Research

Members of the Digital Forensics Solutions team have done extensive research in the fields of computer security and digital forensics. Listed below are selected presentations and publications along with a brief description and URL at which they can be accessed.

Android Mind Reading: Memory Acquisition and Analysis with DMD and Volatility, ShmooCon 2012
Slides from a presentation at ShmooCon 2012 in Washington, DC discussing our research on Android memory acquisition and analysis.

Acquisition and Analysis of Volatile Memory from Android Devices, Digital Investigation Journal, 2012
The Android operating system for mobile phones, which is still relatively new, is rapidly gaining market share, with dozens of smartphones and tablets either released or set to be released. In this paper, we present the first methodology and toolset for acquisition and deep analysis of volatile physical memory from Android devices. The paper discusses some of the challenges in performing Android memory acquisition, describes our new kernel module for dumping memory, named dmd, and specifically addresses the difficulties in developing device-independent acquisition tools. Our acquisition tool supports dumping memory either to the SD card on the phone or over the network. We also present analysis of kernel structures using newly developed Volatility functionality. The results of this work illustrate the potential that deep memory analysis offers to digital forensics investigators.

Investigating Coordinated Data Exfiltration, GFIRST 2011
Slides from a presentation at GFIRST 2011 in Nashville, TN explaining how to do data exfiltration forensics.

Linux Memory Analysis with Volatility, Open Memory Forensics Workshop 2011
Slides from Andrew Case's talk at the 2011 Open Memory Forensics Workshop on Volatility support for Linux.

Memory Analysis of the Dalvik (Android) Virtual Machine, SOURCE Seattle 2011
Within a year of being released, Android has exploded in the mobile market and is expected to overtake it in 2011. Due to the widespread adoption of Android, it is vital that the forensics community has the ability to analyze devices using it. While applications exist that can analyze Android’s filesystem, no tool exists for application memory analysis. Memory forensics allows for complete recovery of allocated data structures and variables and partial recovery of deallocated objects. During this presentation, we will present the first public analysis of Android’s Dalvik virtual machine, which is used to execute all Android applications. This will include the design of the Dalvik VM and how arbitrary class instances and members can be located within an application’s memory, and how this leads to recovery of a wealth of forensically interesting information. We will also discuss the feasibility of recovering previously deleted objects related to these applications.



De-Anonymizing Live CDs through Physical Memory Analysis, Blackhat DC 2011
Traditional digital forensics encompasses the examination of data from an offline or “dead” source such as a disk image. Since the filesystem is intact on these images, a number of forensics techniques are available for analysis such as file and metadata examination, timelining, deleted file recovery, indexing, and searching. Live CDs present a serious problem for this investigative model, however, since the OS and applications execute in a RAM-only environment and do not save data on non-volatile storage devices such as the local disk. In order to solve this problem, we present a number of techniques that support complete recovery of a live CD’s in-memory filesystem and partial recovery of its deleted contents. We also present memory analysis of the popular Tor application, since it is used by a number of live CDs in an attempt to keep network communications encrypted and anonymous.

The slides for this talk are available here



Dynamic Recreation of Kernel Data Structures for Live Forensics, DFRWS 2010
This paper describes techniques developed to allow automatic adaptation of memory analysis tools to a wide range of kernel versions. Dynamic reconstruction of kernel data structures is obtained by analyzing the memory dump for the instructions that reference needed kernel structure members. The ability to dynamically recreate C structures used within the kernel allows for a large amount of information to be obtained and processed.



Treasure and Tragedy in kmem_cache Mining for Live Forensics Investigation, DFRWS 2010
This paper presents the first deep investigation of the kmem_cache facility in Linux from a forensics perspective. The kmem_cache is used by the Linux kernel to quickly allocate and deallocate kernel structures associated with processes, files, and the network stack. Our focus is on deallocated information that remains in the cache, and the major contribution of this paper is to illustrate what forensically relevant information can be retrieved from the kmem_cache and what information is definitively not retrievable. We show that the kmem_cache contains a wealth of digital evidence, much of which was either previously unavailable or difficult to obtain, requiring ad hoc methods for extraction.


MMR: A Platform for Large-Scale Forensic Computing, IFIP 2009
The timely processing of large-scale digital forensic targets demands the employment of large-scale distributed resources, as well as the flexibility to customize the processing performed on the target. We present MMR, a new, open implementation of the MapReduce processing model, which significantly outperforms prior work on typical forensic tasks. It demonstrates linear scaling for CPU-intensive processing and even super-linear scaling for indexing-related workloads.


FACE: Automated Digital Evidence Discovery and Correlation, DFRWS 2008
In this work, we present FACE, a framework for automatic evidence discovery and correlation from a variety of forensic targets. Our prototype implementation demonstrates the integrated analysis and correlation of a disk image, memory image, network capture, and configuration log files. The results of this analysis are presented as a coherent view of the state of a target system, allowing investigators to quickly understand it. We also present an advanced open source memory analysis tool, ramparser, for the automated analysis of Linux systems.


Hash-based Classification of Data: Class-based Similarity Hashing, IFIP 2008
This paper introduces “class-aware similarity hashes” or “classprints,” which are an outgrowth of recent work on similarity hashing. The approach builds on the notion of context-based hashing to create a framework for identifying data types based on content and for building characteristic similarity hashes for individual data items that can be used for correlation. The principal benefits are that data classification can be fully automated and that a priori knowledge of the underlying data is not necessary beyond the availability of a suitable training set.


Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools, DFRWS 2007
This paper presents the results of a number of experiments that evaluate the effectiveness of offloading processing common to digital forensics tools to a GPU, using “massive” numbers of threads to parallelize the computation. These results are compared to the speedups obtainable with simple threading schemes appropriate for multicore CPUs. Our results indicate that in many cases, the use of GPUs can substantially increase the performance of digital forensics tools.


Multi-Resolution Similarity Hashing, DFRWS 2007
In this paper, we discuss a new approach to one of the basic operations that is invariably applied to raw data – hashing. The essential idea is to produce an efficient and scalable hashing scheme that can be used to supplement the traditional cryptographic hashing during the initial pass over the raw evidence. The goal is to retain enough information to allow binary data to be queried for similarity at various levels of granularity without any further pre-processing/indexing. The specific solution we propose, called a multi-resolution similarity hash (or MRS hash), is a generalization of recent work in the area.


In-place File Carving, IFIP 2007
Current generation file carvers make copies of recovered files. Unfortunately, it is common to end up with a large volume of false positives during a file carving operation. These false positives are junk files that have invalid formats and can consume a large amount of disk space. In this paper, we present an in-place approach to file carving, which allows inspection of recovered files without actually copying file contents. This results in significant reduction in storage requirements (even in pathological cases), much shorter turnaround times, and opens up new opportunities to perform on-the-spot screening of evidence.


Forensic Discovery Auditing of Digital Evidence Containers, Journal of Digital Investigation 2007