Author(s): Zhiqiang Lin, Junghwan Rhee, Chao Wu, Xiangyu Zhang and Dongyan Xu

Download: Paper (PDF)

Date: 7 Feb 2012

Document Type: Briefing Papers

Additional Documents: Slides

Associated Event: NDSS Symposium 2012

Abstract:

Memory pages belonging to a terminated process may remain in a system for a non-trivial period of time. Discovering semantic information from those memory pages is useful in cyber-forensics. We present a technique called DIMSUM for recognizing data structure instances — without memory mapping information. Via probabilistic inference, DIMSUM is able to identify semantic data of interest with quantifiable confidence.