DSCRETE: Automatic Rendering of Forensic Information from Memory Images via Application Logic Reuse

State-of-the-art memory forensics involves signature-based scanning of memory images to uncover data structure instances of interest to investigators. A largely unaddressed challenge is that investigators may not be able to interpret the content of data structure fields, even with a deep understanding of the data structure's syntax and semantics. This is very common for data structures with application-specific encoding, such as those representing images, figures, passwords, and formatted file contents. For example, an investigator may know that a buffer field is holding a photo image, but still cannot display (and hence understand) the image. We call this the data structure content reverse engineering challenge. In this paper, we present DSCRETE, a system that enables automatic interpretation and rendering of in-memory data structure contents. DSCRETE is based on the observation that the application in which a data structure is defined usually contains interpretation and rendering logic to generate human-understandable output for that data structure. Hence DSCRETE aims to identify and reuse such logic in the program's binary and create a "scanner+renderer" tool for scanning and rendering instances of the data structure in a memory image. Different from signature-based approaches, DSCRETE avoids reverse engineering data structure signatures. Our evaluation with a wide range of real-world application binaries shows that DSCRETE is able to recover a variety of application data -- e.g., images, figures, screenshots, user accounts, and formatted files and messages -- with high accuracy. The raw contents of such data would otherwise be unfathomable to human investigators.

[1]  David Brumley,et al.  TIE: Principled Reverse Engineering of Types in Binary Programs , 2011, NDSS.

[2]  William A. Arbaugh,et al.  FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory , 2006, Digit. Investig..

[3]  Paul Movall,et al.  Linux Physical Memory Analysis , 2005, USENIX Annual Technical Conference, FREENIX Track.

[4]  Abhinav Srivastava,et al.  Robust signatures for kernel data structures , 2009, CCS.

[5]  Jonathon T. Giffin,et al.  2011 IEEE Symposium on Security and Privacy Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection , 2022 .

[6]  Xuxian Jiang,et al.  Mapping kernel objects to enable systematic integrity checking , 2009, CCS.

[7]  Xuxian Jiang,et al.  SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures , 2011, NDSS.

[8]  Brian Neil Levine,et al.  Forensic Triage for Mobile Phones with DEC0DE , 2011, USENIX Security Symposium.

[9]  Xiangyu Zhang,et al.  Automatic Reverse Engineering of Data Structures from Binary Execution , 2010, NDSS.

[10]  Joe Grand,et al.  A hardware-based memory acquisition procedure for digital investigations , 2004, Digit. Investig..

[11]  Harish Patil,et al.  Pin: building customized program analysis tools with dynamic instrumentation , 2005, PLDI '05.

[12]  Golden G. Richard,et al.  Acquisition and analysis of volatile memory from android devices , 2012, Digit. Investig..

[13]  Christopher Krügel,et al.  Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries , 2010, 2010 IEEE Symposium on Security and Privacy.

[14]  Chao Wu,et al.  Discovering Semantic Data of Interest from Un-mappable Memory with Confidence , 2012, NDSS.

[15]  Xiangyu Zhang,et al.  Obfuscation resilient binary code reuse through trace-oriented programming , 2013, CCS.

[16]  Andreas Schuster,et al.  Searching for processes and threads in Microsoft Windows memory dumps , 2006, Digit. Investig..

[17]  Stephen McCamant,et al.  Binary Code Extraction and Interface Identification for Security Applications , 2009, NDSS.

[18]  Zhiqiang Lin,et al.  HYBRID-BRIDGE: Efficiently Bridging the Semantic Gap in Virtual Memory Introspection via Decoupled Execution and Training Memoization , 2014, NDSS 2014.

[19]  Swapna S. Gokhale,et al.  Quantifying the closeness between program components and features , 2000, J. Syst. Softw..

[20]  Stéphane Ducasse,et al.  Correlating features and code using a compact two-sided trace analysis approach , 2005, Ninth European Conference on Software Maintenance and Reengineering.

[21]  Herbert Bos,et al.  Howard: A Dynamic Excavator for Reverse Engineering Data Structures , 2011, NDSS.

[22]  Joseph Robert Horgan,et al.  Dynamic program slicing , 1990, PLDI '90.

[23]  AyersDaniel A second generation computer forensic analysis system , 2009 .

[24]  Golden G. Richard,et al.  FACE: Automated digital evidence discovery and correlation , 2008, Digit. Investig..

[25]  Xiangyu Zhang,et al.  Reuse-oriented camouflaging trojan: Vulnerability detection and attack construction , 2010, 2010 IEEE/IFIP International Conference on Dependable Systems & Networks (DSN).

[26]  Yangchun Fu,et al.  Space Traveling across VM: Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection , 2012, 2012 IEEE Symposium on Security and Privacy.