Sherlock Holmes, Hercule Poirot, Miss Marple and Dick Tracey. All famous detectives dedicated to gathering evidence to put criminals behind bars. Add to that list an unlikely engineering professor – Brendan Saltaformaggio, School of Electrical and Computer Engineering at Georgia Tech. Saltaformaggio helps solve real human crimes through cyber forensics, the application of investigation and analysis techniques to gather and preserve evidence from a computing device that can be presented in a court of law.
“My research has large scale crime solving implications,” said Saltaformaggio. “My goal is to figure out how we can collect as much evidence as possible from any device involved in the crime to help put away the criminal.”
Solving crimes through cyber forensics
Since arriving at Tech, Saltaformaggio has been hard at work to create forensic techniques that help investigators solve human crimes. Saltaformaggio’s research occurs in his Cyber Forensics Innovation (CyFI) Lab, where the mission is to further the investigation of advanced cyber crimes and the analysis and prevention of next-generation malware attacks, particularly in mobile and IoT environments.
“While my lab focuses on malware and cyber attacks, we also assist with human crimes,” said Saltaformaggio. “If someone robs a bank and drops their phone at the scene of the crime, we can mine that digital device for evidence that will help prosecute the case.”
Saltaformaggio doesn’t work directly with law enforcement, but he does facilitate tech transfer of information, meaning that once a cyber forensic technique is published by his lab, an agency can leverage it to help solve a case. Saltagormaggio and his team then provide the code, test cases and infrastructure for law enforcement to use for criminal investigations.
Saltaformaggio recently developed a cyber forensic technique called RetroScope to access encrypted information on a device, even if the user has locked their accounts. The technique leverages memory forensics, the process of recovering evidence from the RAM (Random Access Memory) of a device. RetroScope makes a copy of the memory (RAM data) from the device and recreates information such as texts or emails from the device. An investigator can see all app screens that were previously accessed by the user. Terrorists are known to use an application called Telegram that is extremely secure and encrypts everything on the phone. With RetroScope, the data on the phone is recreated and made available to law enforcement. An investigator can see exactly what the suspect was communicating before or during the crime. Any data left on the memory of the device can be extracted and used as evidence.
In a recent case, cyber forensics was used at a restaurant where patrons’ credit card information was being stolen. A forensic investigator was called in, but he couldn’t crack the case. With more customers being hacked, the restaurant was finally sued, and they called in a more advanced forensic analyst to look over their system. The forensic analyst realized there was malware on the restaurant’s point of sale system, exporting credit card information with each swipe. The hacker was leveraging the volatile RAM (e.g. the system's short-term memory) to hide the malware, and the first investigator had missed it. Saltaformaggio is among a small group of researchers pioneering the investigation of volatile RAM and the power of memory forensics in cases such as this.
“The first investigator was only considering the static files stored on the disk of the computer,” said Saltaformaggio. “At the time, the forensic investigator wasn’t considering volatile RAM as a hiding place for malware. From research like mine, investigators now know that a device’s RAM is a viable place to harbor malware. You have to look everywhere in these investigations, leaving no stone unturned.”
A deep dive into digital devices through Saltaformaggio’s forensic techniques will redefine the world of cyber security. According to Saltaformaggio, at present, investigating crimes that involve digital devices as evidence is done in a very ad hoc manner, with much digital evidence being left behind.
“We need to design more holistic cyber forensic techniques that take into account the entire digital system, and not just a single piece of evidence that investigators happen to find. It requires a paradigm shift in the way people think about cyber forensics. It’s no longer just a tool to be used in a larger investigation; it’s actually the driver of the investigation itself.” - Brendan Saltaformaggio
Saltaformaggio's ongoing research is paving the way to incorporate a full assessment of digital devices into criminal investigations. And if he is successful, investigators will stop leaving so much digital evidence behind and potentially increase their solve rate.
Eradicating Malware: Beating cyber criminals at their own game
Today, cyber crime is everywhere and affects nearly everyone – the recent Equifax breach left millions of people exposed to identity theft. Ever the engineer, Saltaformaggio got into cyber forensics because he recognized a problem that needed a solution, specifically the problem of malware.
Malware is software that is intended to damage or disable computers and computer systems. It can be extremely destructive; one type of malware recently targeted an Iranian nuclear facility and very slowly degraded the physical hardware, causing it to break well ahead of schedule. Malware tends to be very complex pieces of code with many layers of behavior.
What most people don’t know, is that malware is a commercially viable industry. People go to work specifically to create malware, and there are annual conferences that even award coders for the malware that has infected the most devices. Malware companies create the malicious code that is then sold to people who want to steal information.
“In my lab, we are working on malware attacks against critical infrastructure,” said Saltaformaggio. “Malware is extremely sophisticated and targeted, and it’s become increasingly harder to eradicate. My research hopes to prevent malware attacks and make people safer through cyber security.”
Smartphone users are already reaping the benefits of Saltaformaggio’s research. He recently developed a tool to identify malicious apps in the iOS app store. Cyber criminals have been hiding malware in apps that slip through the cracks at Apple. Saltaformaggio’s tool automates a search to detect apps with malware, and recently found that seven percent of apps in the app store that they tested had malware in them. Apple has improved its vetting process based on the findings from Saltaformaggio’s team.
Saltaformaggio measures his work by asking: Are we safer today than we were before we started this project? Between helping put away criminals and rooting out malware on consumer devices, Saltaformaggio has every intention of making the virtual world a safer place.