11-20-2017 Writer(s): Kristyn Childres
Purdue alumnus Brendan Saltaformaggio (Ph.D. ’16), now an assistant professor at the Georgia Institute of Technology, won the 2017 ACM SIGSAC Doctoral Dissertation Award, which was presented in early November at ACM CCS 2017. The award recognizes excellent research by recent Ph.D. graduates in the field of computer and information security.
In his Ph.D. thesis, “Convicted by memory: Automatically recovering spatial-temporal evidence from memory images,” Saltaformaggio presents a memory forensics framework that leverages program analysis to recover evidence from memory images by understanding the programs that generated it.
Since 2008, the U.S. federal government has filed an unprecedented 70 orders under the All Writs Act to compel Apple or Google to provide assistance in ongoing criminal investigations. This practice reveals an unnerving truth about the current state of cyber forensics: authorities lack the techniques necessary to investigate cyber-crimes without the explicit introduction of backdoors by which to obtain evidence.
After years of exclusively investigating persistent storage (e.g., hard disk drives), cyber forensics investigators have only recently begun turning their attention to the wealth of forensic evidence stored in a device’s volatile memory (RAM). Memory forensics can reveal “up to the minute” evidence of a device’s usage, often without requiring a suspect’s password to unlock the device. But, prior to Saltaformaggio’s work, efficiently locating and accurately analyzing the evidence locked in memory images remained an open research challenge. Saltaformaggio’s dissertation directly addresses this problem, presenting an evidence recovery framework that consists of four techniques (each one building on the discoveries of the last).
The first technique, DSCRETE, recovers and presents in-memory data structure contents. The second, VCR, recovers in-memory photographic evidence produced by an Android device’s cameras. The third, GUITAR, automatically reassembles and redraws an app’s graphical user interface (GUI) from the GUI data elements found in the phone’s memory image. The final technique, RetroScope, recovers sequences of previous GUI screens, in their original temporal order, from a memory image. It selectively reanimates an app’s screen redrawing functionality without requiring any app-specific knowledge.
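To make the first task concrete, the following is an added illustration (not code from the article, from the dissertation, or from any of the tools it names) of what "recovering in-memory data structure contents" looks like at its simplest: a constructed byte buffer stands in for a captured RAM image, a hypothetical 48-byte `contact` record layout is assumed, and the image is scanned for offsets whose bytes satisfy the layout's invariants (a fixed magic value, a plausible timestamp window, a printable NUL-terminated name, a restricted flags field). Every match is decoded into a readable record. This is a signature-and-constraint scan of the kind earlier memory-forensics tools rely on; it deliberately does not reproduce DSCRETE's program-analysis approach, which derives the interpretation from the program that produced the data rather than from a hand-written layout.

```python
"""
Toy data-structure recovery from a memory image (added illustration).

A constructed buffer plays the role of a RAM capture. We assume a
hypothetical 'contact' record layout and scan for every offset whose
bytes satisfy that layout's invariants, then decode the survivors.
This is a signature/constraint scan, not DSCRETE's program-analysis method.
"""
import struct

# Hypothetical record layout (little-endian, 48 bytes), assumed for the example:
#   uint32 magic        -- always 0xC0FFEE01 in live records
#   uint32 record_id    -- small positive integer
#   uint64 timestamp    -- Unix seconds, must fall in a plausible window
#   char   name[24]     -- NUL-terminated printable ASCII
#   uint32 flags        -- only the low 3 bits may be set
#   uint32 padding
RECORD_FMT = "<IIQ24sII"
RECORD_SIZE = struct.calcsize(RECORD_FMT)  # 48
MAGIC = 0xC0FFEE01
MAGIC_BYTES = struct.pack("<I", MAGIC)
TS_MIN, TS_MAX = 1_400_000_000, 1_600_000_000  # roughly 2014..2020


def make_record(record_id, timestamp, name, flags):
    """Pack one well-formed record (used only to build the sample image)."""
    return struct.pack(RECORD_FMT, MAGIC, record_id, timestamp,
                       name.encode("ascii").ljust(24, b"\x00"), flags, 0)


def build_sample_image():
    """Constructed 'memory image': two live records, filler bytes, and a decoy
    that carries the magic value but violates the other invariants."""
    noise = bytes(range(256)) * 2
    decoy = struct.pack(RECORD_FMT, MAGIC, 7, 99, b"\xff" * 24, 0xFFFF, 0)
    return (noise[:37] + make_record(1, 1_510_000_000, "alice", 0b101)
            + noise + decoy + noise[:13]
            + make_record(2, 1_511_000_000, "bob", 0b010) + noise[:90])


def _is_printable_cstring(raw):
    """True if raw holds a non-empty, NUL-terminated, printable-ASCII string."""
    end = raw.find(b"\x00")
    if end <= 0:
        return False
    return all(0x20 <= b < 0x7F for b in raw[:end])


def record_ok(fields):
    """Field-level invariants a genuine record must satisfy."""
    magic, record_id, ts, name, flags, _pad = fields
    return (magic == MAGIC
            and 0 < record_id < 1_000_000
            and TS_MIN <= ts <= TS_MAX
            and _is_printable_cstring(name)
            and flags & ~0b111 == 0)


def scan_image(image, alignment=1):
    """Return [(offset, decoded_record), ...] for every offset whose bytes
    satisfy the record invariants. The cheap magic check runs first so the
    full unpack only happens at candidate offsets."""
    hits = []
    for off in range(0, len(image) - RECORD_SIZE + 1, alignment):
        if image[off:off + 4] != MAGIC_BYTES:
            continue
        fields = struct.unpack_from(RECORD_FMT, image, off)
        if record_ok(fields):
            _, rid, ts, name, flags, _ = fields
            hits.append((off, {
                "id": rid,
                "timestamp": ts,
                "name": name.split(b"\x00", 1)[0].decode("ascii"),
                "flags": flags,
            }))
    return hits


if __name__ == "__main__":
    for off, rec in scan_image(build_sample_image()):
        print(f"0x{off:06x}: {rec}")
```

Running the script reports the two live records and silently discards the decoy, because its timestamp, name and flags fail the invariants even though its magic value matches. The weakness this illustrates is exactly the one the article points at: every constraint here had to be written by hand from a known layout, so the scan is only as good as the analyst's prior knowledge of the program, which is what a program-analysis-driven recovery technique removes as a prerequisite.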
“I’m deeply honored to receive this award. This is a wonderful culmination of all the challenges and perseverance that went into my dissertation, which I am proud to say truly pushed the state-of-the-art in this field,” said Saltaformaggio.
“These techniques introduce encryption-oblivious forensics capabilities that far exceed traditional data-structure recovery. They will be crucial in investigating major cyber crimes in the future,” Saltaformaggio’s co-advisors, Professors Dongyan Xu and Xiangyu Zhang in the Department of Computer Science and CERIAS, agreed.
Saltaformaggio earned his master’s and Ph.D. in computer science from Purdue and then spent six months as a post-doc researcher with Professor Xu. His work has been awarded the Best Student Paper Award at USENIX Security 2014 and the Best Paper Award at ACM CCS 2015. His Ph.D. research was partially funded via the 2016 Symantec Research Labs Graduate Fellowship, and he was named the inaugural recipient of the Emil Stefanov Memorial Fellowship. In July 2017, he joined the School of Electrical and Computer Engineering at the Georgia Institute of Technology as an assistant professor.