Golden G. Richard III

Louisiana State University | LSU · Department of Computer Science (Engineering)

Ph.D.

About

97
Publications
65,738
Reads
2,217
Citations
Introduction
Golden G. Richard III is a cybersecurity researcher and teacher and a Fellow of the American Academy of Forensic Sciences. He has over 35 years of practical experience in computer systems and computer security and is a devoted advocate for applied cybersecurity education. He holds a TS/SCI security clearance and supports NSA's CAE-CO internship program, teaching memory forensics, vulnerability analysis, and other topics to cleared interns. His primary research interests are memory forensics, digital forensics, malware analysis, reverse engineering, and operating systems.
Additional affiliations
January 2017 - present
LSU
Position
  • Professor (Full)
Description
  • Digital forensics, malware analysis, reverse engineering, memory forensics, operating systems
August 1994 - December 2016
University of New Orleans
Position
  • Professor (Full)
Description
  • Digital forensics, malware analysis, reverse engineering, memory forensics, operating systems
Education
August 1988 - December 1994
The Ohio State University
Field of study
  • Computer Science

Publications (97)
Article
Memory analysis is a digital forensics technique whose goal is to model a computer system's state based solely on the analysis of a snapshot of physical memory (RAM). Memory forensics is frequently employed in incident response to detect and analyze modern malware and attack frameworks. Memory forensics is a particularly powerful tool for analyzing...
Article
Full-text available
Memory Forensics is one of the most important emerging areas in computer forensics. In memory forensics, analysis of userland memory is a technique that analyses per-process runtime data structures and extracts significant evidence for application-specific investigations. In this research, our focus is to examine the critical challenges faced by pr...
Poster
Full-text available
This poster details the macOS Userland Runtime analysis using the Objective-C and Swift data structures. It documents our efforts to create memory forensic tools to investigate the macOS runtime.
Article
The performance of partially synchronous BFT-based consensus protocols is highly dependent on the primary node. All participant nodes in the network are blocked until they receive a proposal from the primary node to begin the consensus process. Therefore, an honest but slack node (with limited bandwidth) can adversely affect the performance when se...
Article
The continued rise of Apple's macOS in both the home and workplace has led to a significant rise in the capabilities of both malware and attacker toolkits that target the operating system and its users. Over the last several years there have been numerous documented instances of macOS users being targeted by governments, intelligence agencies, and...
Article
The value of memory analysis during digital forensics, incident response, and malware investigations has been realized for over a decade. The power of memory forensics is based on the fact that volatile memory contains a substantial number of artifacts that are simply never recorded to disk or sent across the network in plaintext form. Orderly reco...
Article
Advances in malware development have led to the widespread use of attacker toolkits that do not leave any trace in the local filesystem. This negatively impacts traditional investigative procedures that rely on filesystem analysis to reconstruct attacker activities. As a solution, memory forensics has replaced filesystem analysis in these scenarios...
Article
The fields of digital forensics and incident response have seen significant growth over the last decade due to the increasing threats faced by organizations and the continued reliance on digital platforms and devices by criminals. This rise has coincided with a significant and continued increase in the size, complexity, and number of digital forens...
Article
Full-text available
Memory forensics is the examination of volatile memory (RAM) for artifacts related to a digital investigation. Memory forensics has become mainstream in recent years because it allows recovery of a wide variety of artifacts that are never written to the file system and are therefore not available when performing traditional filesystem forensics. To...
Chapter
Over the past few decades, rapid changes in technology have driven a significant increase in the amount and types of data stored on and processed by digital devices. Digital devices may be used in the commission of numerous criminal activities, including unauthorized data exfiltration, fraud, employee misconduct, kidnapping, child pornography, murd...
Article
Full-text available
The use of memory forensics is becoming commonplace in digital investigation and incident response, as it provides critically important capabilities for detecting sophisticated malware attacks, including memory-only malware components. In this paper, we concentrate on improving analysis of API hooks, a technique commonly employed by malware to hija...
Chapter
Byzantine Fault Tolerant (BFT) protocols have been used in blockchains due to their high performance and fast block acceptance. However, their weakness is a lack of scalability to support a large number of nodes in the network due to message demanding broadcasts. There have been recent improvements to the classic Practical Byzantine Fault Tolerant...
Preprint
Byzantine Fault Tolerant (BFT) consensus exhibits higher throughput in comparison to Proof of Work (PoW) in blockchains. But BFT-based protocols suffer from scalability problems with respect to the number of replicas in the network. The main reason for this limitation is the quadratic message complexity of BFT protocols. Previously, proposed soluti...
Article
Full-text available
Interest in the individual differences underlying end user computer security behavior has led to the development of a multidisciplinary field of research known as behavioral information security. An important gap in knowledge and the motivation for this research is the development of ways to measure secure and insecure cyber behavior for research a...
Article
Full-text available
The Windows Subsystem for Linux (WSL) was first included in the Anniversary Update of Microsoft's Windows 10 operating system and supports execution of native Linux applications within the host operating system. This integrated support of Linux executables in a Windows environment presents challenges to existing memory forensics frameworks, such as...
Article
The growing threat to user privacy by Android applications (apps) has tremendously increased the need for more reliable and accessible analysis techniques. This paper presents AspectDroid, an offline app-level hybrid analysis system designed to investigate Android applications for possible unwanted activities. It leverages static bytecode instrumen...
Article
Full-text available
Memory forensics is now a standard component of digital forensic investigations and incident response handling, since memory forensic techniques are quite effective in uncovering artifacts that might be missed by traditional storage forensics or live analysis techniques. Because of the crucial role that memory forensics plays in investigations and...
Article
Full-text available
The present study provides initial data on self-reported secure and insecure cyber behaviour using the iSECURE. A theoretical model for item pool development, distributions and convergent associations is presented. Data on the distribution of self-report of secure and insecure cyber behaviour is presented as well as data on factor structure of scor...
Article
Traditionally, digital forensics focused on artifacts located on the storage devices of computer systems, mobile phones, digital cameras, and other electronic devices. In the past decade, however, researchers have created a number of powerful memory forensics tools that expand the scope of digital forensics to include the examination of volatile me...
Article
This paper presents the first analysis of the new hibernation file format that is used in Windows versions 8, 8.1, and 10. We also discuss several changes in the hibernation and shutdown behavior of Windows that will have a direct impact on digital forensic practitioners who use hibernation files as sources of evidence.
Article
Full-text available
Major advances in memory forensics in the past decade now allow investigators to efficiently detect and analyze many types of sophisticated kernel-level malware. With operating systems vendors now routinely enforcing driver signing and integrating strategies for protecting kernel data, such as Patch Guard, userland attacks are becoming more attract...
Conference Paper
Full-text available
Android applications access native SQLite databases through their Universal Resource Identifiers (URIs), exposed by the Content provider library. By design, the SQLite engine used in the Android system does not enforce access restrictions on database content nor does it log database accesses. Instead, Android enforces read and write permissions on...
Poster
Full-text available
The growing threat to user privacy related to Android applications (apps) has tremendously increased the need for more reliable and accessible app analysis systems. This paper presents AspectDroid, an application-level system designed to investigate Android applications for possible unwanted activities. AspectDroid is comprised of app instrumentati...
Conference Paper
Full-text available
End users are prone to insecure cyber behavior that may lead them to compromise the integrity, availability or confidentiality of their computer systems. For instance, replying to a phishing email may compromise an end user's login credentials. Identifying tendency toward insecure cyber behavior is critically important to improve cyber security pos...
Article
Full-text available
Pool tag scanning is a process commonly used in memory analysis in order to locate kernel object allocations, enabling investigators to discover evidence of artifacts that may have been freed or otherwise maliciously hidden from the operating system. The fastest current scanning techniques require an exhaustive search of physical memory, a process...
Conference Paper
Full-text available
Android malware are often created by injecting malicious payloads into benign applications. They employ code and string obfuscation techniques to hide their presence from antivirus scanners. Recent studies have shown that common antivirus software and static analysis tools are not resilient to such obfuscation techniques. To address this problem, w...
Article
Full-text available
In the last few years there has been a sharp increase in the use of Mac OS X systems in professional settings. This has led to increased activity in the development of malware and attack toolkits focused specifically on OS X systems, and unfortunately, these increasingly powerful offensive capabilities have not (yet) resulted in better def...
Article
Full-text available
We present a new approach to digital forensic evidence acquisition and disk imaging called sifting collectors that images only those regions of a disk with expected forensic value. Sifting collectors produce a sector-by-sector, bit-identical AFF v3 image of selected disk regions that can be mounted and is fully compatible with existing for...
Chapter
Full-text available
With the introduction of kernel integrity checking mechanisms in modern operating systems, such as PatchGuard on Windows OS, malware developers can no longer easily install stealthy hooks in kernel code and well-known data structures. Instead, they must target other areas of the kernel, such as the heap, which stores a large number of function poin...
Article
Full-text available
The forensics community is increasingly embracing the use of memory analysis to enhance traditional storage-based forensics techniques, because memory analysis yields a wealth of information not available on non-volatile storage. Memory analysis involves capture of a system's physical memory so that the live state of a system can be investigated, i...
Conference Paper
Full-text available
An interrupt descriptor table (IDT) is used by a processor to transfer the execution of a program to software routines that handle interrupts raised during the normal course of operation or to signal an exceptional condition such as a hardware failure. Attackers frequently modify IDT pointers to execute malicious code. This paper describes the IDTc...
Chapter
Digital forensics comprises the set of techniques to recover, preserve, and examine digital evidence, and has applications in a number of important areas, including investigation of child exploitation, identity theft, counter-terrorism, and intellectual property disputes. Digital forensics tools must exhaustively examine and interpret data at a low...
Article
Full-text available
When security incidents occur, several challenges exist for conducting an effective forensic investigation of SCADA systems, which run 24/7 to control and monitor industrial and infrastructure processes.
Conference Paper
Full-text available
Kernel modules are an integral part of most operating systems (OS) as they provide flexible ways of adding new functionalities (such as file system or hardware support) to the kernel without the need to recompile or reload the entire kernel. Aside from providing an interface between the user and the hardware, these modules maintain system security...
Article
Full-text available
The Android operating system for mobile phones, which is still relatively new, is rapidly gaining market share, with dozens of smartphones and tablets either released or set to be released. In this paper, we present the first methodology and toolset for acquisition and deep analysis of volatile physical memory from Android devices. The paper discus...
Article
Full-text available
The role of live forensics in digital forensic investigations has become vital due to the importance of volatile data such as encryption keys, network activity, currently running processes, in memory only malware, and other key pieces of data that are lost when a device is powered down. While the technology to perform the first steps of a live inve...
Article
Full-text available
While short training courses in reverse engineering are frequently offered at meetings like Blackhat and through training organizations such as SANS, there are virtually no reverse engineering courses offered in academia. This paper discusses possible reasons for this situation, emphasizes the importance of teaching reverse engineering (and appli...
Conference Paper
Full-text available
The timely processing of massive digital forensic collections demands the use of large-scale distributed computing resources and the flexibility to customize the processing performed on the collections. This paper describes MPI MapReduce (MMR), an open implementation of the MapReduce processing model that outperforms traditional forensic computing...
Conference Paper
Full-text available
Service discovery is a widely researched topic in wireless networks. Existing protocols have significant overhead for service advertisement as well as service discovery, with many messages being transmitted in the network. This high overhead is not practical in resource-constrained wireless environments. We propose a simple service discovery protoc...
Article
Full-text available
Digital forensics comprises the set of techniques to recover, preserve, and examine digital evidence and has applications in a number of important areas, including investigation of child exploitation, identity theft, counter-terrorism, and intellectual property disputes. Digital forensics tools must exhaustively examine and interpret data at a low...
Article
Full-text available
Digital forensic tools are being developed at a brisk pace in response to the ever increasing variety of forensic targets. Most tools are created for specific tasks – filesystem analysis, memory analysis, network analysis, etc. – and make little effort to interoperate with one another. This makes it difficult and extremely time-consuming for an inv...
Conference Paper
Full-text available
This paper introduces class-aware similarity hashes or classprints, which are an outgrowth of recent work on similarity hashing. The approach builds on the notion of context-based hashing to create a framework for identifying data types based on content and for building characteristic similarity hashes for individual data items that can be used for...
Article
Full-text available
Large-scale digital forensic investigations present at least two fundamental challenges. The first one is accommodating the computational needs of a large amount of data to be processed. The second one is extracting useful information from the raw data in an automated fashion. Both of these problems could result in long processing times that can se...
Article
Full-text available
The current generation of Graphics Processing Units (GPUs) contains a large number of general purpose processors, in sharp contrast to previous generation designs, where special-purpose hardware units (such as texture and vertex shaders) were commonly used. This fact, combined with the prevalence of multicore general purpose CPUs in modern workstat...
Article
Full-text available
Current digital forensics methods capture, preserve, and analyze digital evidence in general-purpose electronic containers (typically, plain files) with no dedicated support to help establish that the evidence has been properly handled. Auditing of a digital investigation, from identification and seizure of evidence through duplication and investig...
Conference Paper
Full-text available
File carving is the process of recovering files from an investigative target, potentially without knowledge of the filesystem structure. Current generation file carvers make complete copies of recovered files. Unfortunately, they often produce a large number of false positives — “junk” files with invalid formats that frequently consume large amount...
Article
Full-text available
Hashing is a fundamental tool in digital forensic analysis used both to ensure data integrity and to efficiently identify known data objects. However, despite many years of practice, its basic use has advanced little. Our objective is to leverage advanced hashing techniques in order to improve the e...
Conference Paper
Full-text available
For current generation of PDA and smart phone devices, wireless capabilities are practically a standard feature. Consequently, they should be able to support users in their spontaneous daily interactions. Yet, the original host-centric model of data synchronization is still entrenched, thereby depriving users of adequate support for ad-hoc collabor...
Conference Paper
Full-text available
In this paper, we propose several methods to increase the difficulty of reverse engineering applications, with special emphasis on preventing the circumvention of copy protection mechanisms that permit only authorized users to execute the applications. We apply the hashing function to transform some constants in the software and recover them durin...
Article
Full-text available
The shortcomings of the current generation of digital forensic tools and suggestions to overcome them are discussed. A major problem when investigating large targets is how to capture the essential data during acquisition when working copies of potential evidence sources are created. Smarter acquisition can reduce the amount of data that must be ex...
Conference Paper
Full-text available
Digital Evidence Bags (DEBs) are a mechanism for bundling digital evidence, associated metadata and audit logs into a single structure. DEB-compliant applications can update a DEB's audit log as evidence is introduced into the bag and as data in the bag is processed. This paper investigates native file system support for DEBs, which has a number of...
Conference Paper
Full-text available
Recent work on distributed RAM sharing has largely focused on leveraging low-latency networking technologies to optimize remote memory access. In contrast, we revisit the idea of RAM sharing on a commodity cluster with an emphasis on the prevalent Gigabit Ethernet technology. The main point of the paper is to present a practical solution—a di...
Conference Paper
Presents the welcome message from the conference proceedings.
Article
Full-text available
Digital forensics investigators have access to a wide variety of tools, both commercial and open source, which assist in the preservation and analysis of digital evidence. Unfortunately, most current digital forensics tools fall short in several ways. First, they are unable to cope with the ever-increasing storage capacity of target devices. As cap...
Conference Paper
In this paper an enhanced reliability protocol added to the ODMRP multicast ad hoc protocol is described. This protocol increases the overall data packet delivery ratio by adding packet storage and retransmission operations coordinated by the multicast source. Storage responsibilities are assigned based on localized 'neighborhoods' of nodes with mi...
Conference Paper
Full-text available
Digital forensic investigators are often faced with the task of manually examining a large number of (photographic) images in order to identify potential evidence. The task can be especially daunting and time-consuming if the target of the investigation is very broad, such as a web hosting service. Current forensic tools are woefully inadequate in...
Article
Wireless networks, specifically IEEE 802.11, are inexpensive and easy to deploy, but their signals can be detected by eavesdroppers at great distances. Even with existing and new security measures, wireless networks have a higher risk than wired nets. WIDS, Wireless Intrusion Detection System, provides an additional layer of security by combining intrusi...
Conference Paper
In this paper an enhanced reliability protocol, R-ODMRP, added to the ODMRP multicast ad hoc protocol is described. This NACK based protocol increases overall data packet delivery by adding data storage and retransmission operations coordinated by the multicast source. Storage responsibilities are assigned to individual nodes based on localized 'ne...
Conference Paper
The need for computer forensics education continues to grow, as digital evidence is present in more crimes, whether the crimes directly involve computers or not. An essential component of training in computer forensics is hands-on, realistic laboratory assignments. Creating detailed, realistic lab assignments, however, is a difficult task. The...
Conference Paper
Full-text available
File carving is an important technique for digital forensics investigation and for simple data recovery. By using a database of headers and footers (essentially, strings of bytes at predictable offsets) for specific file types, file carvers can retrieve files from raw disk images, regardless of the type of filesystem on the disk image. Perhap...
Conference Paper
Wireless networks, specifically IEEE 802.11, are inexpensive and easy to deploy, but their signals can be detected by eavesdroppers at great distances. Even with existing and new security measures, wireless networks have a higher risk than wired nets. WIDS, wireless intrusion detection system, provides an additional layer of security by combining i...
Conference Paper
Full-text available
Routing protocols for ad hoc wireless networks consider the path with the minimum number of hops as the optimal path to any given destination. However, this strategy does not balance the traffic load over the network, and may create congested areas. These congested areas greatly degrade the performance of the routing protocols. In this paper, we pr...
Article
Full-text available
Traditional digital forensics methods are based on the in-depth examination of computer systems in a lab setting. Such methods are standard practice in acquiring digital evidence and are indispensable as an investigative approach. However, they are also relatively heavyweight and expensive and require significant expertise on part of the investig...
Conference Paper
Full-text available
In this paper, we introduce the Virtual Paths Routing (VPR) Protocol for ad hoc wireless networks. VPR provides highly dynamic, correct, and efficient paths creation and maintenance between nodes. Innovatively, the protocol utilizes a technique to monitor the mobility of the nodes, and factorizes it in its operations. VPR is a distributed, on-deman...
Article
As group applications have become more prevalent, efficient network utilization becomes a growing concern. Multicast transmission may use network bandwidth more efficiently than multiple point-to-point messages, however, creating optimal multicast trees is prohibitively expensive. For this reason, heuristic methods are generally employed. These heu...
Article
In this paper an enhancement to the reliability of the ODMRP multicast ad hoc protocol is described. The enhancement attempts to increase the overall data packet delivery ratio by adding packet storage and retransmit operations coordinated by the multicast source.
Conference Paper
Full-text available
TCP/IP header compression has long been used to send information efficiently and to improve the response time of communication systems. It is also well known that errors on the link where header compression is used can deteriorate the performance. In addition, the previously noticed high frequency of some computer networking problems can make the p...
Article
To allow a seamless integration between wireless LANs and Wireless WANs, we developed a full stack adaptation model and a simple subnet architecture that superimposes Mobile-IP on cellular-type wireless LANs. The idea is to use Mobile IP as an integrative layer atop different LAN/WAN networks. While Mobile-IP is widely used in wireless WANs, it is...
Article
Service advertisement and discovery technologies enable device cooperation and reduce configuration hassles, a necessity in increasingly mobile computing environments. This article surveys five competing but similar “service discovery suites” and looks at efforts to bridge the technologies. Although most of these service discovery suites promise si...
Article
We describe a prototype that provides distributed, three-dimensional, interactive virtual worlds, which are enhanced with reliable communication and recording of real time events throughout the system. These events correspond to personnel movements in the real world, which are captured from GPS transmissions and are reflected by the movement of 3D...
Conference Paper
Julep is an object-oriented testbed designed for implementation and analysis of process recovery protocols. It is written in Java, and runs as a layer underneath a Java-based distributed application. Only minor modifications to a typical distributed application are necessary to use Julep as a communication mechanism. Julep is designed to allow new...
Article
Julep is an object-oriented testbed designed for analysis and comparison of temporal diversity fault tolerance mechanisms. It is written in Java, and runs as a layer underneath a distributed application. Julep can run on any standard COTS platform with a JVM, in homogeneous or heterogeneous environments. Julep is designed to quickly and easily inco...