Abstract
Carving is a common technique in digital forensics to recover data from a memory dump of a device. In contrast to existing approaches, we investigate the carving problem for sets of memory dumps. Such a set can, for instance, be obtained by dumping the memory of a number of smart cards or by regularly dumping the memory of a single smart card during its lifetime. The problem that we define and investigate is to determine at which location in the dumps certain attributes are stored. By studying the commonalities and dissimilarities of these dumps, one can significantly reduce the collection of possible locations for such attributes. We develop algorithms that support this process, implement them in a prototype, and apply this prototype to reverse engineer the data structure of a public transportation card.
Original language | English |
---|---|
Title of host publication | Proceedings of the 20th USENIX Security Symposium |
Place of Publication | United States |
Publisher | USENIX Association |
Pages | 107-121 |
Number of pages | 15 |
ISBN (Print) | 9781931971874 |
Publication status | Published - 2011 |
Event | 20th USENIX Security Symposium - San Francisco, United States. Duration: 8 Aug 2011 → 12 Aug 2011. https://www.usenix.org/legacy/events/sec11/ |
Conference
Conference | 20th USENIX Security Symposium |
---|---|
Abbreviated title | USENIX Security '11 |
Country/Territory | United States |
City | San Francisco |
Period | 8/08/11 → 12/08/11 |
Internet address |