Further research in memory forensics could help investigators gather evidence even after a computer is unplugged.
University computer science professor and principal investigator Golden Richard III and his team received a $1.1 million grant in September from the National Science Foundation to study memory forensics.
Memory forensics looks at what is lost when a computer is unplugged and the applications are no longer running, Richard said.
“A very simple example would be like in a suicide case. Maybe someone opens Microsoft Word, they start typing the suicide note, they decide ‘I’m not going to make a suicide note, I’ll just close Word,’ they didn’t save it,” Richard said. “The policemen come, pull the plug out, there’s no evidence at all now. Memory forensics could find the remnants of the suicide note in the memory of the computer even though he didn’t save it to the hard drive.”
Richard began working with memory forensics around 2005. He was one of the organizers of a digital forensics research workshop and was given a challenge to create the field of memory forensics.
“Memory forensics in 2005, the techniques and tools were really simple, so they were pretty easy to understand,” Richard said. “That stuff has gotten so complicated now that code is super sophisticated and it’s not clear that in all cases it’s completely accurate.”
Richard is working closely with former University student Andrew Case along with other students, both undergraduates and graduates.
The team is using the grant to create “Gaslight,” a software program that feeds memory forensics tools deliberately corrupted data in order to stress-test them and try to break them. The goal is to break the tools so they can be fixed before they are used in a real case, where a failure could potentially corrupt evidence.
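The stress-testing approach described above, as an added illustration rather than Gaslight's own code or anything from Richard's team: a toy memory image holding a linked list of process records is mutated at random and fed to a hardened list walker, and the harness tallies whether the walker parses, reports corruption, or fails in an unhandled way. The 24-byte record layout, `walk_process_list`, `classify` and `fuzz_walker` are all constructed for this example.

```python
import random
import struct

# Constructed toy layout, not a real OS structure: each process record is 24 bytes,
# u32 offset of the next record (0 ends the list), u32 pid, 16-byte NUL-padded name.
REC = struct.Struct("<II16s")
MAX_PROCS = 1024  # sanity cap, far above any plausible list length

class CorruptImage(Exception): """Raised when the list cannot be walked safely."""

def build_image(procs, base=0x40):
    """Lay the records out contiguously from `base`; returns (image, head offset)."""
    img = bytearray(base + REC.size * len(procs))
    for i, (pid, name) in enumerate(procs):
        off = base + i * REC.size
        nxt = off + REC.size if i + 1 < len(procs) else 0
        REC.pack_into(img, off, nxt, pid, name.encode())
    return bytes(img), base

def walk_process_list(img, head):
    """Hardened walker: rejects out-of-bounds pointers, cycles and runaway lists."""
    procs, seen, off = [], set(), head
    while off != 0:
        if off in seen or len(procs) >= MAX_PROCS:
            raise CorruptImage("cycle or runaway list at 0x%x" % off)
        if off + REC.size > len(img):
            raise CorruptImage("record at 0x%x runs past the image" % off)
        seen.add(off)
        nxt, pid, name = REC.unpack_from(img, off)
        procs.append((pid, name.rstrip(b"\0").decode("ascii", "replace")))
        off = nxt
    return procs

def classify(img, head):
    # Run the walker once and label the outcome the way a fuzzing harness would.
    try:
        walk_process_list(img, head)
        return "ok"
    except CorruptImage:
        return "rejected"  # corruption detected and reported: the tool survived
    except Exception:
        return "crashed"   # unhandled failure: the kind of defect stress-testing hunts

def fuzz_walker(img, head, rounds=2000, seed=1):
    # Flip a few random bytes per round and tally how the walker copes.
    rng = random.Random(seed)
    stats = {"ok": 0, "rejected": 0, "crashed": 0}
    for _ in range(rounds):
        mutated = bytearray(img)
        for _ in range(rng.randint(1, 4)):
            mutated[rng.randrange(len(mutated))] = rng.randrange(256)
        stats[classify(bytes(mutated), head)] += 1
    return stats
```

A walker without the `seen` set or the bounds check would show up in the "crashed" column (or hang on a cyclic pointer), which is exactly the class of defect this kind of harness is meant to surface before a tool is trusted on real evidence.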
Malware will deliberately hide from memory forensics software to persist on the computer, Richard said.
“One of the biggest uses of memory forensics these days is uncovering really bad computer viruses,” Richard said. “The stuff is getting really hard to detect now. Stuff like antivirus works like 60 to 70 percent of the time.”
The project will continue through 2020 with the goal of making memory forensics more reliable and resilient.
Richard and others are in the process of submitting another grant to combine memory forensics and machine learning to create an easier way of reading the output of the forensic tool, Richard said.
Computer science professor receives grant to study memory forensics
November 14, 2017