CERIAS - Center for Education and Research in Information Assurance and Security

Purdue University

Reports and Papers Archive



Convicted by Memory: Automatically Recovering Spatial-Temporal Evidence from Memory Images

Brendan Dominic Saltaformaggio

Memory forensics can reveal “up to the minute” evidence of a device’s usage, often without requiring a suspect’s password to unlock the device, and it is oblivious to any persistent storage encryption schemes, e.g., whole disk encryption. Prior to my work, researchers and investigators alike considered data-structure recovery the ultimate goal of memory image forensics. This, however, was far from sufficient, as investigators were still largely unable to understand the content of the recovered evidence, and hence efficiently locating and accurately analyzing such evidence locked in memory images remained an open research challenge. In this dissertation, I propose breaking from traditional data-recovery-oriented forensics, and instead I present a memory forensics framework which leverages program analysis to automatically recover spatial-temporal evidence from memory images by understanding the programs that generated it. This framework consists of four techniques, each of which builds upon the discoveries of the previous, that represent this new paradigm of program-analysis-driven memory forensics. First, I present DSCRETE, a technique which reuses a program’s own interpretation and rendering logic to recover and present in-memory data structure contents. Following that, VCR developed vendor-generic data structure identification for the recovery of in-memory photographic evidence produced by an Android device’s cameras. GUITAR then realized an app-independent technique which automatically reassembles and redraws an app’s GUI from the multitude of GUI data elements found in a smartphone’s memory image. Finally, different from any traditional memory forensics technique, RetroScope introduced the vision of spatial-temporal memory forensics by retargeting an Android app’s execution to recover sequences of previous GUI screens, in their original temporal order, from a memory image.
This framework, and the new program analysis techniques which enable it, have introduced encryption-oblivious forensics capabilities far exceeding traditional data-structure recovery.

Added 2017-02-16

Rating Maintenance Phase Program Document

National Computer Security Association
Added 2017-01-19

Guidelines for Formal Verification Systems

National Computer Security Association
Added 2017-01-19

A Guide to Understanding Trusted Distribution in Trusted Systems

National Computer Security Association
Added 2017-01-19

A Guide to Understanding Design Documentation in Trusted Systems

National Computer Security Association
Added 2017-01-19

A Guide to Understanding Configuration Management in Trusted Systems

National Computer Security Association
Added 2017-01-19

Trusted Network Interpretation

National Computer Security Association
Added 2017-01-19

A Guide to Understanding Security Modeling in Trusted Systems

National Computer Security Association
Added 2017-01-10

A Guide to Understanding Object Reuse in Trusted Systems

National Computer Security Association
Added 2017-01-10

A Guide to Understanding Discretionary Access Control in Trusted Systems

National Computer Security Association
Added 2017-01-10

Assessing Controlled Access Protection

National Computer Security Association
Added 2017-01-10