Trace-free memory data structure forensics via past inference and future speculations

Pengfei Sun, Rui Han, Mingbo Zhang, Saman Zonouz

Research output: Chapter in Book/Report/Conference proceedingConference contribution

2 Scopus citations


A yet-to-be-solved but very vital problem in forensics analysis is accurate memory dump data type reverse engineering where the target process is not a priori specified and could be any of the running processes within the system. We present REVIVER, a lightweight system-wide solution that extracts data type information from the memory dump without its past execution traces. REVIVER constructs the dump's accurate data structure layout through collection of statistical information about possible past traces, forensics inspection of the present memory dump, and speculative investigation of potential future executions of the suspended process. First, REVIVER analyzes a heavily instrumented set of execution paths of the same executable that end in the same state of the memory dump (the eip and call stack), and collects statistical information the potential data structure instances on the captured dump. Second, REVIVER uses the statistical information and performs a word-byword data type forensics inspection of the captured memory dump. Finally, REVIVER revives the dump's execution and explores its potential future execution paths symbolically. REVIVER traces the executions including library/system calls for their known argument/ return data types, and performs backward taint analysis to mark the dump bytes with relevant data type information. REVIVER's experimental results on real-world applications are very promising (98.1%), and show that REVIVER improves the accuracy of the past trace-free memory forensics solutions significantly while maintaining a negligible runtime performance overhead (1.8%).

Original languageEnglish (US)
Title of host publicationProceedings - 32nd Annual Computer Security Applications Conference, ACSAC 2016
PublisherAssociation for Computing Machinery
Number of pages13
ISBN (Electronic)9781450347716
StatePublished - Dec 5 2016
Event32nd Annual Computer Security Applications Conference, ACSAC 2016 - Los Angeles, United States
Duration: Dec 5 2016Dec 9 2016

Publication series

NameACM International Conference Proceeding Series


Other32nd Annual Computer Security Applications Conference, ACSAC 2016
Country/TerritoryUnited States
CityLos Angeles

All Science Journal Classification (ASJC) codes

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications


Dive into the research topics of 'Trace-free memory data structure forensics via past inference and future speculations'. Together they form a unique fingerprint.

Cite this