Characterizing data structures for volatile forensics

Ellick Chan, Shivaram Venkataraman, Nadia Tkach, Kevin Larson, Alejandro Gutierrez, Roy H. Campbell

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

Volatile memory forensic tools can extract valuable evidence from latent data structures present in memory dumps. However, current techniques are generally limited by a lack of understanding of the underlying data without the use of expert knowledge. In this paper, we characterize the nature of such evidence by using deep analysis techniques to better understand the life-cycle and recoverability of latent program data in memory. We have developed Cafegrind, a tool that can systematically build an object map and track the use of data structures as a program is running. Statistics collected by our tool can show which data structures are the most numerous and which structures are the most frequently accessed, and provide summary statistics to guide forensic analysts in the evidence gathering process. As programs grow increasingly complex and numerous, the ability to pinpoint specific evidence in memory dumps will be increasingly helpful. Cafegrind has been tested on a number of real-world applications and we have shown that it can successfully map up to 96% of heap accesses.
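The abstract describes an object map that records each allocation, counts how often each structure is touched, and reduces that to per-type summary statistics, and it frames the forensic question as the life-cycle and recoverability of data that a program has already freed. The C program below is an added example written for this page; it is not Cafegrind and not code from the paper. It keeps a toy object map over a fixed arena that stands in for the process heap (so freed bytes can be inspected without undefined behaviour), produces per-type counts and access totals, and then carves the arena for a constructed `session` structure with a made-up magic value to show that freed objects stay recoverable until their bytes are overwritten or explicitly scrubbed. The object types, sizes, magic value and workload are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Cafegrind's code: a toy object map over a fixed arena.
   The arena stands in for the heap so freed bytes can be read legally
   (reading freed malloc() memory is undefined behaviour). */
#define ARENA_SIZE 2048
#define MAX_OBJS   32
#define SESSION_MAGIC 0x53455353u             /* "SESS", constructed marker */

enum obj_type { T_SESSION, T_BUFFER, T_NODE, N_TYPES };   /* hypothetical types */
struct obj_rec {                              /* one object-map entry */
    enum obj_type type;
    uint32_t off, size, accesses;             /* arena location, access count */
    uint32_t alloc_tick, free_tick;           /* free_tick == 0: still live */
};
struct type_stats { uint32_t count, live, accesses; };
struct session { uint32_t magic; char user[12]; uint32_t token; };  /* constructed */

static uint8_t arena[ARENA_SIZE]; static uint32_t arena_top, tick;
static struct obj_rec objmap[MAX_OBJS]; static int n_objs;

static void objmap_reset(void) {
    memset(arena, 0, sizeof arena); memset(objmap, 0, sizeof objmap);
    arena_top = tick = 0; n_objs = 0;
}
/* Bump allocation: nothing is reused, so a freed object stays in the arena
   until a later allocation or an explicit scrub overwrites it. */
static int obj_alloc(enum obj_type t, uint32_t size) {
    uint32_t sz = (size + 7u) & ~7u;
    if (n_objs == MAX_OBJS || arena_top + sz > ARENA_SIZE) return -1;
    objmap[n_objs] = (struct obj_rec){ t, arena_top, sz, 0, ++tick, 0 };
    arena_top += sz;
    return n_objs++;
}
static void *obj_ptr(int h)   { return arena + objmap[h].off; }
static void  obj_touch(int h) { objmap[h].accesses++; tick++; }
static void  obj_free(int h, int scrub) {
    objmap[h].free_tick = ++tick;
    if (scrub) memset(obj_ptr(h), 0, objmap[h].size);   /* defensive variant */
}
/* Per-type summary: objects seen, objects still live, accesses in total. */
static void summarize(struct type_stats st[N_TYPES]) {
    memset(st, 0, N_TYPES * sizeof st[0]);
    for (int i = 0; i < n_objs; i++) {
        struct type_stats *s = &st[objmap[i].type];
        s->count++; s->accesses += objmap[i].accesses;
        if (objmap[i].free_tick == 0) s->live++;
    }
}
/* Most numerous type (by_access == 0) or most frequently accessed type (1). */
static enum obj_type top_type(const struct type_stats st[N_TYPES], int by_access) {
    enum obj_type best = T_SESSION;
    for (int t = 1; t < N_TYPES; t++) {
        uint32_t a = by_access ? st[t].accesses : st[t].count;
        uint32_t b = by_access ? st[best].accesses : st[best].count;
        if (a > b) best = (enum obj_type)t;
    }
    return best;
}
/* Carve the "dump": count session magics in the arena regardless of whether
   the object map still lists the object as live. */
static int carve_sessions(void) {
    int found = 0;
    for (uint32_t off = 0; off + sizeof(struct session) <= ARENA_SIZE; off += 4) {
        uint32_t m; memcpy(&m, arena + off, sizeof m);
        if (m == SESSION_MAGIC) found++;
    }
    return found;
}
/* Constructed workload: three sessions, five buffers, one hot node; sessions
   0 and 2 are freed. Returns the carve count; stats go to the out-parameter. */
static int run_scenario(int scrub_on_free, struct type_stats st[N_TYPES]) {
    int s[3];
    objmap_reset();
    for (int i = 0; i < 3; i++) {
        s[i] = obj_alloc(T_SESSION, sizeof(struct session));
        struct session *p = obj_ptr(s[i]);
        p->magic = SESSION_MAGIC; p->token = 0x1000u + (uint32_t)i;
        snprintf(p->user, sizeof p->user, "user%d", i);
        obj_touch(s[i]); obj_touch(s[i]);
    }
    for (int i = 0; i < 5; i++) {
        int b = obj_alloc(T_BUFFER, 64);
        memset(obj_ptr(b), 'A', 64); obj_touch(b);
    }
    int n = obj_alloc(T_NODE, 16);
    for (int i = 0; i < 20; i++) obj_touch(n);
    obj_free(s[0], scrub_on_free); obj_free(s[2], scrub_on_free);
    summarize(st);
    return carve_sessions();
}

int main(void) {
    struct type_stats st[N_TYPES];
    for (int scrub = 0; scrub < 2; scrub++) {
        int carved = run_scenario(scrub, st);
        printf("scrub=%d: %u of %u sessions live, %d carved; most numerous type %d, most accessed %d\n",
               scrub, (unsigned)st[T_SESSION].live, (unsigned)st[T_SESSION].count,
               carved, (int)top_type(st, 0), (int)top_type(st, 1));
    }
    return 0;
}
```

Without scrub-on-free the carver recovers all three sessions although the object map lists only one as live, which is exactly the gap between "allocated" and "recoverable" that the paper's life-cycle statistics are meant to quantify; with scrub-on-free only the live session is carved. The "most numerous" and "most accessed" answers differ (buffers versus the hot node), which is why an analyst wants both statistics rather than one. A tool like Cafegrind observes a running program directly instead of requiring allocations to go through wrappers as here; the wrappers only keep the example self-contained.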

Original language: English (US)
Title of host publication: 2011 6th IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, SADFE 2011
DOI: https://doi.org/10.1109/SADFE.2011.5
State: Published - Dec 1 2011
Event: 2011 6th IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, SADFE 2011 - Berkeley/Oakland, CA, United States
Duration: May 26 2011 - May 26 2011
Scopus record: http://www.scopus.com/inward/record.url?scp=84858736046&partnerID=8YFLogxK

Publication series

Name: 2011 6th IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, SADFE 2011

Other

Event: 2011 6th IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, SADFE 2011
Country: United States
City: Berkeley/Oakland, CA
Period: 5/26/11 - 5/26/11

Fingerprint

Data structures
Statistics
Expert knowledge
Life cycle
Analysts

ASJC Scopus subject areas

  • Information Systems and Management

Cite this

Chan, E., Venkataraman, S., Tkach, N., Larson, K., Gutierrez, A., & Campbell, R. H. (2011). Characterizing data structures for volatile forensics. In 2011 6th IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, SADFE 2011 [6159126] (2011 6th IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, SADFE 2011). https://doi.org/10.1109/SADFE.2011.5

@inproceedings{179a143b1d3941dfa2c65aaf9e65ee4a,
  title = "Characterizing data structures for volatile forensics",
  abstract = "Volatile memory forensic tools can extract valuable evidence from latent data structures present in memory dumps. However, current techniques are generally limited by a lack of understanding of the underlying data without the use of expert knowledge. In this paper, we characterize the nature of such evidence by using deep analysis techniques to better understand the life-cycle and recoverability of latent program data in memory. We have developed Cafegrind, a tool that can systematically build an object map and track the use of data structures as a program is running. Statistics collected by our tool can show which data structures are the most numerous and which structures are the most frequently accessed, and provide summary statistics to guide forensic analysts in the evidence gathering process. As programs grow increasingly complex and numerous, the ability to pinpoint specific evidence in memory dumps will be increasingly helpful. Cafegrind has been tested on a number of real-world applications and we have shown that it can successfully map up to 96{\%} of heap accesses.",
  author = "Ellick Chan and Shivaram Venkataraman and Nadia Tkach and Kevin Larson and Alejandro Gutierrez and Campbell, {Roy H.}",
  year = "2011",
  month = "12",
  day = "1",
  doi = "10.1109/SADFE.2011.5",
  language = "English (US)",
  isbn = "9781467312424",
  series = "2011 6th IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, SADFE 2011",
  booktitle = "2011 6th IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, SADFE 2011",
}
