Description: State-of-the-art memory forensics involves signature-based scanning of memory images to uncover data structure instances of interest to investigators. A largely unaddressed challenge is that investigators may not be able to interpret the content of data structure fields, even with a deep understanding of the data structure’s syntax and semantics. This is very common for data structures with application-specific encoding, such as those representing images, figures, passwords, and formatted file contents. For example, an investigator may know that a buffer field is holding a photo image, but still cannot display (and hence understand) the image. We call this the data structure content reverse engineering challenge. In this paper, we present DSCRETE, a system that enables automatic interpretation and rendering of in-memory data structure contents. DSCRETE is based on the observation that the application in which a data structure is defined usually contains interpretation and rendering logic to generate human-understandable output for that data structure. Hence DSCRETE aims to identify and reuse such logic in the program’s binary and create a “scanner+renderer” tool for scanning and rendering instances of the data structure in a memory image. Different from signature-based approaches, DSCRETE avoids reverse engineering data structure signatures. Our evaluation with a wide range of real-world application binaries shows that DSCRETE is able to recover a variety of application data—e.g., images, figures, screenshots, user accounts, and formatted files and messages—with high accuracy. The raw contents of such data would otherwise be unfathomable to human investigators.
For More Information please visit : - https://www.usenix.org/conference/usenixsecurity14
Tags:
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.