TY - GEN
T1 - Characterizing data structures for volatile forensics
AU - Chan, Ellick
AU - Venkataraman, Shivaram
AU - Tkach, Nadia
AU - Larson, Kevin
AU - Gutierrez, Alejandro
AU - Campbell, Roy H.
PY - 2011
Y1 - 2011
N2 - Volatile memory forensic tools can extract valuable evidence from latent data structures present in memory dumps. However, current techniques are generally limited by a lack of understanding of the underlying data without the use of expert knowledge. In this paper, we characterize the nature of such evidence by using deep analysis techniques to better understand the life-cycle and recoverability of latent program data in memory. We have developed Cafegrind, a tool that can systematically build an object map and track the use of data structures as a program is running. Statistics collected by our tool can show which data structures are the most numerous, which structures are the most frequently accessed and provide summary statistics to guide forensic analysts in the evidence gathering process. As programs grow increasingly complex and numerous, the ability to pinpoint specific evidence in memory dumps will be increasingly helpful. Cafegrind has been tested on a number of real-world applications and we have shown that it can successfully map up to 96% of heap accesses.
AB - Volatile memory forensic tools can extract valuable evidence from latent data structures present in memory dumps. However, current techniques are generally limited by a lack of understanding of the underlying data without the use of expert knowledge. In this paper, we characterize the nature of such evidence by using deep analysis techniques to better understand the life-cycle and recoverability of latent program data in memory. We have developed Cafegrind, a tool that can systematically build an object map and track the use of data structures as a program is running. Statistics collected by our tool can show which data structures are the most numerous, which structures are the most frequently accessed and provide summary statistics to guide forensic analysts in the evidence gathering process. As programs grow increasingly complex and numerous, the ability to pinpoint specific evidence in memory dumps will be increasingly helpful. Cafegrind has been tested on a number of real-world applications and we have shown that it can successfully map up to 96% of heap accesses.
UR - http://www.scopus.com/inward/record.url?scp=84858736046&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84858736046&partnerID=8YFLogxK
U2 - 10.1109/SADFE.2011.5
DO - 10.1109/SADFE.2011.5
M3 - Conference contribution
AN - SCOPUS:84858736046
SN - 9781467312424
T3 - 2011 6th IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, SADFE 2011
BT - 2011 6th IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, SADFE 2011
T2 - 2011 6th IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, SADFE 2011
Y2 - 26 May 2011 through 26 May 2011
ER -