Computer Science Professor Awarded $1 Million-Plus Grant by NSF to Study Memory Forensics

11/7/2017Golden Richard

BATON ROUGE – LSU Computer Science Professor Golden Richard III has long been at the forefront of memory forensics research, well past its beginnings in academia more than a decade ago.

Since then, the issues of data breaches, crippling viruses, etc., have seemingly outpaced solutions. Richard’s work on the subject, however – recently aided by a more than $1.1 million grant from the National Science Foundation’s Secure & Trustworthy Cyberspace program – seeks to close that gap.

“Traditional digital forensics involves searching storage devices for digital evidence that might be useful in civil or criminal litigation or in trying to understand whether a system has been attacked,” said Richard, who also serves as associate director for cybersecurity at LSU's Center for Computation and Technology, where he's conducting his work. “Memory forensics involves adding the contents of RAM to this search space.

“Ordinarily, if a system is shut down for investigation so that hard drives can be removed and copied, etc., then the volatile state of the computer is lost – that’s the data in the RAM. Memory forensics involves taking a copy of RAM and finding forensic artifacts there, such as which applications were recently running, network connections, signs of malware infection, etc.”

Richard and his team – which consists of LSU students and main collaborator Andrew Case, who was deeply involved in the creation and maintenance of Volatility, one of the most famous open-source memory forensics tools – are addressing three important research issues in memory forensics through this project.

The first is providing access to data that describes what a computer system should look like, making it easier to determine if it has been infected with malware. The second is using their testing tool, “Gaslight,” to force other memory forensics tools to reveal the mistakes they make, which can then be fixed. The third is developing better memory forensic techniques to detect certain kinds of malware.

In the end, Richard said, the work will be integrated into Volatility so that it can benefit other researchers and cybersecurity practitioners.


###

Contact: Joshua Duplechain, Director of Communications, 225-578-5706 (o), josh@lsu.edu