DSCRETE: Automatic Rendering of Forensic Information from Memory Images via Application Logic Reuse
Brendan Saltaformaggio - Purdue University
Sep 03, 2014Size: 117.0MB
Download: MP4 Video
Watch in your Browser Watch on YouTube
AbstractState-of-the-art memory forensics involves signature-based scanning of memory images to uncover data structure instances of interest to investigators. A largely unaddressed challenge is that investigators may not be able to interpret the content of data structure fields, even with a deep understanding of the data structure’s syntax and semantics. For example, an investigator may know that a buffer field is holding a photo image, but still cannot display (and hence understand) the image. We call this the data structure content reverse engineering challenge. In this talk, we present DSCRETE, a system that enables automatic interpretation and rendering of in-memory data structure contents. DSCRETE is based on the observation that the application in which a data structure is defined usually contains interpretation and rendering logic to generate human-understandable output for that data structure. Hence DSCRETE aims to identify and reuse such logic in the program’s binary and create a “scanner+renderer” tool for scanning and rendering instances of the data structure in a memory image. We will show that DSCRETE is able to recover a variety of application data — e.g., images, figures, screenshots, user accounts, and formatted files and messages — with high accuracy. The raw contents of such data would otherwise be unfathomable to human investigators.
About the SpeakerBrendan Saltaformaggio is a Ph.D. student in the Department of Computer Science at Purdue University. His research focuses on the application of binary analysis techniques to digital forensics problems. Most recently, his work on data structure content reverse engineering won the Best Student Paper Award at Usenix Security 2014. Brendan earned a BS with Honors in Computer Science from the University of New Orleans. Prior to joining Purdue, Brendan was a digital forensics researcher at MIT Lincoln Labs (2012) and the Greater New Orleans Center for Information Assurance (2011).
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos, are the property of Purdue University, the presenter and/or the presenter’s organization, and protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.