( open sockets!).
- Network connections.
- Hooked system callas
At the end of the post, Andre Case makes a complete forensic analysis of the kernel modules and the binaries used to inject the rootkit.