Briefly, I'm an experimental computer scientist (aka
"hacker in professorial clothing", with optional bowtie),
with both interest and significant expertise in digital
forensics, memory forensics, reverse engineering,
malware analysis, operating systems internals,
and filesystems. In the past I worked in mobile computing,
fault-tolerant distributed systems, and computer graphics.
If you need the denser story, please see below.
My research lies in the overlap between memory forensics, operating systems internals, incident response, and reverse engineering/malware analysis. Most of my research is very applied and is concerned with how systems work at both a low level and with a high degree of detail. I am completely unapologetic about the applied nature of my research.
I am actively involved in the academic, government, and professional research communities in computer security and serve on the Executive Committee of the Digital Forensics Research Workshop, the Editorial Board of the Journal of Digital Investigation, the Editorial Board of Computers and Security (COSE), and the Editorial Board of the flagship journal of the American Academy of Forensic Sciences. I'm also a Fellow the American Academy of Forensic Sciences (AAFS). In digital forensics and memory forensics, I’ve concentrated on developing novel tools and techniques to make investigation easier, faster, and more productive for investigators. A few representative projects are detailed below. Other funded projects are mentioned in my CV.
I'm currently collaborating with Andrew Case of the Volatility Foundation, Aisha Ali-Gombe of Towson University, and a host of Ph.D., M.S., and undergraduate students on improving the reliability of memory forensics tools by developing a comprehensive memory forensics fuzzing architecture called Gaslight. We're also developing a platform for automatically delivering custom memory images and working on improved strategies for userland memory forensics. This project is supported through 2020 by NSF via SaTC: CORE: Medium: Robust Memory Forensics Techniques for Userland Malware Analysis, Award # 1703683, PI: Golden G. Richard III, $1,113,426. Andrew Case is the co-PI.
Aisha Ali-Gombe of Towson University and I are also working on some new approaches to teaching malware analysis. This effort is funded through 2018 by NSA via Introducing Active Learning to Malware Analysis Curricula, PI: Golden G. Richard III, $210,131. Aisha Ali-Gombe is the co-PI.
From 2013-2017, I collaborated with Xiangyu Zhang and Dongyan Xu from Purdue on methods for systematic investigation of advanced targeted attacks in enterprise networks. This work relies on automatic reverse engineering and instrumentation of binary executables and the establishment of connections between audit log entries, executables, and data recovered from memory and disk images to rapidly reveal the sources and attack vectors used in cyberattacks. This research was funded by NSF via the grant TWC: Medium: Collaborative: Towards a Binary-Centric Framework for Cyber Forensics in Enterprise Environments, Award # 1409534, PI: Golden G. Richard III, $511,193.
From 2010-2013, I collaborated with Irfan Ahmed and others to improve live forensics techniques and combine these with virtual machine introspection to yield powerful tools for reconstructing historical events of forensic interest and detecting malicious software. This research was funded by NSF via TC-Small-Virtual Machine Introspection-based Live Forensics for Detection of Malicious Software, Award # 1016807, PI: Golden G. Richard III, $598,664.
I’ve also recently collaborated with Carl Weems of Iowa State and Irfan Ahmed of the University of New Orleans on the psychological underpinnings of cybercrime, and how anxiety and callous traits may impact usable security, the tendency for users to be susceptible to social engineering attacks, and to perpetrate insider attacks. This work was funded by NSF via EAGER: Integrating Cognitive and Computer Science to Improve Cybersecurity: Selective Attention and Personality Traits for the Detection and Prevention of Risk, $223,022. Irfan Ahmed was the PI.
I've also worked recently with Vassil Roussev and Irfan Ahmed of the University of New Orleans on two other NSF grants, involving the use of container technologies for enhancing cybersecurity training ($300K) and the use of peer instruction in cybersecurity ($300K, and also in collaboration with Cynthia Bailey Lee, of Stanford University).
RESEARCH FOCUS (DISTANT PAST)
In 2005, I presented a paper that introduced Scalpel, a fast data carving application, which has since become one of the most widely used tools for data recovery. This was the first academic paper to address carving and spurred a large amount of academic research in this area. Scalpel is included as a standard tool in many popular incident response toolkits, such as Backtrack, and is currently being incorporated into the Sleuthkit, a popular open source investigative suite. In 2006, I received three years of funding from the National Science Foundation through the Cyber Trust program to expand the capabilities and scope of file carving. This work resulted in a number of improvements to the state-of-the-art in data recovery, including development of in-place file carving and GPU-assisted file carving.
In collaboration with Vassil Roussev, I developed a distributed computing framework for digital forensics, called DELV, that runs on commodity compute clusters and provides tremendously improved performance for large forensic targets when compared to existing tools. This framework not only accelerates current generation tasks such as keyword searches, image thumbnailing, and file carving, but also provides sufficient computing resources to enable a new generation of forensic analysis, including better image handling, evidence correlation, and detection of steganography. The paper describing DELV’s architecture and performance was the first to discuss the application of high performance computing principles to digital forensics and challenged prevailing single workstation architectures for forensics tools. Almost a decade after the initial paper describing DELV was published, the commercial forensics tool industry embraced this idea, with the introduction of multiprocessor-capable forensics software such as AccessData’s FTK. A natural followup to high performance, cluster-based digital forensics was research to improve the performance of desktop forensics tools and our solution utilized modern Graphics Processing Units (GPUs), specifically, the NVIDIA G80 and its successors, to dramatically increase performance of digital forensics techniques such as file carving. That work, in collaboration with Vico Marziale, was presented at DFRWS and was also featured by NVIDIA in its GPU computing showcase.
In the more distant past, I’ve worked in many areas of experimental computer science, including distributed computing, reliable high performance computing, computer graphics, mobile computing, sensor networks, service discovery protocols, reliable multicast, and network visualization. Highlights include:
• Improving performance of unicast and multicast routing protocols in ad hoc wireless networks (in collaboration with two of my Ph.D. students, Abdul Altalhi and Lawrence Klos).
• Design and development of a novel wireless intrusion detection system (WIDS, in collaboration with ATC-NY).
• Designing one of the first full-featured service discovery protocols for wireless sensor networks (TinySDP, in collaboration with Loren Schwiebert).
• Writing the first book on service discovery protocols (Service and Device Discovery: Protocols and Programming, which I was invited to write by McGraw-Hill), which covers Jini, UPnP, SLP, and Bluetooth SDP.
• Design and development of a network architecture to support interoperability between Jini and Universal Plug and Play service discovery suites.
• Writing a textbook on mobile computing with Frank Adelstein, Sandeep Gupta, and Loren Schwiebert (Fundamentals of Mobile and Pervasive Computing, McGraw-Hill).
• Development of Bessie, a network topology generation and visualization tool that supported some of my earlier research in ad hoc networking protocols.
• The first scheme and first paper on using message logging to reduce checkpointing overhead in reliable distributed shared memory (DSM) systems.