Automated Memory Forensics: Analyzing Data Structures from Memory Dumps


Details
Matteo Dell'Amico (Univ. of Genoa) will give a seminar at 14:00 on April 24th, 2025.
This event is hybrid.
🗓 Date & Time: Thursday, April 24, 2025, at 14:00
📍 Location: Room 1537 Germund Dahlquist, KTH
🌐 Online: https://kth-se.zoom.us/j/69916890097
Abstract
This talk presents a memory forensics approach that reconstructs data structures from memory dumps of running software, without requiring source code or prior system information. Introduced by Oliveri et al. at NDSS 2023, the approach identifies and extracts common data structures—such as linked lists, trees, and arrays—providing insight into how software organizes its information. While the original goal was to perform memory forensics tasks at the OS level (e.g., listing running processes or open files), we recently experimented with techniques to apply the same approach in userspace, to aid reverse engineering by revealing the internal organization of data within a binary. Attendees will learn about the theoretical foundations and practical considerations of this approach and explore its potential applications in analyzing software data structures.
Speaker
Matteo Dell'Amico is an associate professor at the University of Genoa (Italy). He previously worked in France at EURECOM and in the research groups of Symantec/NortonLifeLock. His research interests focus mainly on distributed systems and computer security.
Attending
We will be on the 5th floor of E-house about 10 minutes before the session starts to guide you to the room.
