mCarve: Carving Attributed Dump Sets

Authors: 

Ton van Deursen, Sjouke Mauw, and Saša Radomirović, University of Luxembourg

Abstract: 

Carving is a common technique in digital forensics to recover data from a memory dump of a device. In contrast to existing approaches, we investigate the carving problem for sets of memory dumps. Such a set can, for instance, be obtained by dumping the memory of a number of smart cards or by regularly dumping the memory of a single smart card during its lifetime. The problem that we define and investigate is to determine at which location in the dumps certain attributes are stored. By studying the commonalities and dissimilarities of these dumps, one can significantly reduce the collection of possible locations for such attributes. We develop algorithms that support this process, implement them in a prototype, and apply this prototype to reverse engineer the data structure of a public transportation card.
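To make the commonality/dissimilarity idea concrete, the following is an added illustration written for this page, not the paper's algorithms or the mCarve prototype. It assumes the attribute sits at the same location in every dump and that its unknown encoding is deterministic and injective; the function names and the sample dumps are hypothetical and constructed.

```python
from itertools import combinations

def to_bits(dump: bytes) -> str:
    return "".join(f"{byte:08b}" for byte in dump)

def candidate_regions(dumps):
    """dumps: list of (attribute_value, dump_bytes), all dumps the same length.
    Returns half-open bit ranges (start, end) that may still hold the attribute."""
    rows = [(value, to_bits(raw)) for value, raw in dumps]
    n = len(rows[0][1])
    if any(len(b) != n for _, b in rows):
        raise ValueError("all dumps must have the same length")
    pairs = list(combinations(rows, 2))

    # Commonalities: a bit that differs between two dumps carrying the SAME
    # attribute value cannot be part of that attribute's encoding.
    stable = [all(a[i] == b[i] for (va, a), (vb, b) in pairs if va == vb)
              for i in range(n)]

    # Collect maximal runs of stable bits.
    runs, start = [], None
    for i in range(n + 1):
        ok = i < n and stable[i]
        if ok and start is None:
            start = i
        elif not ok and start is not None:
            runs.append((start, i))
            start = None

    # Dissimilarities: a run that looks identical in two dumps carrying
    # DIFFERENT attribute values cannot contain the attribute either.
    def separates(s, e):
        return all(a[s:e] != b[s:e] for (va, a), (vb, b) in pairs if va != vb)
    return [run for run in runs if separates(*run)]

# Constructed sample dumps (not real card data). Layout used to build them:
# 1 byte nonce | 2 byte attribute | 1 byte noise | 2 byte constant card id.
SAMPLE = [
    (5, bytes.fromhex("3a000501cafe")),
    (5, bytes.fromhex("c50005fecafe")),
    (7, bytes.fromhex("11000722cafe")),
    (2, bytes.fromhex("90000247cafe")),
]

if __name__ == "__main__":
    print(candidate_regions(SAMPLE))
```

Without at least two dumps that share an attribute value, the commonality step removes nothing and the whole dump stays a candidate.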

BibTeX
@inproceedings {266532,
author = {Ton van Deursen and Sjouke Mauw and Sa{\v s}a Radomirovi{\'c}},
title = {{mCarve}: Carving Attributed Dump Sets},
booktitle = {20th USENIX Security Symposium (USENIX Security 11)},
year = {2011},
address = {San Francisco, CA},
url = {https://www.usenix.org/conference/usenix-security-11/mcarve-carving-attributed-dump-sets},
publisher = {USENIX Association},
month = aug
}
