Memory forensics is becoming a crucial capability in modern cyber forensic investigations. In particular, memory forensics can reveal "up to the minute" evidence of a device's usage, often without requiring a suspect's password to unlock the device, and it is oblivious to any persistent storage encryption schemes. Prior to my work, researchers and investigators alike considered raw data-structure recovery the ultimate goal of memory forensics. This, however, was far from sufficient as investigators were still largely unable to understand the content of the recovered evidence; hence, unlocking the true potential of such evidence in memory images remained an open research challenge.
In this talk, I will focus on my research efforts which break from traditional data-recovery-oriented forensics and instead leverage program analysis to automatically locate, reconstruct, and render spatial-temporal evidence from memory images. I will describe the evolution of this work, starting with the reuse of binary program components to overcome the burden of recovering and understanding highly probative data structures, e.g., photos, chat contents, and edited documents. Then, shifting away from the recovery of data structures, I will introduce spatial-temporal evidence recovery, culminating in the instrumentation of program executions to recreate full sequences of previous smartphone app screens, all from only a single snapshot of a device's memory. Finally, to highlight the role of memory forensics in my overall research agenda, I will briefly present my ongoing and future work in integrated cyber/cyber-physical attack defense and forensics.
Brendan Saltaformaggio is a Postdoctoral Researcher in the Department of Computer Science at Purdue University. His research interests lie in computer systems security and cyber forensics with focuses on memory image forensics, binary analysis and instrumentation, vetting of untrusted software, and cloud computing security. Dr. Saltaformaggio's work has been profiled by technical and mass media outlets and was awarded the Best Student Paper Award at Usenix Security 2014 and the Best Paper Award at ACM CCS 2015. He is also the recipient of the 2016 Symantec Research Labs Graduate Fellowship and the inaugural award of the Emil Stefanov Memorial Fellowship in Computer Science.