Ellick Chan, S. Venkataraman, Nadia Tkach, Kevin Larson, Alejandro Gutierrez, R. Campbell
Title: Characterizing Data Structures for Volatile Forensics
DOI: 10.1109/SADFE.2011.5 (https://doi.org/10.1109/SADFE.2011.5)
Venue: 2011 Sixth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE 2011)
Publication date: 2011-05-05
Citations: 12
Abstract
Volatile memory forensic tools can extract valuable evidence from latent data structures present in memory dumps. However, current techniques are generally limited by a lack of understanding of the underlying data without the use of expert knowledge. In this paper, we characterize the nature of such evidence by using deep analysis techniques to better understand the life-cycle and recoverability of latent program data in memory. We have developed Cafegrind, a tool that can systematically build an object map and track the use of data structures as a program is running. Statistics collected by our tool can show which data structures are the most numerous, which structures are the most frequently accessed and provide summary statistics to guide forensic analysts in the evidence gathering process. As programs grow increasingly complex and numerous, the ability to pinpoint specific evidence in memory dumps will be increasingly helpful. Cafegrind has been tested on a number of real-world applications and we have shown that it can successfully map up to 96% of heap accesses.