Doctoral research project number: 6829

Description

Submission date: 14 February 2020
Title: IoT Memory forensics
Thesis supervisor: Davide BALZAROTTI (Eurecom)
Scientific field: Information and communication sciences and technologies
CNRS theme: Not defined

Abstract: The thesis focuses on memory analysis, one of the more recent approaches used to inspect a compromised system and one that is rapidly becoming one of the most important parts of digital forensic investigations. In a typical memory forensic scenario, the analyst first collects an image of the entire physical memory (RAM) of the system to be analyzed (often called a memory dump). Then, using dedicated tools designed to overcome the semantic gap, the analyst reconstructs both the operating system and process artifacts that are present in the physical memory. This is typically done by locating a number of key kernel objects that serve as starting points to follow pointers and walk linked structures to reach other relevant data. Unfortunately, all the rules and heuristics used today to analyze a system's memory have been hand-picked by forensics experts over the course of many years and support only a couple of mainstream operating systems. To mitigate this problem, the main goal of this thesis is to propose new tools and techniques for the analysis of memory acquired from emerging systems and architectures (such as IoT systems) and to investigate the design of novel cross-platform digital forensics and incident response solutions. This ambitious goal will require rethinking the way we approach memory forensics, replacing handwritten rules with automated solutions that can operate when either the operating system or its data structures are unknown to the analyst.

Doctoral student: Oliveri Andrea