RESEARCH INTERESTS

Briefly, I'm an experimental computer scientist (aka "hacker in professorial clothing", with optional bowtie), with both interest and significant expertise in digital forensics, memory forensics, reverse engineering, malware analysis, operating systems internals, and filesystems.  In the past I worked in mobile computing, fault-tolerant distributed systems, and computer graphics.

If you need the denser story, please see below.

PUBLICATIONS

For a list of publications, click here.

CV

For a complete CV, click here.

For a shorter version of my CV (which may not be as up-to-date as the complete one), click here.

CURRENT PROJECTS

My research lies in the overlap between memory forensics, operating systems internals, incident response, and reverse engineering/malware analysis.  Most of my research is very applied and is concerned with how systems work at both a low level and with a high degree of detail. I am completely unapologetic about the applied nature of my research.  I'm also highly skeptical of "click bait" research which receives tons of press (or generates tons of publications) but has little practical impact.

I am actively involved in the academic, government, and professional research communities in computer security and serve on the Executive Committee of the Digital Forensics Research Workshop, the Editorial Board of the Journal of Digital Investigation, and the Editorial Board of Computers and Security (COSE).  I'm also a Fellow of the American Academy of Forensic Sciences (AAFS).  In digital forensics and memory forensics, I've concentrated on developing novel tools and techniques to make investigation easier, faster, and more productive for investigators. A few representative projects are detailed below.  Other funded projects are mentioned in my CV.

My current focus is on developing scalpel3, a massively threaded architecture for recovery of fragmented data (e.g., from damaged filesystems or damaged flash media).  Yes, I know it's an NP-Hard problem :).  Heuristics to the rescue.  scalpel3 is a complete rewrite of the open source scalpel file carver, which I created in 2005, and which has since become a widely used tool in data recovery.  The scalpel paper was the first academic paper to address carving and spurred a large amount of academic research in the area.  I then enhanced scalpel in collaboration with Vico Marziale--we added multithreading, in-place file carving, GPU acceleration, and lots more.  The emphasis for scalpel3 is on *practical* solutions to solving the data fragmentation problem for selected file types and making this process as fast as possible on modern hardware.  It's not open sourced yet, but will be in the relatively near future.
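To illustrate what a header/footer file carver with "in-place" output does, here is a small added example (not scalpel's or scalpel3's own code): it scans a raw image for constructed signatures and records where each candidate file lies instead of copying it out, flagging candidates whose footer is never found. The signature table, carve sizes and sample image are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List

# Constructed signature table in the style of a carver config:
# (type name, header bytes, footer bytes, maximum carve size in bytes).
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 200),
    ("pdf", b"%PDF", b"%%EOF", 300),
]

@dataclass
class CarveRecord:
    ftype: str
    offset: int
    length: int
    truncated: bool  # no footer found before max size (or end of image)

def carve(image: bytes, signatures=SIGNATURES) -> List[CarveRecord]:
    """Scan a raw image for header signatures and return in-place records.

    Each header hit is paired with the nearest following footer inside
    the max-size window; if none is found, the candidate is cut at the
    window edge and flagged as truncated instead of being discarded.
    """
    records = []
    for ftype, header, footer, max_size in signatures:
        pos = image.find(header)
        while pos != -1:
            window_end = min(len(image), pos + max_size)
            end, truncated = window_end, True
            fpos = image.find(footer, pos + len(header), window_end)
            if fpos != -1:
                end, truncated = fpos + len(footer), False
            records.append(CarveRecord(ftype, pos, end - pos, truncated))
            pos = image.find(header, pos + 1)
    records.sort(key=lambda r: r.offset)  # present hits in image order
    return records

def extract(image: bytes, rec: CarveRecord) -> bytes:
    """Materialise one carved file from its in-place record on demand."""
    return image[rec.offset:rec.offset + rec.length]

# Constructed sample image: filler, one complete JPEG, then a PDF that
# the end of the image cuts off (a fragment with no footer).
SAMPLE_IMAGE = (b"\x00" * 16 + b"\xff\xd8\xff\xe0JFIFdata\xff\xd9"
                + b"\x00" * 8 + b"%PDF-1.4 partial body")
```

Records are only offsets and lengths, so a large image can be scanned once and individual files pulled out later with extract(); a real carver must additionally deal with fragmented files, which this header/footer pass cannot reassemble.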

I'm also hard at work on a cybersecurity book with Chris Hoofnagle of Berkeley, which should be published by Wiley in 2024.

Finally, I'm still involved in interesting (to me :) research in memory forensics, malware analysis, reverse engineering, code attribution, HPC, and a bunch of other applied areas.

SOME PAST PROJECTS

I collaborated with Andrew Case of the Volatility Foundation, Aisha Ali-Gombe (then at Towson University), and a host of Ph.D., M.S., and undergraduate students on improving the reliability of memory forensics tools by developing a comprehensive memory forensics fuzzing architecture called Gaslight.  We're also developing a platform for automatically delivering custom memory images and working on improved strategies for userland memory forensics.  This project is supported through 2020 by NSF via SaTC: CORE: Medium: Robust Memory Forensics Techniques for Userland Malware Analysis, Award # 1703683, PI: Golden G. Richard III, $1,113,426 and by our Scholarships for Service (SFS) grant.  We have two additional NSF grants pending to continue this work.  Numerous academic papers and two Blackhat talks are the result of a lot of effort in this area.

Aisha Ali-Gombe and I also worked on some new approaches to teaching malware analysis.  This effort was funded by NSA via Introducing Active Learning to Malware Analysis Curricula, PI: Golden G. Richard III, $210,131.  Aisha Ali-Gombe is the co-PI.

From 2013-2017, I collaborated with Xiangyu Zhang and Dongyan Xu from Purdue on methods for systematic investigation of advanced targeted attacks in enterprise networks. This work relies on automatic reverse engineering and instrumentation of binary executables and the establishment of connections between audit log entries, executables, and data recovered from memory and disk images to rapidly reveal the sources and attack vectors used in cyberattacks.  This research was funded by NSF via the grant TWC: Medium: Collaborative: Towards a Binary-Centric Framework for Cyber Forensics in Enterprise Environments, Award # 1409534, PI: Golden G. Richard III, $511,193.

From 2010-2013, I collaborated with Irfan Ahmed and others to improve live forensics techniques and combine these with virtual machine introspection to yield powerful tools for reconstructing historical events of forensic interest and detecting malicious software.  This research was funded by NSF via TC-Small-Virtual Machine Introspection-based Live Forensics for Detection of Malicious Software, Award # 1016807, PI: Golden G. Richard III, $598,664.

In the past I've also collaborated with Carl Weems of Iowa State and Irfan Ahmed of the University of New Orleans on the psychological underpinnings of cybercrime, and how anxiety and callous traits may impact usable security, the tendency for users to be susceptible to social engineering attacks, and the tendency to perpetrate insider attacks.  This work was funded by NSF via EAGER: Integrating Cognitive and Computer Science to Improve Cybersecurity: Selective Attention and Personality Traits for the Detection and Prevention of Risk, $223,022. Irfan Ahmed was the PI.

In the not-too-distant past I also worked with Vassil Roussev and Irfan Ahmed of the University of New Orleans on two other NSF grants, involving the use of container technologies for enhancing cybersecurity training ($300K) and the use of peer instruction in cybersecurity ($300K, and also in collaboration with Cynthia Bailey Lee, of Stanford University).

In collaboration with Vassil Roussev, I developed a distributed computing framework for digital forensics, called DELV, that runs on commodity compute clusters and provides tremendously improved performance for large forensic targets when compared to existing tools.  This framework not only accelerates current generation tasks such as keyword searches, image thumbnailing, and file carving, but also provides sufficient computing resources to enable a new generation of forensic analysis, including better image handling, evidence correlation, and detection of steganography. The paper describing DELV's architecture and performance was the first to discuss the application of high performance computing principles to digital forensics and challenged prevailing single workstation architectures for forensics tools.  Almost a decade after the initial paper describing DELV was published, the commercial forensics tool industry embraced this idea, with the introduction of multiprocessor-capable forensics software such as AccessData's FTK.  A natural followup to high performance, cluster-based digital forensics was research to improve the performance of desktop forensics tools, and our solution utilized modern Graphics Processing Units (GPUs), specifically the NVIDIA G80 and its successors, to dramatically increase performance of digital forensics techniques such as file carving.  That work, in collaboration with Vico Marziale, was presented at DFRWS and was also featured by NVIDIA in its GPU computing showcase.

In the even more distant past, I've worked in many areas of experimental computer science, including distributed computing, reliable high performance computing, computer graphics, mobile computing, sensor networks, service discovery protocols, reliable multicast, and network visualization.  Highlights include:

• Improving performance of unicast and multicast routing protocols in ad hoc wireless networks (in collaboration with two of my Ph.D. students, Abdul Altalhi and Lawrence Klos).

• Design and development of a novel wireless intrusion detection system (WIDS, in collaboration with ATC-NY).

• Designing one of the first full-featured service discovery protocols for wireless sensor networks (TinySDP, in collaboration with Loren Schwiebert).

• Writing the first book on service discovery protocols (Service and Device Discovery: Protocols and Programming, which I was invited to write by McGraw-Hill), which covers Jini, UPnP, SLP, and Bluetooth SDP.

• Design and development of a network architecture to support interoperability between Jini and Universal Plug and Play service discovery suites.

• Writing a textbook on mobile computing with Frank Adelstein, Sandeep Gupta, and Loren Schwiebert (Fundamentals of Mobile and Pervasive Computing, McGraw-Hill).

• Development of Bessie, a network topology generation and visualization tool that supported some of my earlier research in ad hoc networking protocols.

• The first scheme and first paper on using message logging to reduce checkpointing overhead in reliable distributed shared memory (DSM) systems.