Research

Members of the Digital Forensics Solutions team have done extensive research in the fields of computer security and digital forensics. Listed below are selected presentations and publications along with a brief description and URL at which they can be accessed.

Android Mind Reading: Memory Acquisition and Analysis with DMD and Volatility, ShmooCon 2012
Slides from a presentation at ShmooCon 2012 in Washington, DC discussing our research on Android memory acquisition and analysis.

Acquisition and Analysis of Volatile Memory from Android Devices, Digital Investigation Journal, 2012
The Android operating system for mobile phones, which is still relatively new, is rapidly gaining market share, with dozens of smartphones and tablets either released or set to be released. In this paper, we present the first methodology and toolset for acquisition and deep analysis of volatile physical memory from Android devices. The paper discusses some of the challenges in performing Android memory acquisition, describes our new kernel module for dumping memory, named dmd, and specifically addresses the difficulties in developing device-independent acquisition tools. Our acquisition tool supports dumping memory either to the SD card on the phone or over the network. We also present analysis of kernel structures using newly developed Volatility functionality. The results of this work illustrate the potential that deep memory analysis offers to digital forensics investigators.

Investigating Coordinated Data Exfiltration, GFIRST 2011
Slides from a presentation at GFIRST 2011 in Nashville, TN explaining how to do data exfiltration forensics.

Linux Memory Analysis with Volatility, Open Memory Forensics Workshop 2011
Slides from Andrew Case's talk at the 2011 Open Memory Forensics Workshop on Volatility support for Linux.

Memory Analysis of the Dalvik (Android) Virtual Machine, SOURCE Seattle 2011
Within a year of being released, Android has exploded in the mobile market and is expected to overtake it in 2011. Due to the widespread adoption of Android, it is vital that the forensics community has the ability to analyze devices using it. While applications exist that can analyze Android’s filesystem, no tool exists for application memory analysis. Memory forensics allows for complete recovery of allocated data structures and variables and partial recovery of deallocated objects. During this presentation, we will present the first public analysis of Android’s Dalvik virtual machine, which is used to execute all Android applications. This will include the design of the Dalvik VM and how arbitrary class instances and members can be located within an application’s memory, and how this leads to recovery of a wealth of forensically interesting information. We will also discuss the feasibility of recovering previously deleted objects related to these applications.

De-Anonymizing Live CDs through Physical Memory Analysis, Blackhat DC 2011
Traditional digital forensics encompasses the examination of data from an offline or “dead” source such as a disk image. Since the filesystem is intact on these images, a number of forensics techniques are available for analysis such as file and metadata examination, timelining, deleted file recovery, indexing, and searching. Live CDs present a serious problem for this investigative model, however, since the OS and applications execute in a RAM-only environment and do not save data on non-volatile storage devices such as the local disk. In order to solve this problem, we present a number of techniques that support complete recovery of a live CD’s in-memory filesystem and partial recovery of its deleted contents. We also present memory analysis of the popular Tor application, since it is used by a number of live CDs in an attempt to keep network communications encrypted and anonymous.

The slides for this talk are available here

Dynamic Recreation of Kernel Data Structures for Live Forensics, DFRWS 2010
This paper describes techniques developed to allow automatic adaptation of memory analysis tools to a wide range of kernel versions. Dynamic reconstruction of kernel data structures is obtained by analyzing the memory dump for the instructions that reference needed kernel structure members. The ability to dynamically recreate C structures used within the kernel allows for a large amount of information to be obtained and processed.

Treasure and Tragedy in kmem_cache Mining for Live Forensics Investigation, DFRWS 2010
This paper presents the first deep investigation of the kmem_cache facility in Linux from a forensics perspective. The kmem_cache is used by the Linux kernel to quickly allocate and deallocate kernel structures associated with processes, files, and the network stack. Our focus is on deallocated information that remains in the cache, and the major contribution of this paper is to illustrate what forensically relevant information can be retrieved from the kmem_cache and what information is definitively not retrievable. We show that the kmem_cache contains a wealth of digital evidence, much of which was either previously unavailable or difficult to obtain, requiring ad hoc methods for extraction.