Golden G. Richard III, an expert in digital forensics and cybersecurity, will join the faculty of LSU’s College of Engineering in spring 2017 as a professor of computer science and will work in LSU’s Center for Computation and Technology. Richard has been a faculty member at the University of New Orleans since 1994.
He’ll be teaching LSU’s first malware reverse-engineering course, which involves dissecting computer viruses, ransomware and other forms of malware to determine what they do, how they spread and potentially how to detect them.
We recently spoke to Richard about his current work.
In lay terms, what is memory forensics?
Traditionally, computer forensics (or digital forensics) was concerned only with evidence stored on hard drives, USB thumb drives, etc. These storage devices retain data when power is removed from the computer system, or when the thumb drive is removed from the computer system. These techniques targeted the recovery of deleted files, discovery of web browsing activities, attempts to deliberately hide data, etc. The problem is that there’s more evidence to be found, specifically in the computer’s RAM, and these techniques completely miss this evidence. Memory forensics to the rescue! Memory forensics techniques are used to capture a copy of the computer’s RAM before the machine is turned off. Then, by analyzing the RAM copy, we can find all sorts of interesting evidence, including hidden malicious applications that are stealing user data, illicit network connections and more.
One of my former students and current collaborators is the co-author of a book on memory forensics that explains the topic in great detail. The book is called “The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory.” I was the technical editor on the book.
What are you working on now?
The research focus now is how to detect “user-level” malware — malware that operates without infecting the computer’s operating system. This research is being conducted with one of my former students, Andrew Case, who is a member of the Volatility Foundation, which supports development of the most popular memory forensics tool set. We just submitted a grant request to the National Science Foundation to fund this and other work in memory forensics. We should know in about six months whether this grant will be funded.
What are some situations where memory forensics is used?
Memory forensics is useful in many circumstances, but it really stands out in malware analysis. Antivirus may miss indicators that computers are infected with spyware and other types of malware, but memory forensics techniques can be used to better detect, isolate and understand the impact of malware infections.
Can you describe “user-level” malware?
There are two primary types of malware. “Kernel-level” malware infects the operating system. This is generally disastrous, as now the entire computer is compromised and potentially untrustworthy. Operating systems vendors, however, continue to introduce security features that make writing kernel-level malware more difficult. Malware authors, therefore, turn to user-level malware, which infects applications — for example, malicious code injected into Skype to monitor communications, or a web browser to steal data entered into online financial forms. My research with Andrew Case involves memory forensics to detect user-level malware. This currently impacts investigators the most, but our hope is that the research will “trickle down” into security products that benefit home users, too.
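The two answers above describe capturing a RAM image and then looking in it for code that was injected into a legitimate application. The following Python script is an added example written for this page; it is not code from the Volatility project and not the interview subject’s research. It applies the widely used “malfind” heuristic: in a process’s memory map, executable memory that is not backed by a file on disk is suspicious, and it becomes very suspicious when it starts with a PE header or a function prologue. The `MemoryRegion` records are assumed to have been produced by a memory forensics tool that parsed the image (the per-process memory map and the first bytes of each region); the sample regions below are constructed by hand, including one modelled on a payload injected into a Skype process.

```python
"""Added example: a malfind-style scan of one process's memory map taken from a RAM image.

Illustrative code written for this page. The region records are assumed to come from a
memory forensics tool that has already parsed the image; the sample data is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MemoryRegion:
    start: int              # virtual start address of the region
    end: int                # virtual end address (exclusive)
    protection: str         # page protection flags as a string, e.g. "rwx" or "r-x"
    backing: Optional[str]  # path of the mapped file, or None for private/anonymous memory
    head: bytes             # first bytes of the region as read from the memory image


# Byte patterns commonly found at the start of injected code (constructed list).
CODE_PROLOGUES = (
    b"\x55\x8b\xec",          # push ebp; mov ebp, esp      (x86)
    b"\x55\x48\x89\xe5",      # push rbp; mov rbp, rsp      (x86-64)
    b"\x48\x83\xec",          # sub rsp, imm8               (x86-64)
    b"\x40\x53\x48\x83\xec",  # push rbx; sub rsp, imm8     (x86-64, MSVC style)
)


def looks_like_code(head: bytes) -> str:
    """Return a short reason if the bytes look like executable code, else an empty string."""
    if head[:2] == b"MZ":
        return "PE header in anonymous memory"
    for prologue in CODE_PROLOGUES:
        if head.startswith(prologue):
            return "function prologue at region start"
    return ""


def find_injected_regions(regions: List[MemoryRegion]) -> List[Tuple[int, str, str]]:
    """Flag executable regions that are not backed by a file on disk.

    Returns (start address, confidence, reason). File-backed executable memory is the
    normal case (the program's own image and its DLLs) and is skipped. Anonymous
    executable memory that begins with recognizable code is reported with high
    confidence; anonymous rwx memory with no recognizable code is reported with low
    confidence, because JIT compilers in browsers legitimately create such regions.
    """
    findings = []
    for r in regions:
        executable = "x" in r.protection
        writable = "w" in r.protection
        if not executable or r.backing is not None:
            continue
        reason = looks_like_code(r.head)
        if reason:
            findings.append((r.start, "high", reason))
        elif writable:
            findings.append((r.start, "low", "anonymous rwx memory, no recognizable code (JIT?)"))
    return findings


# Constructed memory map for a single process (not taken from a real image).
SAMPLE_REGIONS = [
    # The program's own image: executable but file-backed, so it is not flagged.
    MemoryRegion(0x00400000, 0x00420000, "r-x", r"C:\Program Files\Skype\Skype.exe",
                 b"MZ\x90\x00\x03\x00\x00\x00"),
    # Ordinary heap: not executable, so it is not flagged.
    MemoryRegion(0x00600000, 0x00700000, "rw-", None, b"\x00" * 8),
    # A reflectively loaded DLL: anonymous rwx memory starting with a PE header.
    MemoryRegion(0x02A10000, 0x02A20000, "rwx", None, b"MZ\x90\x00\x03\x00\x00\x00"),
    # Shellcode whose protection was tightened after writing: anonymous r-x with a prologue.
    MemoryRegion(0x03F00000, 0x03F01000, "r-x", None, b"\x55\x8b\xec\x83\xec\x40"),
    # Anonymous rwx memory with no recognizable code: could be a JIT buffer, needs triage.
    MemoryRegion(0x1C000000, 0x1C100000, "rwx", None, b"\x00" * 8),
]


if __name__ == "__main__":
    for start, confidence, reason in find_injected_regions(SAMPLE_REGIONS):
        print(f"{start:#010x}  {confidence:4s}  {reason}")
```

On a real image the region list would come from a tool that walks the process’s virtual address descriptors (Windows) or memory map (Linux); the script only shows the decision logic applied afterwards. The low-confidence branch is the practical caveat: modern browsers and runtimes JIT code into anonymous rwx pages, so a hit there is a lead to examine (dump the region, disassemble it, check which thread runs in it), not a verdict.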
How can students best prepare themselves to work in this field?
The most important thing that’s required in this field is self-study. First, learn absolutely everything you can about operating systems and low-level programming. Also, it’s great to take cybersecurity courses, but you must stay current and constantly stretch your understanding of the state of the art in the field. This can be exhausting, which explains why the most successful people in cybersecurity also consider the study of cybersecurity to be something of a hobby — it’s something they want to do, not simply have to do. In terms of staying afloat, perhaps the best way to do this is to use Twitter. Monitoring the hashtags #DFIR and #INFOSEC will really help you stay current. Things change in cybersecurity every minute, and these live feeds generally give you a good idea of what’s happening.
For students who study this type of cybersecurity, which industries will need their skills?
There are a number of choices. Some will work for private companies. These jobs might involve research and development of new cybersecurity tools (e.g. working at an antivirus company like Kaspersky or McAfee) or using advanced cybersecurity techniques to protect computer systems and networks (e.g. at a bank, as a security specialist). Others might work in law enforcement, for the intelligence community or other areas of government. There are many options, and there’s also tremendous demand.