Convicted by Memory: Recovering Spatial-Temporal Digital Evidence from Memory Images

Brendan Saltaformaggio, Assistant Professor, School of Electrical Computer Engineering, Georgia Institute of Technology


Memory forensics is becoming a crucial capability in modern cyber forensic investigations. In particular, memory forensics can reveal "up to the minute" evidence of a device's usage, often without requiring a suspect's password to unlock the device, and it is oblivious to any persistent storage encryption schemes. Prior to my work, researchers and investigators alike considered raw data-structure recovery the ultimate goal of memory forensics. This, however, was far from sufficient as investigators were still largely unable to understand the content of the recovered evidence; hence, unlocking the true potential of such evidence in memory images remained an open research challenge.

In this talk, I will focus on my research efforts which break from traditional data-recovery-oriented forensics and instead leverage program analysis to automatically locate, reconstruct, and render spatial-temporal evidence from memory images. I will describe the evolution of this work, starting with the reuse of binary program components to overcome the burden of recovering and understanding highly probative data structures, e.g., photos, chat contents, and edited documents. Then, shifting away from the recovery of data structures, I will introduce spatial-temporal evidence recovery, culminating in the instrumentation of program executions to recreate full sequences of previous smartphone app screens, all from only a single snapshot of a device's memory. Finally, to highlight the role of memory forensics in my overall research agenda, I will briefly present my ongoing and future work in integrated cyber/cyber-physical attack defense and forensics.

Brendan Saltaformaggio, Assistant Professor, School of Electrical Computer Engineering, Georgia Institute of Technology

Dr. Brendan Saltaformaggio is an Assistant Professor in the School of Electrical and Computer Engineering at Georgia Tech. He is the Director of the Cyber Forensics Innovation (CyFI) Laboratory, whose mission is to further the investigation of advanced cyber crimes and the analysis and prevention of next-generation malware attacks, particularly in mobile and IoT environments. This research has led to numerous publications at top cyber security venues, including a Best Student Paper Award from the 2014 USENIX Security Symposium.
