Memory Carving in Embedded Devices: Separate the Wheat from the Chaff

This paper investigates memory carving techniques for embedded devices. Because cryptographic material in memory dumps makes carving techniques inefficient, we introduce a methodology to distinguish meaningful information from cryptographic material in small-sized memory dumps. The proposed methodology uses an adaptive boosting technique with statistical tests. In experiments on EMV cards, the methodology recognized 92% of meaningful information and 98% of cryptographic material.
