Automated mapping of large binary objects using primitive fragment type classification

Authors:
Gregory Conti;Sergey Bratus;Anna Shubina;Benjamin Sangster;Roy Ragsdale;Matthew Supan;Andrew Lichtenberg;Robert Perez-Alemany
Affiliations:
United States Military Academy at West Point, West Point, NY, United States;Dartmouth College, Hanover, NH, United States;Dartmouth College, Hanover, NH, United States;United States Military Academy at West Point, West Point, NY, United States;United States Military Academy at West Point, West Point, NY, United States;United States Military Academy at West Point, West Point, NY, United States;Skidmore College, Saratoga Springs, NY, United States;United States Military Academy at West Point, West Point, NY, United States
Venue:
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Year:
2010

Citing 7
Cited 1

Playing "Hide and Seek" with Stored Keys

FC '99 Proceedings of the Third International Conference on Financial Cryptography
Content Based File Type Detection Algorithms

HICSS '03 Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS'03) - Track 9 - Volume 9
Identification and Localization of Data Types within Large-Scale File Systems

SADFE '07 Proceedings of the Second International Workshop on Systematic Approaches to Digital Forensic Engineering
Statistical Disk Cluster Classification for File Carving

IAS '07 Proceedings of the Third International Symposium on Information Assurance and Security
SÁDI - Statistical Analysis for Data Type Identification

SADFE '08 Proceedings of the 2008 Third International Workshop on Systematic Approaches to Digital Forensic Engineering
Visual Reverse Engineering of Binary and Data Files

VizSec '08 Proceedings of the 5th international workshop on Visualization for Computer Security
File Fragment Classification-The Case for Specialized Approaches

SADFE '09 Proceedings of the 2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering

WiSec 2011 poster: context-adaptive entropy analysis as a lightweight detector of zero-day shellcode on mobiles

ACM SIGMOBILE Mobile Computing and Communications Review

Quantified Score

Hi-index	0.00

Visualization

Abstract

Security analysts, reverse engineers, and forensic analysts are regularly faced with large binary objects, such as executable and data files, process memory dumps, disk images and hibernation files, often Gigabytes or larger in size and frequently of unknown, suspect, or poorly documented structure. Binary objects of this magnitude far exceed the capabilities of traditional hex editors and textual command line tools, frustrating analysis. This paper studies automated means to map these large binary objects by classifying regions using a multi-dimensional, information-theoretic approach. We make several contributions including the introduction of the binary mapping metaphor and its associated applications, as well as techniques for type classification of low-level binary fragments. We validate the efficacy of our approach through a series of classification experiments and an analytic case study. Our results indicate that automated mapping can help speed manual and automated analysis activities and can be generalized to incorporate many low-level fragment classification techniques.