Brendan Saltaformaggio - Purdue University
Students: Fall 2021, unless noted otherwise, sessions will be virtual on Zoom.
DSCRETE: Automatic Rendering of Forensic Information from Memory Images via Application Logic Reuse
Sep 03, 2014Download: MP4 Video Size: 117.0MB
Watch on YouTube
AbstractState-of-the-art memory forensics involves signature-based scanning of memory images to uncover data structure instances of interest to investigators. A largely unaddressed challenge is that investigators may not be able to interpret the content of data structure fields, even with a deep understanding of the data structure’s syntax and semantics. For example, an investigator may know that a buffer field is holding a photo image, but still cannot display (and hence understand) the image. We call this the data structure content reverse engineering challenge. In this talk, we present DSCRETE, a system that enables automatic interpretation and rendering of in-memory data structure contents. DSCRETE is based on the observation that the application in which a data structure is defined usually contains interpretation and rendering logic to generate human-understandable output for that data structure. Hence DSCRETE aims to identify and reuse such logic in the program’s binary and create a “scanner+renderer” tool for scanning and rendering instances of the data structure in a memory image. We will show that DSCRETE is able to recover a variety of application data — e.g., images, figures, screenshots, user accounts, and formatted files and messages — with high accuracy. The raw contents of such data would otherwise be unfathomable to human investigators.
About the Speaker
Brendan Saltaformaggio is a Ph.D. student in the Department of Computer Science at Purdue University. His research focuses on the application of binary analysis techniques to digital forensics problems. Most recently, his work on data structure content reverse engineering won the Best Student Paper Award at Usenix Security 2014. Brendan earned a BS with Honors in Computer Science from the University of New Orleans. Prior to joining Purdue, Brendan was a digital forensics researcher at MIT Lincoln Labs (2012) and the Greater New Orleans Center for Information Assurance (2011).