MCarve: Carving attributed dump sets

Ton van Deursen, Sjouke Mauw, Sǎsa Radomirović

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Carving is a common technique in digital forensics to recover data from a memory dump of a device. In contrast to existing approaches, we investigate the carving problem for sets of memory dumps. Such a set can, for instance, be obtained by dumping the memory of a number of smart cards or by regularly dumping the memory of a single smart card during its lifetime. The problem that we define and investigate is to determine at which location in the dumps certain attributes are stored. By studying the commonalities and dissimilarities of these dumps, one can significantly reduce the collection of possible locations for such attributes. We develop algorithms that support in this process, implement them in a prototype, and apply this prototype to reverse engineer the data structure of a public transportation card.

Original languageEnglish
Title of host publicationProceedings of the 20th USENIX Security Symposium
PublisherUSENIX Association
Pages107-121
Number of pages15
ISBN (Electronic)9781931971874
Publication statusPublished - 2011
Event20th USENIX Security Symposium 2011 - San Francisco, United States
Duration: 8 Aug 201112 Aug 2011

Conference

Conference20th USENIX Security Symposium 2011
CountryUnited States
CitySan Francisco
Period8/08/1112/08/11

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Fingerprint Dive into the research topics of 'MCarve: Carving attributed dump sets'. Together they form a unique fingerprint.

  • Cite this

    van Deursen, T., Mauw, S., & Radomirović, S. (2011). MCarve: Carving attributed dump sets. In Proceedings of the 20th USENIX Security Symposium (pp. 107-121). USENIX Association.