Nathan Lewis’s research while affiliated with Louisiana State University and other places

Publications (2)


Memory forensics and the Windows Subsystem for Linux
  • Article
  • Full-text available
July 2018 · 1,429 Reads · 17 Citations · Digital Investigation
Nathan Lewis
Figures:
  • Fig. 1. A comparison of Drawbridge's process types. Each of the components associated with NT processes is left out of minimal and pico processes (Hammons, 2016a).
  • Fig. 2. Communication between components of WSL (Hammons, 2016b).
  • Fig. 4. Output of picolist plugin.
  • Fig. 5. Output of dlllist compared to output of the new picosolist plugin.

The Windows Subsystem for Linux (WSL) was first included in the Anniversary Update of Microsoft's Windows 10 operating system and supports execution of native Linux applications within the host operating system. This integrated support of Linux executables in a Windows environment presents challenges to existing memory forensics frameworks, such as Volatility, that are designed to only support one operating system type per analysis task (e.g., execution of a single framework plugin). WSL breaks this analysis model as Linux forensic artifacts, such as ELF executables, are active in a sample of physical memory from a system running Windows. Furthermore, WSL integrates Linux-specific data structures into existing Windows data structures, such as those used to track per-process metadata as well as userland runtime data. This integration results in existing analysis plugins producing inconsistent results when analyzing native Windows processes compared to WSL processes. Further complicating this situation is the fact that much of the WSL subsystem internals are completely undocumented. To remedy the current deficiencies related to WSL analysis, a research effort was undertaken to understand which existing Volatility plugins are affected by the introduction of WSL as well as what updates are necessary to fully support memory forensics of WSL. This paper describes these efforts, including our study of the operating system data structures relevant to WSL as well as the development of new Volatility analysis plugins.

BIC-LSU: Big Data Research Integration with Cyberinfrastructure for LSU
July 2016 · 268 Reads · 2 Citations
Nathan Lewis · [...]
Figures:
  • Figure 2: BIC LSU SDN Maximal Matching scheduling.
  • Figure 5: Write performance of the RAID 0 on the cache storage server. 2 through 8 unbuffered parallel writes achieve the maximum throughput of 42.4Gb/s.

In recent years, big data analysis has been widely applied to many research fields including biology, physics, transportation, and material science. Even though the demands for big data migration and big data analysis are dramatically increasing in campus IT infrastructures, there are several technical challenges that need to be addressed. First of all, frequent big data transmission between storage systems in different research groups imposes heavy burdens on the regular campus network. Second, the current campus IT infrastructure is not designed to fully utilize the hardware capacity for big data migration and analysis. Last but not least, running big data applications on top of large-scale high-performance computing facilities is not straightforward, especially for researchers and engineers in non-IT disciplines. We develop a campus IT infrastructure for big data migration and analysis, called BIC-LSU, which consists of a task-aware Clos OpenFlow network, high-performance cache storage servers, customized high-performance transfer applications, a light-weight control framework to manipulate existing big data storage systems and job scheduling systems, and a comprehensive social networking-enabled web portal. BIC-LSU achieves 40Gb/s disk-to-disk big data transmission, maintains short average transmission task completion time, enables the convergence of control on commonly deployed storage and job scheduling systems, and enhances easiness of big data analysis with a universal user-friendly interface. BIC-LSU software requires minimum dependencies and has high extensibility. Other research institutes can easily customize and deploy BIC-LSU as an augmented service on their existing IT infrastructures.

Citations (2)


"... Various data such as user passwords, images, documents, installed programs, and web addresses that have been visited can be acquired from the RAM by a RAM image analysis [3][4][5][6][7]. String searching, signature scanning, file carving, and data structure analysis methods are used to recover data from the RAM image. ..."
Reference: Analysing and Carving MS Word and PDF Files from RAM Images on Windows
Cited work: Memory forensics and the Windows Subsystem for Linux (Digital Investigation)

"... 3.2) Synchronizing flows in the coflow information to the coflow scheduler using 1 egress UDP segment. An example integrated transfer application is the customized BBCP of the BIC-LSU big data storage area network [2]. ..."
Cited work: BIC-LSU: Big Data Research Integration with Cyberinfrastructure for LSU