Title:
Convicted by Memory: Recovering Spatial-Temporal Digital Evidence from Memory Images

dc.contributor.author Saltaformaggio, Brendan D.
dc.contributor.corporatename Georgia Institute of Technology. Institute for Information Security & Privacy en_US
dc.contributor.corporatename Georgia Institute of Technology. School of Computer Science en_US
dc.contributor.corporatename Georgia Institute of Technology. School of Electrical and Computer Engineering en_US
dc.date.accessioned 2018-02-05T16:29:27Z
dc.date.available 2018-02-05T16:29:27Z
dc.date.issued 2018-01-19
dc.description Presented on January 19, 2018 at 12:00 p.m. in the Klaus Advanced Computing Building, room 2447. en_US
dc.description Brendan Saltaformaggio leads the CyFi Lab as assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology with a courtesy appointment in the School of Computer Science. His research interests are computer systems security and cyber forensics, including memory forensics, binary analysis and instrumentation, vetting of untrusted software, and mobile/IoT security. en_US
dc.description Runtime: 48:08 minutes en_US
dc.description.abstract Memory forensics is becoming a crucial capability in modern cyber forensic investigations. In particular, memory forensics can reveal "up to the minute" evidence of a device's usage, often without requiring a suspect's password to unlock the device, and it is oblivious to any persistent storage encryption schemes. Prior to my work, researchers and investigators alike considered raw data-structure recovery the ultimate goal of memory forensics. This, however, was far from sufficient as investigators were still largely unable to understand the content of the recovered evidence; hence, unlocking the true potential of such evidence in memory images remained an open research challenge. In this talk, I will focus on my research efforts which break from traditional data-recovery-oriented forensics and instead leverage program analysis to automatically locate, reconstruct, and render spatial-temporal evidence from memory images. I will describe the evolution of this work, starting with the reuse of binary program components to overcome the burden of recovering and understanding highly probative data structures, e.g., photos, chat contents, and edited documents. Then, shifting away from the recovery of data structures, I will introduce spatial-temporal evidence recovery, culminating in the instrumentation of program executions to recreate full sequences of previous smartphone app screens, all from only a single snapshot of a device's memory. Finally, to highlight the role of memory forensics in my overall research agenda, I will briefly present my ongoing and future work in integrated cyber/cyber-physical attack defense and forensics. en_US
dc.format.extent 48:08 minutes
dc.identifier.uri http://hdl.handle.net/1853/59327
dc.language.iso en_US en_US
dc.publisher Georgia Institute of Technology en_US
dc.relation.ispartofseries Cybersecurity Lecture Series
dc.subject Android en_US
dc.subject Cyber forensics en_US
dc.subject Memory forensics en_US
dc.title Convicted by Memory: Recovering Spatial-Temporal Digital Evidence from Memory Images en_US
dc.type Moving Image
dc.type.genre Lecture
dspace.entity.type Publication
local.contributor.author Saltaformaggio, Brendan D.
local.contributor.corporatename School of Cybersecurity and Privacy
local.contributor.corporatename College of Computing
local.relation.ispartofseries Institute for Information Security & Privacy Cybersecurity Lecture Series
relation.isAuthorOfPublication 0962496d-5a25-4cc0-8f0d-da1c58a09a76
relation.isOrgUnitOfPublication f6d1765b-8d68-42f4-97a7-fe5e2e2aefdf
relation.isOrgUnitOfPublication c8892b3c-8db6-4b7b-a33a-1b67f7db2021
relation.isSeriesOfPublication 2b4a3c7a-f972-4a82-aeaa-818747ae18a7
Files
Original bundle
Name: saltaformaggio.mp4
Size: 386.39 MB
Format: MP4 Video file
Description: Download video

Name: saltaformaggio_videostream.html
Size: 1007 B
Format: Hypertext Markup Language
Description: Streaming video