Research

Members of the Digital Forensics Solutions team have done extensive research in the fields of computer security and digital forensics. Listed below are selected presentations and publications along with a brief description and URL at which they can be accessed.

Acquisition and Analysis of Volatile Memory from Android Devices, Digital Investigation Journal, 2012
The Android operating system for mobile phones, which is still relatively new, is rapidly gaining market share, with dozens of smartphones and tablets either released or set to be released. In this paper, we present the first methodology and toolset for acquisition and deep analysis of volatile physical memory from Android devices. The paper discusses some of the challenges in performing Android memory acquisition, discusses our new kernel module for dumping memory, named dmd, and specifically addresses the difficulties in developing device-independent acquisition tools. Our acquisition tool supports dumping memory to either the SD card on the phone or via the network. We also present analysis of kernel structures using newly developed Volatility functionality. The results of this work illustrate the potential that deep memory analysis offers to digital forensics investigators.

Investigating Coordinated Data Exfiltration, GFIRST 2011
DFS presented a case study on exfiltration forensics at GFIRST 2011 in Nashville, TN. Not all assailants are outside your organization. Our presentation covers the step-by-step process for investigating a coordinated data exfiltration. DFS provides a look at email, browsers, network shares, smart phones, and the ex-employee’s computer using a mix of custom scripts, digital gumshoe work and RegRipper to uncover the evidence needed to confirm that valuable data was purposely exfiltrated.

Linux Memory Analysis with Volatility, Black Hat 2011
DFS presented a three-hour workshop at Black Hat 2011 focused on using Volatility to perform Linux memory analysis investigations as well as Linux kernel internals. The workshop covered memory forensics and runtime recovery. The Volatility Framework is an open source collection of tools for digital investigation that is designed for extracting data from volatile memory samples (RAM).

Memory Analysis of the Dalvik (Android) Virtual Machine, SOURCE Seattle 2011
Within a year of being released, Android has exploded in the mobile market and is expected to overtake it in 2011. Due to the widespread adoption of Android, it is vital that the forensics community has the ability to analyze devices using it. While applications exist that can analyze Android’s filesystem, no tool exists for application memory analysis. Memory forensics allows for complete recovery of allocated data structures and variables and partial recovery of deallocated objects. During this presentation, we will present the first public analysis of Android’s Dalvik virtual machine, which is used to execute all Android applications. This will include the design of the Dalvik VM and how arbitrary class instances and members can be located within an application’s memory, and how this leads to recovery of a wealth of forensically interesting information. We will also discuss the feasibility of recovering previously deleted objects related to these applications.



De-Anonymizing Live CDs through Physical Memory Analysis, Black Hat D.C. 2011
Traditional digital forensics encompasses the examination of data from an offline or “dead” source such as a disk image. Since the filesystem is intact on these images, a number of forensics techniques are available for analysis such as file and metadata examination, timelining, deleted file recovery, indexing, and searching. Live CDs present a serious problem for this investigative model, however, since the OS and applications execute in a RAM-only environment and do not save data on non-volatile storage devices such as the local disk. In order to solve this problem, we present a number of techniques that support complete recovery of a live CD’s in-memory filesystem and partial recovery of its deleted contents. We also present memory analysis of the popular Tor application, since it is used by a number of live CDs in an attempt to keep network communications encrypted and anonymous.

The slides for this talk are available here



Dynamic Recreation of Kernel Data Structures for Live Forensics, DFRWS 2010
This paper describes techniques developed to allow automatic adaptation of memory analysis tools to a wide range of kernel versions. Dynamic reconstruction of kernel data structures is obtained by analyzing the memory dump for the instructions that reference needed kernel structure members. The ability to dynamically recreate C structures used within the kernel allows for a large amount of information to be obtained and processed.



Treasure and Tragedy in kmem_cache Mining for Live Forensics Investigation, DFRWS 2010
This paper presents the first deep investigation of the kmem_cache facility in Linux from a forensics perspective. The kmem_cache is used by the Linux kernel to quickly allocate and deallocate kernel structures associated with processes, files, and the network stack. Our focus is on deallocated information that remains in the cache, and the major contribution of this paper is to illustrate what forensically relevant information can be retrieved from the kmem_cache and what information is definitively not retrievable. We show that the kmem_cache contains a wealth of digital evidence, much of which was either previously unavailable or difficult to obtain, requiring ad hoc methods for extraction.