Memory Carving in Embedded Devices: Separate the Wheat from the Chaff

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9696)


This paper investigates memory carving techniques for embedded devices. Given that cryptographic material in memory dumps makes carving techniques inefficient, we introduce a methodology to distinguish meaningful information from cryptographic material in small-sized memory dumps. The proposed methodology uses an adaptive boosting technique with statistical tests. Experimented on EMV cards, the methodology recognized 92% of meaningful information and \(98\,\%\) of cryptographic material.


Forensics Memory carving Randomness Embedded devices Smartcards Privacy 


  1. 1.
    Alcover, P.M., Guillamón, A., del Ruiz, M.C.: A new randomness test for bit sequences. Informatica 24(3), 339–356 (2013)MathSciNetGoogle Scholar
  2. 2.
    Avoine, G., Kalach, K., Quisquater, J.-J.: ePassport: securing international contacts with contactless chips. In: Tsudik, G. (ed.) FC 2008. LNCS, vol. 5143, pp. 141–155. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  3. 3.
    Burdach, M.: Physical memory forensics (2006).
  4. 4.
    Calypso CNA: Calypso.
  5. 5.
    Cohen, M.I.: Advanced carving techniques. Digital Invest. 4(3), 119–128 (2007)CrossRefGoogle Scholar
  6. 6.
    Coisel, I., Sanchez, I., Shaw, D.: Physical attacks against the lack of perfect forward secrecy in dect encrypted communications and possible countermeasures. In: International Wireless Communications and Mobile Computing Conference (IWCMC). pp. 594–599 (2015)Google Scholar
  7. 7.
    Doğanaksoy, A., Çalık, C., Sulak, F., Turan, M.S.: New randomness tests using random walk. In: National Cryptology Symposium II (2006)Google Scholar
  8. 8.
    EMVCo: EMV integrated circuit card specifications for payment systems, June 2008Google Scholar
  9. 9.
    Freund, Y., Schapire, R., Abe, N.: A short introduction to boosting. J. Jpn. Soc. Artif. Intell. 14(5), 771–780 (1999)Google Scholar
  10. 10.
    Friedman, W.F.: The Index of Coincidence and its Applications in Cryptanalysis. Aegean Park Press, California (1987)Google Scholar
  11. 11.
    Hastie, T., Rosset, S., Zhu, J., Zou, H.: Multi-class adaboost. Stat. Interface 2(3), 349–360 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Kajdanowicz, T., Kazienko, P.: Boosting-based sequential output prediction. New Gener. Comput. 29(3), 293–307 (2011)CrossRefzbMATHGoogle Scholar
  13. 13.
    Knuth, D.E.: The Art of Computer Programming: Seminumerical Algorithms, vol. 2. Addison-Wesley, Reading (1997)zbMATHGoogle Scholar
  14. 14.
    Lanet, J.L., Bouffard, G., Lamrani, R., Chakra, R., Mestiri, A., Monsif, M., Fandi, A.: Memory forensics of a java card dump. Smart Card Research and Advanced Applications. LNCS, vol. 8968, pp. 3–17. Springer, Heidelberg (2014)Google Scholar
  15. 15.
    Laurie, A.: Rfidiot.
  16. 16.
    Pannetrat, A.: Cardpeek.
  17. 17.
    Pedregosa, F., Varoquaux, G., Gramfort, A., Michel, V., Thirion, B., Grisel, O., Blondel, M., Prettenhofer, P., Weiss, R., Dubourg, V., et al.: Scikit-learn: machine learning in python. J. Mach. Learn. Res. 12, 2825–2830 (2011)MathSciNetzbMATHGoogle Scholar
  18. 18.
    Poisel, R., Tjoa, S.: A comprehensive literature review of file carving. In: 2013 Eighth International Conference on Availability, Reliability and Security (ARES), pp. 475–484. IEEE (2013)Google Scholar
  19. 19.
    Rukhin, A., Soto, J., Nechvatal, J., Smid, M., Barker, E., Leigh, S., Levenson, M., Vangel, M., Banks, D., Heckert, A., Dray, J., Vo, S.: A statistical test suite for random and pseudorandom number generators for cryptographic applications. Technical report, DTIC Document April 2010Google Scholar
  20. 20.
    Shamir, A., van Someren, N.: Playing hide and seek with stored keys. In: Franklin, M.K. (ed.) FC 1999. LNCS, vol. 1648, pp. 118–124. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  21. 21.
    SKIDATA AG: Skidata.
  22. 22.
    Su, J., Zhang, H.: A fast decision tree learning algorithm. AAAI 6, 500–505 (2006)Google Scholar
  23. 23.
    Sulak, F.: A new statistical randomness test: saturation point test. Int. J. Inf. Secur. Sci. 2(3), 81–85 (2013)Google Scholar
  24. 24.
    Sulak, F., Doğanaksoy, A., Ege, B., Koçak, O.: Evaluation of randomness test results for short sequences. In: Carlet, C., Pott, A. (eds.) SETA 2010. LNCS, vol. 6338, pp. 309–319. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  25. 25.
    Van Deursen, T., Mauw, S., Radomirovic, S.: mCarve: carving attributed dump sets. In: USENIX Security Symposium. pp. 107–121 (2011)Google Scholar
  26. 26.
    Yoo, B., Park, J., Lim, S., Bang, J., Lee, S.: A study on multimedia file carving method. Multimedia Tools Appl. 61(1), 243–261 (2012)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.Normandie Univ, ENSICAEN, UNICAEN, CNRS, GREYCCaenFrance
  2. 2.INSA Rennes, IRISA UMR 6074RennesFrance
  3. 3.Institut Universitaire de FranceParisFrance

Personalised recommendations