GCASR 2016 > Presentations

Discovering and Rendering In-memory Forensics Information with Confidence


Traditional computer forensics has mainly focused on uncovering evidence 
from non-volatile storage (e.g., disks). However, investigators have 
increasingly realized the value of evidence in a computer's memory image, 
which contains "live" evidence left by program execution, such as recent 
chat contents, logins, and photos viewed. In this talk, I will report 
results from our memory forensics research enabled by probabilistic 
inference methods. First, I will present a method that discovers instances 
of a program's data structure in a memory image, based on probabilistic 
inference on a set of Boolean constraints generated from data structure 
definitions and memory contents. Second, I will present a system that 
enables recognition and rendering of photographic evidence (e.g., 
pictures, previews, and videos) from Android phone memory images, despite 
vendor-specific data structure customizations. Finally, to put memory 
forensics in a bigger picture, I will briefly present our ongoing 
development of an integrated, binary-centric framework for advanced 
persistent threat (APT) investigation, which covers the temporal, spatial, 
and behavioral aspects of APT forensics. This is joint work with Xiangyu

Dongyan Xu is a professor of computer science and a University Faculty 
Scholar at Purdue University. He is also affiliated with the Center for 
Education and Research in Information Assurance and Security (CERIAS). He 
has been on the Purdue faculty since 2001, when he received his Ph.D. in
computer science from the University of Illinois at Urbana-Champaign. His 
research efforts span computer systems security and forensics, cloud 
computing, and virtualization, with projects sponsored by both government 
agencies and industry. He is the co-author of six award-winning papers at 
major conferences in security and cloud computing.