Brendan Saltaformaggio - Purdue University

Sep 03, 2014

Size: 117.0MB

Download: Video Icon MP4 Video  
Watch in your Browser   Watch on Youtube Watch on YouTube

"DSCRETE: Automatic Rendering of Forensic Information from Memory Images via Application Logic Reuse"


State-of-the-art memory forensics involves signature-based scanning of memory images to uncover data structure instances of interest to investigators. A largely unaddressed challenge is that investigators may not be able to interpret the content of data structure fields, even with a deep understanding of the data structure’s syntax and semantics. For example, an investigator may know that a buffer field is holding a photo image, but still cannot display (and hence understand) the image. We call this the data structure content reverse engineering challenge. In this talk, we present DSCRETE, a system that enables automatic interpretation and rendering of in-memory data structure contents. DSCRETE is based on the observation that the application in which a data structure is defined usually contains interpretation and rendering logic to generate human-understandable output for that data structure. Hence DSCRETE aims to identify and reuse such logic in the program’s binary and create a “scanner+renderer” tool for scanning and rendering instances of the data structure in a memory image. We will show that DSCRETE is able to recover a variety of application data — e.g., images, figures, screenshots, user accounts, and formatted files and messages — with high accuracy. The raw contents of such data would otherwise be unfathomable to human investigators.

About the Speaker

Brendan Saltaformaggio is a Ph.D. student in the Department of Computer Science at Purdue University. His research focuses on the application of binary analysis techniques to digital forensics problems. Most recently, his work on data structure content reverse engineering won the Best Student Paper Award at Usenix Security 2014. Brendan earned a BS with Honors in Computer Science from the University of New Orleans. Prior to joining Purdue, Brendan was a digital forensics researcher at MIT Lincoln Labs (2012) and the Greater New Orleans Center for Information Assurance (2011).

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30P.M. STEW G52 (Suite 050B), West Lafayette Campus. More information...