Semester of Graduation
Master of Science in Computer Science (MSCS)
Computer Science and Engineering
The analysis of the volatile memory (RAM) of a computer system, known as memory forensics, is a critical component of modern digital forensics investigations. Since the evidence provided by memory forensics is vital, automated solutions that implement the analysis are necessary. Volatility is the most widely used memory forensics framework and also offers the most functionality of all publicly available tools. Volatility and all other memory forensics frameworks are extremely complex software systems, as they must parse a substantial number of in-memory data structures and their associated values. Given the reliance on memory forensics during digital investigations, robust automation of artifact extraction and presentation is required. In this study, novel methods for scalable fuzz testing were developed, and the implementations of these methods were thoroughly evaluated against the Volatility framework. Fuzz testing is a technique in which a target program is intentionally fed faulty data in order to discover whether it enters an unexpected state during processing. The developed fuzzer generates thousands of mutations, each of which is specifically generated to stress test the algorithms of memory forensic frameworks. Since the developed library of mutations is so extensive, complete fuzz testing requires copious amounts of compute time and memory. To handle these requirements in a scalable and flexible manner, the developed system was designed to evenly distribute all resources, even when scaled to hundreds of compute cores. Distributed fuzzing of Volatility using the developed fuzz framework led to the discovery of many issues in Volatility's analysis engine, including it being vulnerable to resource exhaustion attacks, silent crashes, and unhandled exceptions.
Shahmirza, Arian Dokht, "High Performance Fuzz Testing of Memory Forensics Frameworks" (2019). LSU Master's Theses. 4968.