Discovering Semantic Data of Interest from Un-mappable Memory with Confidence

Uncovering semantic data of interest in memory pages for which no memory mapping information is available is an important capability in computer forensics. Existing memory-mapping-guided techniques do not work in that scenario because pointers in un-mappable memory cannot be resolved and navigated. To address this problem, we present a probabilistic inference-based approach called DIMSUM that recognizes data structure instances in un-mappable memory. Given a set of memory pages and the specification of a target data structure, DIMSUM identifies instances of that data structure in those pages with quantifiable confidence. More specifically, it builds graphical models from boolean constraints generated from the data structure definition and the contents of the memory pages. Probabilistic inference is then performed on the graphical models to produce results ranked by probability. Our experiments with real-world applications on both Linux and Android platforms show that DIMSUM is more effective than non-probabilistic approaches when no memory mapping information is available.
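The following Python sketch is an added illustration of the problem shape described above; it is not DIMSUM's model or code, and it does not reproduce the paper's graphical models or inference procedure. It assumes a hypothetical 32-byte record layout, a known (assumed) virtual base address for the page, hand-picked constraint reliabilities, and a constructed 4 KiB page with three linked records and one decoy embedded in random bytes. Each field constraint is a boolean predicate; the noise rate of each predicate is estimated from the page itself, a naive-Bayes posterior ranks each aligned offset, and one pairwise factor (a candidate whose pointer lands on another strong candidate gets corroborating evidence) is propagated for a couple of rounds. The real approach handles far richer constraints and proper belief propagation; this only shows why a probabilistic ranking separates true instances from partial matches when no mapping is available.

```python
"""Rank candidate data-structure instances in an unmapped memory page (illustrative, not DIMSUM)."""
import random
import struct

# Hypothetical 32-byte record (an assumption for this example, not from the paper):
#   0  u32 pid        plausible range 1..65535
#   4  u32 state      small enum 0..4
#   8  u64 next       NULL or an 8-byte-aligned address inside this page
#   16 char name[16]  printable, NUL-terminated C string
REC_SIZE, ALIGN, PAGE_SIZE = 32, 8, 4096
PAGE_BASE = 0xFFFF_8800_1234_0000   # assumed virtual address of the page
PRIOR = 0.02                        # prior that an aligned offset starts an instance

def parse(page, off):
    pid, state, nxt = struct.unpack_from("<IIQ", page, off)
    return pid, state, nxt, page[off + 16:off + 32]

def in_page(addr):
    return PAGE_BASE <= addr < PAGE_BASE + PAGE_SIZE

def printable_cstr(b):
    end = b.find(b"\0")
    return end > 0 and all(32 <= c < 127 for c in b[:end])

# (name, predicate over parsed fields, P(predicate holds | real instance))
CONSTRAINTS = [
    ("pid_range",  lambda f: 1 <= f[0] <= 65535, 0.99),
    ("state_enum", lambda f: f[1] <= 4, 0.99),
    ("next_ptr",   lambda f: f[2] == 0 or (in_page(f[2]) and (f[2] - PAGE_BASE) % ALIGN == 0), 0.97),
    ("name_cstr",  lambda f: printable_cstr(f[3]), 0.95),
]

def candidates(page):
    return range(0, len(page) - REC_SIZE + 1, ALIGN)

def background_rates(page):
    """Estimate P(predicate holds | random bytes) from the page itself (clamped)."""
    offs = list(candidates(page))
    rates = []
    for _, pred, _ in CONSTRAINTS:
        hits = sum(pred(parse(page, o)) for o in offs)
        rates.append(min(max(hits / len(offs), 0.01), 0.99))
    return rates

def posterior(sat, rates):
    """Naive-Bayes posterior that an offset is an instance given its satisfaction bits."""
    l_inst, l_noise = PRIOR, 1 - PRIOR
    for s, (_, _, p), q in zip(sat, CONSTRAINTS, rates):
        l_inst *= p if s else 1 - p
        l_noise *= q if s else 1 - q
    return l_inst / (l_inst + l_noise)

def rank_instances(page, rounds=2):
    """Return [(offset, belief), ...] sorted by decreasing belief."""
    rates = background_rates(page)
    fields = {o: parse(page, o) for o in candidates(page)}
    base = {o: posterior([pred(f) for _, pred, _ in CONSTRAINTS], rates) for o, f in fields.items()}
    belief = dict(base)
    for _ in range(rounds):
        new = {}
        for o, b in base.items():
            nxt = fields[o][2]
            tgt = nxt - PAGE_BASE if nxt and in_page(nxt) else None
            if tgt in belief:
                # Pairwise factor: a real object's pointer hits another real object with
                # probability ~0.9; a random pointer hits one only at the base rate PRIOR.
                bt = belief[tgt]
                lr = (0.9 * bt + 0.1 * (1 - bt)) / (PRIOR * bt + (1 - PRIOR) * (1 - bt))
                odds = b / (1 - b) * lr
                b = odds / (1 + odds)
            new[o] = b
        belief = new
    return sorted(belief.items(), key=lambda kv: kv[1], reverse=True)

# Constructed page: random filler, three linked records, one decoy with a plausible
# pid/state but garbage pointer and name.
_rng = random.Random(7)
_page = bytearray(_rng.getrandbits(8) for _ in range(PAGE_SIZE))
for off, pid, state, nxt_off, name in [(0x100, 412, 1, 0x300, b"sshd"),
                                        (0x300, 1337, 0, 0x800, b"bash"),
                                        (0x800, 2048, 3, None, b"python3")]:
    nxt = PAGE_BASE + nxt_off if nxt_off is not None else 0
    struct.pack_into("<IIQ16s", _page, off, pid, state, nxt, name)
struct.pack_into("<IIQ16s", _page, 0x500, 1234, 2, 0xDEADBEEFCAFEBABE, b"\xff" * 16)
PAGE = bytes(_page)

if __name__ == "__main__":
    for off, b in rank_instances(PAGE)[:5]:
        print(f"offset 0x{off:04x}  belief {b:.4f}")
```

Run as a script to see the three embedded records ranked first with belief near 1 and the decoy well below them: the decoy satisfies two of four constraints, which a signature-style all-or-nothing scan would either reject outright or (with a loosened signature) accept with no way to express that it is weaker evidence than a full match.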
