Discovering and Rendering In-memory Forensics Information with Confidence

Abstract

Traditional computer forensics has mainly focused on uncovering evidence from non-volatile storage (e.g., disks). However, investigators have increasingly realized the value of evidence in a computer's memory image, which contains "live" evidence left by program execution, such as recent chat contents, logins, and photos viewed. In this talk, I will report results from our memory forensics research enabled by probabilistic inference and binary program analysis. First, I will present a method that discovers instances of a program data structure in a memory image, based on probabilistic inference on a set of Boolean constraints generated from data structure definitions and memory contents. Second, I will present a system that enables intuitive rendering of the discovered data structure instances in human-understandable format, by reusing relevant code in the application binary as rendering functions. Evaluation results with real-world programs and in-memory data will be presented to demonstrate the effectiveness of our techniques.
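A toy version of the constraint-based discovery step described above, added here as an illustration rather than code from the talk or the speaker's system: a hypothetical 12-byte record type yields Boolean constraints (enum range, plausible timestamp, pointer inside the image, pointer target is a printable C string), and each candidate offset's outcomes are combined with a naive-Bayes log-likelihood sum, a much simpler stand-in for the probabilistic inference the abstract mentions. The record layout, the per-constraint rates, the prior, the load address and the sample image are all constructed assumptions.

```python
import math
import struct

# Hypothetical record type used for the demo (not from the talk), 12 bytes little-endian:
#   struct msg { uint32_t kind; uint32_t ts; uint32_t text; }   kind in {0,1,2}, text -> C string
KINDS = {0, 1, 2}
TS_MIN, TS_MAX = 1_400_000_000, 1_500_000_000  # plausible Unix timestamps for the capture
BASE = 0x1000                                  # assumed virtual address of image offset 0
# (P(constraint holds | real instance), P(holds | unrelated bytes)); assumed, not measured
RATES = {"kind": (0.99, 0.05), "ts": (0.95, 0.02), "ptr": (0.99, 0.10), "str": (0.90, 0.02)}
PRIOR = 0.01                                   # prior that an aligned offset starts a msg

def printable_cstring(img, p):
    """True if a non-empty, NUL-terminated, printable-ASCII string starts at offset p."""
    end = img.find(b"\0", p)
    return end > p and all(32 <= b < 127 for b in img[p:end])

def constraints(img, off):
    """Boolean constraints derived from the struct definition, evaluated at offset off."""
    kind, ts, text = struct.unpack_from("<III", img, off)
    p = text - BASE                            # pointer translated to an image offset
    c_ptr = 0 <= p < len(img)
    return (kind in KINDS, TS_MIN <= ts <= TS_MAX, c_ptr, c_ptr and printable_cstring(img, p))

def posterior(sat):
    """Combine the constraint outcomes with a naive-Bayes log-likelihood-ratio sum."""
    logit = math.log(PRIOR / (1 - PRIOR))
    for (pt, pf), ok in zip(RATES.values(), sat):
        logit += math.log(pt / pf) if ok else math.log((1 - pt) / (1 - pf))
    return 1 / (1 + math.exp(-logit))

def scan(img, step=4, threshold=0.95):
    """Return (offset, posterior) for every aligned candidate scoring at or above threshold."""
    hits = []
    for off in range(0, len(img) - 11, step):
        prob = posterior(constraints(img, off))
        if prob >= threshold:
            hits.append((off, prob))
    return hits

def build_image():
    """Constructed 256-byte image: real msgs at 0x00/0x0c, strings at 0x80/0x90, a decoy at 0x40."""
    img = bytearray(256)
    img[0x80:0x8c] = b"hello world\0"
    img[0x90:0x94] = b"bye\0"
    struct.pack_into("<III", img, 0x00, 1, 1_430_000_000, BASE + 0x80)
    struct.pack_into("<III", img, 0x0c, 2, 1_430_000_100, BASE + 0x90)
    struct.pack_into("<III", img, 0x40, 0, 1_430_000_200, BASE + 0x00)  # pointer to non-text bytes
    return bytes(img)
```

The decoy at 0x40 satisfies three of the four constraints and lands near 0.9, which is why the scan reports posteriors rather than a bare yes/no: the analyst can choose the threshold and inspect the borderline candidates.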

Speaker

Prof. Dongyan XU
Department of Computer Science, Purdue University

Date & Time

4 May 2015 (Monday) 10:30 - 11:30

Venue

E11-4045 (University of Macau)

Organized by

Department of Computer and Information Science

Biography

Dongyan Xu is a professor of computer science and a University Faculty Scholar at Purdue University (West Lafayette, IN). He is also affiliated with the Center for Education and Research in Information Assurance and Security (CERIAS). He has been on the Purdue faculty since 2001, when he received his Ph.D. in computer science from the University of Illinois at Urbana-Champaign. His research efforts span computer systems security and forensics, cloud computing, and virtualization. He is the co-author of a number of award-winning papers at major conferences including RAID'08, SOCC'11, ASE'13, and USENIX Security'14.