Title: Discovering and Rendering In-memory Forensics Information with Confidence

Abstract: Traditional computer forensics has mainly focused on uncovering evidence from non-volatile storage (e.g., disks). However, investigators have increasingly realized the value of evidence in a computer's memory image, which contains "live" evidence left by program execution, such as recent chat contents, logins, and photos viewed. In this talk, I will report results from our memory forensics research enabled by probabilistic inference methods. First, I will present a method that discovers instances of a program's data structure in a memory image, based on probabilistic inference over a set of Boolean constraints generated from data structure definitions and memory contents. Second, I will present a system that enables recognition and rendering of photographic evidence (e.g., pictures, previews, and videos) from Android phone memory images, despite vendor-specific data structure customizations. Finally, to put memory forensics in the bigger picture, I will briefly present our ongoing development of an integrated, binary-centric framework for advanced persistent threat (APT) investigation, which covers the temporal, spatial, and behavioral aspects of APT forensics. This is joint work with Xiangyu Zhang.

Bio: Dongyan Xu is a professor of computer science and a University Faculty Scholar at Purdue University. He is also affiliated with the Center for Education and Research in Information Assurance and Security (CERIAS). He has been on the Purdue faculty since 2001, when he received his Ph.D. in computer science from the University of Illinois at Urbana-Champaign. His research spans computer systems security and forensics, cloud computing, and virtualization, with projects sponsored by both government agencies and industry. He is the co-author of six award-winning papers at major conferences in security and cloud computing.
Venue: GCASR 2016 (Presentations)
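The constraint-based discovery sketched in the abstract, as an added illustration rather than the talk's own system or code: a hypothetical 16-byte record layout is turned into four Boolean constraints, each paired with an assumed rate at which genuine instances and unrelated heap data satisfy it, and a naive-Bayes style combination of those rates yields a per-offset confidence over a constructed memory image. The record layout, the load address, the satisfaction rates, the prior and the planted records are all assumptions chosen for the example; the talk's inference over constraint sets is more general than this per-constraint independence model, which is only meant to show why a scan that weighs constraints probabilistically ranks a genuine record above a partially plausible one instead of demanding that every check pass.

```python
"""Constraint-based scan for candidate struct instances in a memory image.

Added example (not the talk's system): a struct definition becomes a set of
Boolean constraints, each weighted by how often a genuine instance versus
unrelated heap data satisfies it; combining the likelihood ratios per offset
gives a confidence that an instance starts there.
"""
import random
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Hypothetical 32-bit little-endian record layout (assumed for the example,
# not a real application's struct):
#   uint32 timestamp; uint32 text_len; uint32 text_ptr; uint32 next_ptr;
FMT = "<IIII"
SIZE = struct.calcsize(FMT)          # 16 bytes

IMAGE_SIZE = 4096                    # constructed memory image, 4 KiB
HEAP_BASE = 0x0800_0000              # assumed load address of that image
HEAP_END = HEAP_BASE + IMAGE_SIZE
TS_MIN, TS_MAX = 1_262_304_000, 1_577_836_800   # 2010-01-01 .. 2020-01-01 UTC
PRIOR = 1e-3                         # P(an instance starts at a given aligned offset)

Fields = Tuple[int, int, int, int]


@dataclass(frozen=True)
class Constraint:
    """One Boolean constraint derived from the struct definition.

    p_true:   P(constraint holds | offset is a genuine instance)
    p_random: P(constraint holds | offset holds unrelated heap data)
    Both are assumed, rough rates chosen for this example.
    """
    name: str
    holds: Callable[[Fields], bool]
    p_true: float
    p_random: float


def in_heap(p: int) -> bool:
    """A pointer is plausible if it lands in the image and is 4-byte aligned."""
    return HEAP_BASE <= p < HEAP_END and p % 4 == 0


CONSTRAINTS: List[Constraint] = [
    Constraint("timestamp in plausible window", lambda f: TS_MIN <= f[0] <= TS_MAX, 0.99, 0.07),
    Constraint("text_len small and nonzero", lambda f: 0 < f[1] <= IMAGE_SIZE, 0.99, 0.30),
    Constraint("text_ptr points into heap", lambda f: in_heap(f[2]), 0.99, 0.10),
    Constraint("next_ptr null or into heap", lambda f: f[3] == 0 or in_heap(f[3]), 0.95, 0.10),
]


def confidence(fields: Fields) -> float:
    """Posterior probability that `fields` is a genuine instance.

    Naive-Bayes style: start from the prior odds and multiply in the
    likelihood ratio of each constraint's outcome (satisfied or violated),
    so one violated constraint lowers the score without vetoing the offset.
    """
    odds = PRIOR / (1.0 - PRIOR)
    for c in CONSTRAINTS:
        if c.holds(fields):
            odds *= c.p_true / c.p_random
        else:
            odds *= (1.0 - c.p_true) / (1.0 - c.p_random)
    return odds / (1.0 + odds)


def scan(image: bytes, threshold: float = 0.5) -> Dict[int, float]:
    """Return {offset: confidence} for every aligned offset at or above threshold."""
    hits: Dict[int, float] = {}
    for off in range(0, len(image) - SIZE + 1, 4):
        fields = struct.unpack_from(FMT, image, off)
        conf = confidence(fields)
        if conf >= threshold:
            hits[off] = conf
    return hits


def build_image() -> bytes:
    """Constructed 4 KiB image: seeded random filler plus planted records."""
    rng = random.Random(7)
    buf = bytearray(rng.getrandbits(8) for _ in range(IMAGE_SIZE))
    # Two genuine records forming a linked list; text bodies live elsewhere in the heap.
    struct.pack_into(FMT, buf, 0x100, 1_500_000_000, 23, HEAP_BASE + 0x800, HEAP_BASE + 0x200)
    struct.pack_into(FMT, buf, 0x200, 1_500_000_060, 11, HEAP_BASE + 0x900, 0)
    # A freed/uninitialised-looking record: zero timestamp, otherwise plausible.
    struct.pack_into(FMT, buf, 0x300, 0, 5, HEAP_BASE + 0xA00, 0)
    return bytes(buf)


if __name__ == "__main__":
    for off, conf in sorted(scan(build_image()).items()):
        print(f"candidate at +0x{off:04x}: confidence {conf:.3f}")
```

Running the module reports the two planted records at +0x100 and +0x200 with a confidence above 0.8, while the zero-timestamp record at +0x300 scores below one percent and no filler offset reaches the threshold. The rates in `CONSTRAINTS` are the part an analyst has to estimate from the program's definitions and representative images; the `p_random` values here are deliberately pessimistic for heap memory (small integers and heap pointers are far more common there than in uniform random bytes), so the scan is conservative about promoting chance matches.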