2018-10-18 on Memory Forensics

da/sec scientific talk on Memory Forensics

Topic: Evaluating and extending Hierarchical Bloom Filter Trees for forensic purposes

by Patrick Schmitt, Lorenz Liebler
D19/2.03a, October 18, 2018 (Thursday), 12.00 noon

Keywords — Memory Carving, Database Lookup Problem

Abstract

Memory images provide valuable information to a forensic investigator. Those images can be examined against black- or white-listed data. Several storage and lookup strategies have been developed over the years to cope with the growing amount of data. The techniques are difficult to compare, as they originate from different domains with individual requirements and usable features. In this talk we compare different techniques, discuss enhancements and evaluate the performance of three different implementations. In addition, we present new integrations of multihit-prevention approaches, which deal with the matching of common blocks (i.e., fragments shared by multiple files).