Golden G. Richard III, Ph.D.
Louisiana State University | LSU · Department of Computer Science (Engineering)
About
97 publications · 65,738 reads
2,217 citations
Introduction
Golden G. Richard III is a cybersecurity researcher and teacher and a Fellow of the American Academy of Forensic Sciences. He has over 35 years of practical experience in computer systems and computer security and is a devoted advocate for applied cybersecurity education. He holds a TS/SCI security clearance and supports NSA's CAE-CO internship program, teaching memory forensics, vulnerability analysis, and other topics to cleared interns. His primary research interests are memory forensics, digital forensics, malware analysis, reverse engineering, and operating systems.
Additional affiliations
January 2017 - present
LSU
Position
- Professor (Full)
Description
- Digital forensics, malware analysis, reverse engineering, memory forensics, operating systems
Education
August 1988 - December 1994
Publications (97)
Memory analysis is a digital forensics technique whose goal is to model a computer system's state based solely on the analysis of a snapshot of physical memory (RAM). Memory forensics is frequently employed in incident response to detect and analyze modern malware and attack frameworks. Memory forensics is a particularly powerful tool for analyzing...
Memory Forensics is one of the most important emerging areas in computer forensics. In memory forensics, analysis of userland memory is a technique that analyses per-process runtime data structures and extracts significant evidence for application-specific investigations. In this research, our focus is to examine the critical challenges faced by pr...
This poster details the macOS Userland Runtime analysis using the Objective-C and Swift data structures. It documents our efforts to create memory forensic tools to investigate the macOS runtime.
The performance of partially synchronous BFT-based consensus protocols is highly dependent on the primary node. All participant nodes in the network are blocked until they receive a proposal from the primary node to begin the consensus process. Therefore, an honest but slack node (with limited bandwidth) can adversely affect the performance when se...
The continued rise of Apple's macOS in both the home and workplace has led to a significant rise in the capabilities of both malware and attacker toolkits that target the operating system and its users. Over the last several years there have been numerous documented instances of macOS users being targeted by governments, intelligence agencies, and...
The value of memory analysis during digital forensics, incident response, and malware investigations has been realized for over a decade. The power of memory forensics is based on the fact that volatile memory contains a substantial number of artifacts that are simply never recorded to disk or sent across the network in plaintext form. Orderly reco...
Advances in malware development have led to the widespread use of attacker toolkits that do not leave any trace in the local filesystem. This negatively impacts traditional investigative procedures that rely on filesystem analysis to reconstruct attacker activities. As a solution, memory forensics has replaced filesystem analysis in these scenarios...
The fields of digital forensics and incident response have seen significant growth over the last decade due to the increasing threats faced by organizations and the continued reliance on digital platforms and devices by criminals. This rise has coincided with a significant and continued increase in the size, complexity, and number of digital forens...
Memory forensics is the examination of volatile memory (RAM) for artifacts related to a digital investigation. Memory forensics has become mainstream in recent years because it allows recovery of a wide variety of artifacts that are never written to the file system and are therefore not available when performing traditional filesystem forensics. To...
Over the past few decades, rapid changes in technology have driven a significant increase in the amount and types of data stored on and processed by digital devices. Digital devices may be used in the commission of numerous criminal activities, including unauthorized data exfiltration, fraud, employee misconduct, kidnapping, child pornography, murd...
The use of memory forensics is becoming commonplace in digital investigation and incident response, as it provides critically important capabilities for detecting sophisticated malware attacks, including memory-only malware components. In this paper, we concentrate on improving analysis of API hooks, a technique commonly employed by malware to hija...
Byzantine Fault Tolerant (BFT) protocols have been used in blockchains due to their high performance and fast block acceptance. However, their weakness is a lack of scalability to support a large number of nodes in the network due to message demanding broadcasts. There have been recent improvements to the classic Practical Byzantine Fault Tolerant...
Byzantine Fault Tolerant (BFT) consensus exhibits higher throughput in comparison to Proof of Work (PoW) in blockchains. But BFT-based protocols suffer from scalability problems with respect to the number of replicas in the network. The main reason for this limitation is the quadratic message complexity of BFT protocols. Previously, proposed soluti...
Interest in the individual differences underlying end user computer security behavior has led to the development of a multidisciplinary field of research known as behavioral information security. An important gap in knowledge and the motivation for this research is the development of ways to measure secure and insecure cyber behavior for research a...
The Windows Subsystem for Linux (WSL) was first included in the Anniversary Update of Microsoft's Windows 10 operating system and supports execution of native Linux applications within the host operating system. This integrated support of Linux executables in a Windows environment presents challenges to existing memory forensics frameworks, such as...
The growing threat to user privacy by Android applications (app) has tremendously increased the need for more reliable and accessible analysis techniques. This paper presents AspectDroid, an offline app-level hybrid analysis system designed to investigate Android applications for possible unwanted activities. It leverages static bytecode instrumen...
Memory forensics is now a standard component of digital forensic investigations and incident response handling, since memory forensic techniques are quite effective in uncovering artifacts that might be missed by traditional storage forensics or live analysis techniques. Because of the crucial role that memory forensics plays in investigations and...
The present study provides initial data on self-reported secure and insecure cyber behaviour using the iSECURE. A theoretical model for item pool development, distributions and convergent associations is presented. Data on the distribution of self-report of secure and insecure cyber behaviour is presented as well as data on factor structure of scor...
Traditionally, digital forensics focused on artifacts located on the storage devices of computer systems, mobile phones, digital cameras, and other electronic devices. In the past decade, however, researchers have created a number of powerful memory forensics tools that expand the scope of digital forensics to include the examination of volatile me...
This paper presents the first analysis of the new hibernation file format that is used in Windows versions 8, 8.1, and 10. We also discuss several changes in the hibernation and shutdown behavior of Windows that will have a direct impact on digital forensic practitioners who use hibernation files as sources of evidence.
Major advances in memory forensics in the past decade now allow investigators to efficiently detect and analyze many types of sophisticated kernel-level malware. With operating systems vendors now routinely enforcing driver signing and integrating strategies for protecting kernel data, such as Patch Guard, userland attacks are becoming more attract...
Android applications access native SQLite databases through their Universal Resource Identifiers (URIs), exposed by the Content provider library. By design, the SQLite engine used in the Android system does not enforce access restrictions on database content nor does it log database accesses. Instead, Android enforces read and write permissions on...
The growing threat to user privacy related to Android applications (apps) has tremendously increased the need for more reliable and accessible app analysis systems. This paper presents AspectDroid, an application-level system designed to investigate Android applications for possible unwanted activities. AspectDroid is comprised of app instrumentati...
End users are prone to insecure cyber behavior that may lead them to compromise the integrity, availability or confidentiality of their computer systems. For instance, replying to a phishing email may compromise an end user's login credentials. Identifying tendency toward insecure cyber behavior is critically important to improve cyber security pos...
Pool tag scanning is a process commonly used in memory analysis in order to locate kernel object allocations, enabling investigators to discover evidence of artifacts that may have been freed or otherwise maliciously hidden from the operating system. The fastest current scanning techniques require an exhaustive search of physical memory, a process...
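The exhaustive scan this abstract refers to, written out as an added example; it is not code from the paper or from any existing memory-forensics tool. It assumes the 16-byte x64 _POOL_HEADER layout (PreviousSize, PoolIndex, BlockSize and PoolType as one byte each, then the 4-byte PoolTag and an 8-byte ProcessBilled field), a 16-byte pool granularity, and that a PoolType of zero marks a freed block. The memory image it scans is constructed inline.

```python
"""Exhaustive pool-tag scan over a raw physical-memory image (added example).

Assumed x64 _POOL_HEADER layout (16 bytes):
  PreviousSize:8  PoolIndex:8  BlockSize:8  PoolType:8  PoolTag:32  ProcessBilled:64
BlockSize counts 16-byte units and includes the header itself.
"""
import struct

POOL_GRANULARITY = 16
HEADER_SIZE = 16
HEADER_FMT = "<BBBB4sQ"   # PreviousSize, PoolIndex, BlockSize, PoolType, PoolTag, ProcessBilled


def make_pool_block(tag: bytes, body: bytes, pool_type: int) -> bytes:
    """Build one pool allocation (header + body, padded to the 16-byte granularity).
    Used only to construct the sample image below."""
    size = HEADER_SIZE + len(body)
    padded_size = (size + POOL_GRANULARITY - 1) // POOL_GRANULARITY * POOL_GRANULARITY
    header = struct.pack(HEADER_FMT, 0, 0, padded_size // POOL_GRANULARITY, pool_type, tag, 0)
    return header + body + b"\x00" * (padded_size - size)


def build_sample_image() -> bytes:
    """Constructed memory image: two live allocations, a stray 'Proc' string inside
    ordinary data (a decoy at an unaligned offset), and one freed 'Proc' block."""
    return b"".join([
        b"\x00" * 64,                                        # unused page head
        make_pool_block(b"Proc", b"A" * 40, pool_type=2),    # live NonPagedPool object
        make_pool_block(b"File", b"B" * 24, pool_type=2),    # live object, different tag
        b"\x00" * 5 + b"Proc" + b"\x00" * 23,                # decoy: tag text, not a header
        make_pool_block(b"Proc", b"C" * 40, pool_type=0),    # freed: unlinked from OS lists
    ])


def scan_pool_tag(mem: bytes, tag: bytes) -> list:
    """Return every plausible pool header carrying `tag`, live or freed.
    Every occurrence of the tag bytes in the image is examined (exhaustive search),
    then filtered by header alignment and a block-size sanity check."""
    hits = []
    pos = mem.find(tag)
    while pos != -1:
        hdr = pos - 4                          # PoolTag sits 4 bytes into the header
        if hdr >= 0 and hdr % POOL_GRANULARITY == 0 and hdr + HEADER_SIZE <= len(mem):
            _prev, _idx, block_size, pool_type = struct.unpack_from("<BBBB", mem, hdr)
            nbytes = block_size * POOL_GRANULARITY
            # block_size 0 is impossible and 1 would be a header with no body
            if block_size >= 2 and hdr + nbytes <= len(mem):
                hits.append({
                    "offset": hdr,
                    "size": nbytes,
                    "pool_type": pool_type,
                    "freed": pool_type == 0,   # assumption: PoolType 0 == free block
                    "body": mem[hdr + HEADER_SIZE:hdr + nbytes],
                })
        pos = mem.find(tag, pos + 1)
    return hits


if __name__ == "__main__":
    for hit in scan_pool_tag(build_sample_image(), b"Proc"):
        state = "freed" if hit["freed"] else "live"
        print(f"0x{hit['offset']:06x} {hit['size']:4d} bytes {state}")
```

The scan never consults the kernel's own process or object lists, which is why the freed block at the end of the image is still reported alongside the live one, while the decoy string fails the alignment check. Real scanners add per-object checks (for example on the object header that follows the pool header) to cut the false positives that a tag match alone produces.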
Android malware are often created by injecting malicious payloads into benign applications. They employ code and string obfuscation techniques to hide their presence from antivirus scanners. Recent studies have shown that common antivirus software and static analysis tools are not resilient to such obfuscation techniques. To address this problem, w...
In the last few years there has been a sharp increase in the use of Mac OS X systems in professional settings. This has led to increased activity in the development of malware and attack toolkits focused specifically on OS X systems, and unfortunately, these increasingly powerful offensive capabilities have not (yet) resulted in better def...
We present a new approach to digital forensic evidence acquisition and disk imaging called sifting collectors that images only those regions of a disk with expected forensic value. Sifting collectors produce a sector-by-sector, bit-identical AFF v3 image of selected disk regions that can be mounted and is fully compatible with existing for...
With the introduction of kernel integrity checking mechanisms in modern operating systems, such as PatchGuard on Windows OS, malware developers can no longer easily install stealthy hooks in kernel code and well-known data structures. Instead, they must target other areas of the kernel, such as the heap, which stores a large number of function poin...
The forensics community is increasingly embracing the use of memory analysis to enhance traditional storage-based forensics techniques, because memory analysis yields a wealth of information not available on non-volatile storage. Memory analysis involves capture of a system's physical memory so that the live state of a system can be investigated, i...
An interrupt descriptor table (IDT) is used by a processor to transfer the execution of a program to software routines that handle interrupts raised during the normal course of operation or to signal an exceptional condition such as a hardware failure. Attackers frequently modify IDT pointers to execute malicious code. This paper describes the IDTc...
Digital forensics comprises the set of techniques to recover, preserve, and examine digital evidence, and has applications in a number of important areas, including investigation of child exploitation, identity theft, counter-terrorism, and intellectual property disputes. Digital forensics tools must exhaustively examine and interpret data at a low...
When security incidents occur, several challenges exist for conducting an effective forensic investigation of SCADA systems, which run 24/7 to control and monitor industrial and infrastructure processes.
Kernel modules are an integral part of most operating systems (OS) as they provide flexible ways of adding new functionalities (such as file system or hardware support) to the kernel without the need to recompile or reload the entire kernel. Aside from providing an interface between the user and the hardware, these modules maintain system security...
The Android operating system for mobile phones, which is still relatively new, is rapidly gaining market share, with dozens of smartphones and tablets either released or set to be released. In this paper, we present the first methodology and toolset for acquisition and deep analysis of volatile physical memory from Android devices. The paper discus...
The role of live forensics in digital forensic investigations has become vital due to the importance of volatile data such as encryption keys, network activity, currently running processes, in memory only malware, and other key pieces of data that are lost when a device is powered down. While the technology to perform the first steps of a live inve...
While short training courses in reverse engineering are frequently offered at meetings like Blackhat and through training organizations such as SANS, there are virtually no reverse engineering courses offered in academia. This paper discusses possible reasons for this situation, emphasizes the importance of teaching reverse engineering (and appli...
The timely processing of massive digital forensic collections demands the use of large-scale distributed computing resources and the flexibility to customize the processing performed on the collections. This paper describes MPI MapReduce (MMR), an open implementation of the MapReduce processing model that outperforms traditional forensic computing...
Service discovery is a widely researched topic in wireless networks. Existing protocols have significant overhead for service advertisement as well as service discovery, with many messages being transmitted in the network. This high overhead is not practical in resource-constrained wireless environments. We propose a simple service discovery protoc...
Digital forensics comprises the set of techniques to recover, preserve, and examine digital evidence and has applications in a number of important areas, including investigation of child exploitation , identity theft, counter-terrorism, and intellectual property disputes. Digital forensics tools must exhaustively examine and interpret data at a low...
Digital forensic tools are being developed at a brisk pace in response to the ever increasing variety of forensic targets. Most tools are created for specific tasks – filesystem analysis, memory analysis, network analysis, etc. – and make little effort to interoperate with one another. This makes it difficult and extremely time-consuming for an inv...
This paper introduces class-aware similarity hashes or classprints, which are an outgrowth of recent work on similarity hashing. The approach builds on the notion of context-based hashing to create a framework for identifying data types based on content and for building characteristic similarity hashes for individual data items that can be used for...
Large-scale digital forensic investigations present at least two fundamental challenges. The first one is accommodating the computational needs of a large amount of data to be processed. The second one is extracting useful information from the raw data in an automated fashion. Both of these problems could result in long processing times that can se...
The current generation of Graphics Processing Units (GPUs) contains a large number of general purpose processors, in sharp contrast to previous generation designs, where special-purpose hardware units (such as texture and vertex shaders) were commonly used. This fact, combined with the prevalence of multicore general purpose CPUs in modern workstat...
Current digital forensics methods capture, preserve, and analyze digital evidence in general-purpose electronic containers (typically, plain files) with no dedicated support to help establish that the evidence has been properly handled. Auditing of a digital investigation, from identification and seizure of evidence through duplication and investig...
File carving is the process of recovering files from an investigative target, potentially without knowledge of the filesystem structure. Current generation file carvers make complete copies of recovered files. Unfortunately, they often produce a large number of false positives — “junk” files with invalid formats that frequently consume large amount...
Keywords: filesystem investigation, md5bloom. Hashing is a fundamental tool in digital forensic analysis used both to ensure data integrity and to efficiently identify known data objects. However, despite many years of practice, its basic use has advanced little. Our objective is to leverage advanced hashing techniques in order to improve the e...
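An added example of the block-hash-plus-Bloom-filter idea behind this abstract; it is not md5bloom's own code. It assumes that the filter derives its k bit positions from slices of a single MD5 digest rather than from k separate hash functions, uses an assumed 4 KiB block size, and runs on constructed data.

```python
"""Block-level known-data matching with a Bloom filter keyed by MD5 (added example).

The filter takes its k index values from one MD5 digest instead of computing k
separate hashes; that is the design assumption this example makes, and it is what
keeps per-block lookups to a single hash computation.
"""
import hashlib
import math

BLOCK = 4096   # assumed block size; real use aligns this with the filesystem cluster size


class Md5Bloom:
    def __init__(self, m_bits: int, k: int):
        if k * 32 > 128:
            raise ValueError("k 32-bit indices must fit in a 128-bit MD5 digest")
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)
        self.count = 0

    def _indices(self, digest: bytes):
        # slice the digest into k 32-bit words, each reduced modulo m
        for i in range(self.k):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "little") % self.m

    def add(self, digest: bytes) -> None:
        for idx in self._indices(digest):
            self.bits[idx >> 3] |= 1 << (idx & 7)
        self.count += 1

    def __contains__(self, digest: bytes) -> bool:
        return all(self.bits[idx >> 3] & (1 << (idx & 7)) for idx in self._indices(digest))

    def expected_fp_rate(self) -> float:
        # standard Bloom estimate: (1 - e^{-kn/m})^k
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k


def block_digests(data: bytes, block: int = BLOCK) -> list:
    """MD5 of every block of `data`; a trailing partial block is hashed as well."""
    return [hashlib.md5(data[i:i + block]).digest() for i in range(0, len(data), block)]


def build_known_filter(known_files: list, m_bits: int = 1 << 16, k: int = 4) -> Md5Bloom:
    """Insert every block hash of every reference file into one filter."""
    bf = Md5Bloom(m_bits, k)
    for data in known_files:
        for d in block_digests(data):
            bf.add(d)
    return bf


def find_known_blocks(bf: Md5Bloom, target: bytes, block: int = BLOCK) -> list:
    """Indices of target blocks whose MD5 is (probably) in the filter."""
    return [i for i, d in enumerate(block_digests(target, block)) if d in bf]


def pseudo_random_bytes(seed: bytes, n: int) -> bytes:
    """Deterministic filler so the constructed sample is reproducible."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample: a "known" 8-block file and a target image embedding blocks 2..4 of it.
KNOWN_FILE = pseudo_random_bytes(b"known", 8 * BLOCK)
TARGET_IMAGE = (pseudo_random_bytes(b"junk-a", 3 * BLOCK)
                + KNOWN_FILE[2 * BLOCK:5 * BLOCK]
                + pseudo_random_bytes(b"junk-b", 2 * BLOCK))


if __name__ == "__main__":
    bf = build_known_filter([KNOWN_FILE])
    print("matching target blocks:", find_known_blocks(bf, TARGET_IMAGE))
    print(f"expected false-positive rate: {bf.expected_fp_rate():.2e}")
```

Block matching only works when the target's blocks sit on the same boundaries as the reference (files stored cluster-aligned on a filesystem satisfy this); a copy shifted by even one byte hashes to entirely different values and is invisible to the filter. A positive answer from a Bloom filter is probabilistic, so a hit should be confirmed with the full hash before it is reported as evidence.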
For current generation of PDA and smart phone devices, wireless capabilities are practically a standard feature. Consequently, they should be able to support users in their spontaneous daily interactions. Yet, the original host-centric model of data synchronization is still entrenched, thereby depriving users of adequate support for ad-hoc collabor...
In this paper, we propose several methods to increase the difficulty of reverse engineering applications, with special emphasis on preventing the circumvention of copy protection mechanisms that permit only authorized users to execute the applications. We apply the hashing function to transform some constants in the software and recover them durin...
The shortcomings of the current generation of digital forensic tools and suggestions to overcome them are discussed. A major problem when investigating large targets is how to capture the essential data during acquisition when working copies of potential evidence sources are created. Smarter acquisition can reduce the amount of data that must be ex...
Digital Evidence Bags (DEBs) are a mechanism for bundling digital evidence, associated metadata and audit logs into a single structure. DEB-compliant applications can update a DEB's audit log as evidence is introduced into the bag and as data in the bag is processed. This paper investigates native file system support for DEBs, which has a number of...
Recent work on distributed RAM sharing has largely focused on leveraging low-latency networking technologies to optimize remote memory access. In contrast, we revisit the idea of RAM sharing on a commodity cluster with an emphasis on the prevalent Gigabit Ethernet technology. The main point of the paper is to present a practical solution—a di...
Presents the welcome message from the conference proceedings.
Digital forensics investigators have access to a wide variety of tools, both commercial and open source, which assist in the preservation and analysis of digital evidence. Unfortunately, most current digital forensics tools fall short in several ways. First, they are unable to cope with the ever-increasing storage capacity of target devices. As cap...
In this paper an enhanced reliability protocol added to the ODMRP multicast ad hoc protocol is described. This protocol increases the overall data packet delivery ratio by adding packet storage and retransmission operations coordinated by the multicast source. Storage responsibilities are assigned based on localized 'neighborhoods' of nodes with mi...
Digital forensic investigators are often faced with the task of manually examining a large number of (photographic) images in order to identify potential evidence. The task can be especially daunting and time-consuming if the target of the investigation is very broad, such as a web hosting service. Current forensic tools are woefully inadequate in...
Wireless networks, specifically IEEE 802.11, are inexpensive and easy to deploy, but their signals can be detected by eavesdroppers at great distances. Even with existing and new security measures, wireless networks have a higher risk than wired nets. WIDS, Wireless Intrusion Detection System, provides an additional layer of security by combining intrusi...
In this paper an enhanced reliability protocol, R-ODMRP, added to the ODMRP multicast ad hoc protocol is described. This NACK based protocol increases overall data packet delivery by adding data storage and retransmission operations coordinated by the multicast source. Storage responsibilities are assigned to individual nodes based on localized 'ne...
The need for computer forensics education continues to grow, as digital evidence is present in more crimes, whether the crimes directly involve computers or not. An essential component of training in computer forensics is hands-on, realistic laboratory assignments. Creating detailed, realistic lab assignments, however, is a difficult task. The...
File carving is an important technique for digital forensics investigation and for simple data recovery. By using a database of headers and footers (essentially, strings of bytes at predictable offsets) for specific file types, file carvers can retrieve files from raw disk images, regardless of the type of filesystem on the disk image. Perhap...
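The header/footer carving this abstract describes, combined with the false-positive problem raised in the earlier file-carving abstract (junk files with invalid formats), as an added example that is not code from either paper. It uses a two-entry signature database (PNG and JPEG), validates each candidate structurally before accepting it, and runs over a raw image constructed inline; the 10 MiB carve limit is an assumed setting.

```python
"""Header/footer file carving with per-format validation (added example).

Signatures: PNG (fixed 8-byte signature, IEND trailer) and JPEG (SOI marker, EOI
trailer). Every candidate is checked structurally before it is accepted, so the
junk hits that header/footer matching alone produces are flagged rather than kept.
"""
import struct
import zlib

MAX_CARVE = 10 * 1024 * 1024   # assumed limit: never carve further than this past a header

SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def validate_png(data: bytes) -> bool:
    """First chunk must be IHDR with a 13-byte payload and a matching CRC-32."""
    if len(data) < 33:
        return False
    length, ctype = struct.unpack_from(">I4s", data, 8)
    if length != 13 or ctype != b"IHDR":
        return False
    stored_crc = struct.unpack_from(">I", data, 29)[0]
    return stored_crc == zlib.crc32(data[12:29]) & 0xFFFFFFFF


def validate_jpeg(data: bytes) -> bool:
    """Walk the marker segments after SOI; a real JPEG reaches SOS (FFDA) cleanly."""
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker == 0xDA:                              # start of scan: header intact
            return True
        if marker == 0xFF:                              # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD9:    # standalone markers, no length
            pos += 2
            continue
        seglen = struct.unpack_from(">H", data, pos + 2)[0]
        if seglen < 2:
            return False
        pos += 2 + seglen
    return False


VALIDATORS = {"png": validate_png, "jpg": validate_jpeg}


def carve(image: bytes, max_size: int = MAX_CARVE) -> list:
    """Return candidates sorted by offset; `valid` says whether the validator accepted them."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            limit = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), limit)
            if end != -1:                               # no footer in range: no candidate
                blob = image[start:end + len(footer)]
                found.append({"type": kind, "offset": start, "size": len(blob),
                              "valid": VALIDATORS[kind](blob), "data": blob})
            start = image.find(header, start + 1)
    return sorted(found, key=lambda f: f["offset"])


def build_png() -> bytes:
    """Constructed 1x1 RGB PNG."""
    def chunk(ctype, payload):
        return (struct.pack(">I", len(payload)) + ctype + payload
                + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")           # filter byte + one RGB pixel
    return SIGNATURES["png"][0] + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def build_jpeg() -> bytes:
    """Constructed JPEG skeleton: SOI, APP0, SOS, a little scan data, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + b"\x12\x34\x56" + b"\xff\xd9"


JUNK_JPEG = b"\xff\xd8\xff\x00\x11\x22\x33\xff\xd9"   # right header and footer, no structure


def build_sample_image() -> bytes:
    """Constructed raw image: slack, a PNG, slack, a JPEG, slack, junk with JPEG markers."""
    return (b"\x00" * 512 + build_png() + b"\xaa" * 100 + build_jpeg()
            + b"\x00" * 64 + JUNK_JPEG + b"\x00" * 128)


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(f"{hit['type']} @ {hit['offset']:6d} {hit['size']:5d} bytes valid={hit['valid']}")
```

The junk candidate carries a correct SOI and EOI, so a header/footer-only carver would write it out as a file; the marker walk rejects it because the byte after SOI is not a valid marker. The same validation step also bounds how far a carver will read when a footer is missing or belongs to a different file, which is where much of the wasted output of naive carvers comes from.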
Wireless networks, specifically IEEE 802.11, are inexpensive and easy to deploy, but their signals can be detected by eavesdroppers at great distances. Even with existing and new security measures, wireless networks have a higher risk than wired nets. WIDS, wireless intrusion detection system, provides an additional layer of security by combining i...
Routing protocols for ad hoc wireless networks consider the path with the minimum number of hops as the optimal path to any given destination. However, this strategy does not balance the traffic load over the network, and may create congested areas. These congested areas greatly degrade the performance of the routing protocols. In this paper, we pr...
Traditional digital forensics methods are based on the in-depth examination of computer systems in a lab setting. Such methods are standard practice in acquiring digital evidence and are indispensable as an investigative approach. However, they are also relatively heavyweight and expensive and require significant expertise on part of the investig...
In this paper, we introduce the Virtual Paths Routing (VPR) Protocol for ad hoc wireless networks. VPR provides highly dynamic, correct, and efficient paths creation and maintenance between nodes. Innovatively, the protocol utilizes a technique to monitor the mobility of the nodes, and factorizes it in its operations. VPR is a distributed, on-deman...
As group applications have become more prevalent, efficient network utilization becomes a growing concern. Multicast transmission may use network bandwidth more efficiently than multiple point-to-point messages, however, creating optimal multicast trees is prohibitively expensive. For this reason, heuristic methods are generally employed. These heu...
In this paper an enhancement to the reliability of the ODMRP multicast ad hoc protocol is described. The enhancement attempts to increase the overall data packet delivery ratio by adding packet storage and retransmit operations coordinated by the multicast source.
TCP/IP header compression has long been used to send information efficiently and to improve the response time of communication systems. It is also well known that errors on the link where header compression is used can deteriorate the performance. In addition, the previously noticed high frequency of some computer networking problems can make the p...
To allow a seamless integration between wireless LANs and Wireless WANs, we developed a full stack adaptation model and a simple subnet architecture that superimposes Mobile-IP on cellular-type wireless LANs. The idea is to use Mobile IP as an integrative layer atop different LAN/WAN networks. While Mobile-IP is widely used in wireless WANs, it is...
Service advertisement and discovery technologies enable device cooperation and reduce configuration hassles, a necessity in increasingly mobile computing environments. This article surveys five competing but similar “service discovery suites” and looks at efforts to bridge the technologies. Although most of these service discovery suites promise si...
We describe a prototype that provides distributed, three-dimensional, interactive virtual worlds, which are enhanced with reliable communication and recording of real time events throughout the system. These events correspond to personnel movements in the real world, which are captured from GPS transmissions and are reflected by the movement of 3D...
Julep is an object-oriented testbed designed for implementation and analysis of process recovery protocols. It is written in Java, and runs as a layer underneath a Java-based distributed application. Only minor modifications to a typical distributed application are necessary to use Julep as a communication mechanism. Julep is designed to allow new...
Julep is an object-oriented testbed designed for analysis and comparison of temporal diversity fault tolerance mechanisms. It is written in Java, and runs as a layer underneath a distributed application. Julep can run on any standard COTS platform with a JVM, in homogeneous or heterogeneous environments. Julep is designed to quickly and easily inco...