ABSTRACT: Traditional digital forensics techniques focus on analyzing persistent disk images for recovering evidence data and information. In this talk, I will present our research efforts at a new frontier: uncovering past user activities from a single snapshot of the volatile memory (i.e. a "window to the past"). More specifically, using Android as our subject platform, I will first show the reconstruction and re-rendering of the most recent GUIs of apps running in the background, by piecing together hundreds and thousands of disconnected data structures that previously represented a GUI screen. Then I will demonstrate the (more powerful) capability of recreating a sequence of previously displayed GUI screens of any app, via program instrumentation and trans-context execution. Finally, I will present our latest effort in device-wide sequencing of user activities across apps, by exploiting the temporal-spatial correlation in memory allocation. All techniques presented are app-agnostic, requiring no app-specific reverse engineering or modification.
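The abstract describes two ideas at a high level: rebuilding a GUI screen from an unordered bag of heap objects by following the pointers between them, and ordering recovered screens by exploiting the fact that objects allocated close in time tend to sit close in memory. The following Python example, added here and not code from the talk or its authors, illustrates both on a constructed, much-simplified snapshot. It assumes a toy object model (a `ViewObj` record with a kind, a text field and child pointers, standing in for Android View objects) and a bump-style allocator in which lower addresses were handed out earlier; it also handles dangling child pointers and reference cycles, which a real snapshot will contain.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class ViewObj:
    """One heap object recovered from a snapshot (constructed, simplified record)."""
    addr: int
    kind: str
    text: str = ""
    children: Tuple[int, ...] = ()   # addresses of child views, may dangle

# Constructed snapshot: an unordered bag of records, deliberately listed out of
# address order. Addresses and contents are made up for illustration only.
SNAPSHOT: Dict[int, ViewObj] = {o.addr: o for o in [
    ViewObj(0x2010, "TextView", text="Compose"),
    ViewObj(0x1020, "TextView", text="Hello from Bob"),
    ViewObj(0x2000, "LinearLayout", children=(0x2010, 0x2020, 0x2030)),
    ViewObj(0x1000, "LinearLayout", children=(0x1010, 0x1020)),
    ViewObj(0x2020, "EditText", text="Re: Hello"),
    ViewObj(0x1010, "TextView", text="Inbox"),
    # 0x2030 is referenced by 0x2000 but absent from the snapshot (freed or
    # not resident): the rebuild must tolerate this rather than crash.
]}

def find_roots(snapshot: Dict[int, ViewObj]) -> List[int]:
    """Screen roots are objects that no other object points to as a child."""
    referenced = {c for o in snapshot.values() for c in o.children}
    return sorted(a for a in snapshot if a not in referenced)

def rebuild_tree(snapshot: Dict[int, ViewObj], addr: int, path: Tuple[int, ...] = ()) -> dict:
    """Reconnect the scattered objects into a tree by following child pointers.

    Missing targets become '<missing>' leaves; a pointer back onto the current
    path becomes a '<cycle>' leaf so the recursion always terminates. Sharing a
    child between two parents (a DAG) is allowed and simply appears twice.
    """
    if addr in path:
        return {"addr": addr, "kind": "<cycle>", "text": "", "children": []}
    if addr not in snapshot:
        return {"addr": addr, "kind": "<missing>", "text": "", "children": []}
    o = snapshot[addr]
    return {"addr": addr, "kind": o.kind, "text": o.text,
            "children": [rebuild_tree(snapshot, c, path + (addr,)) for c in o.children]}

def render(tree: dict, depth: int = 0) -> str:
    """Text re-rendering of a recovered tree, one indented line per view."""
    line = f"{'  ' * depth}{tree['kind']}@{tree['addr']:#x}"
    if tree["text"]:
        line += f' "{tree["text"]}"'
    return "\n".join([line] + [render(c, depth + 1) for c in tree["children"]])

def sequence_screens(snapshot: Dict[int, ViewObj]) -> List[Tuple[int, str]]:
    """Order recovered screens oldest-first.

    Assumption (temporal-spatial correlation): the allocator handed out
    increasing addresses over time, so a lower root address means an earlier
    screen. Real allocators reuse freed space, so this is only a heuristic.
    """
    return [(r, render(rebuild_tree(snapshot, r))) for r in find_roots(snapshot)]

if __name__ == "__main__":
    for addr, screen in sequence_screens(SNAPSHOT):
        print(f"--- screen rooted at {addr:#x} ---")
        print(screen)
```

On this constructed input the two `LinearLayout` objects come out as roots, the inbox screen at `0x1000` is sequenced before the compose screen at `0x2000`, and the dangling pointer to `0x2030` is reported as a `<missing>` leaf instead of aborting the reconstruction. The real work described in the talk, recognising which raw bytes are View objects and what their field layout is, is exactly what this example assumes away.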
BIOGRAPHY: Dongyan Xu is a professor of computer science at Purdue University. He is also the Interim Director of Purdue's Center for Education and Research in Information Assurance and Security (CERIAS). Dongyan's research spans cyber and cyber-physical systems security and forensics, cloud computing, and virtualization technology, with current projects focusing on autonomous vehicle controller security, APT analytics and forensics, and commodity software transformation for security. His research has long been supported by both government and industry. He is the co-author of seven award-winning papers at top conferences in security and cloud computing, including CCS, NDSS, USENIX Security, RAID, and SoCC. This year he serves as the program co-chair of CCS 2017. Dongyan received his Ph.D. in computer science from the University of Illinois at Urbana-Champaign in 2001, under the direction of Prof. Klara Nahrstedt.