• Speaker: Robert Walls (UMass Amherst)
• Date: October 25, 2013 (Friday)
• Room: CIT 368
• Title: "Forensic Triage for Mobile Phones"
• Abstract:
Forensic investigators are often tasked with extracting evidence from mobile phones and other embedded systems; however, too often the exact data format used on the device has never been seen before. Hence, a manual process of reverse engineering begins — a dead end for practitioners who need information quickly. Recent research on automated reverse engineering is largely focused on the instrumentation of the system and executables. While accurate and reasonable for the common Windows/Intel desktop platform, construction of a new instrumentation system for every phone architecture-OS combination in use would require significant time for each and expertise not present in the practitioner community. In this talk, I will focus on a data-driven approach to phone forensic triage. We seek to quickly parse data from the phone without analyzing or instrumenting software. We aim to obtain high-quality results, even for phones that have not been previously encountered by our system. Our solution, called DEC0DE, leverages success from already examined phones in the form of a flexible library of probabilistic finite state machines. Our main insight is that the variety of phone models and data formats can be leveraged for recovering information from new phones.

Robert Walls is a Ph.D. candidate in the School of Computer Science at the University of Massachusetts working with Prof. Brian Levine. His research aims to advance digital forensics by providing law enforcement with novel techniques for investigating crimes. Previously, he studied at The University of Texas at Arlington where he focused on network security.