Seance: Divination of tool-breaking changes in forensically important binaries

Forensic Science International: Digital Investigation (2021)

Abstract
The value of memory analysis during digital forensics, incident response, and malware investigations has been recognized for over a decade. The power of memory forensics rests on the fact that volatile memory contains a substantial number of artifacts that are never recorded to disk or sent across the network in plaintext form. Orderly recovery of this data, known as structured analysis, allows the full system state at the time of acquisition to be reconstructed. For structured analysis to succeed, a memory analysis framework must have an accurate model of the data structures and algorithms of the target operating system and applications. Unfortunately, acquiring this layout is often difficult for even one version of an executable module, and the problem is compounded when support for a wide variety of versions is desired. This issue manifests in several ways, including forensics frameworks being unable to process memory samples containing unsupported versions of executable code or, worse, generating erroneous or incomplete results. Given the vital role memory analysis plays in modern investigations, these issues are unacceptable. In this paper, we present Seance, a system that implements automated binary analysis to provide accurate data structure layout information for different versions of targeted executable modules. The results of Seance can be consumed by analysis frameworks to accurately support all versions of a target module.
Keywords
Memory forensics, Program analysis, Digital forensics