Brendan Dolan-Gavitt's Research Home Page
Jump to: Biography | Current Projects | Publications | Software | Blog
I'm a first year Ph.D. student at Georgia Tech, working in the Georgia Tech Information Security Center (GTISC). My interests lie in the area of systems security, and in particular finding ways to use virtualization to improve the security of commodity operating systems like Windows. I am also active in the rapidly growing field of memory forensics, and have published papers on extracting forensically relevant information from images of RAM. I received my B.A. in Mathematics and Computer Science from Wesleyan University in 2006, and spent two years working as an information security analyst and researcher for the MITRE Corporation. Currently, I am co-advised by Dr. Jonathon Giffin and Dr. Wenke Lee.
- Coming soon!
- Dolan-Gavitt, Brendan. The VAD tree: A process-eye view of physical memory. Digital Investigation, Volume 4, Supplement 1, September 2007, Pages 62-64. [pdf] [slides] [BibTex]
- Dolan-Gavitt, Brendan. Forensic analysis of the Windows registry in memory. Digital Investigation, Volume 5, Supplement 1, September 2008, Pages S26-S32. [pdf] [slides] [BibTex]
- Virtual Address Descriptor Tools
- The VAD tools are a set of scripts for working with Virtual Address Descriptor structures in dumps of Windows physical memory to provide detailed information about a process's memory allocations to a forensic investigator. (Note: the functionality of these tools has now been implemented in Volatility, and their use is no longer recommended.)
- PDBparse
- PDBparse is a GPL-licensed library for parsing Microsoft PDB files. Support for these is already available within Windows through the Debug Interface Access API, however, this interface is not usable on other operating systems. PDB files provide a way to access debugging information about programs compiled with Microsoft Visual Studio, and can enable interesting applications such as extracting the Windows kernel data structures or finding non-exported kernel global vairables, all without access to the source.
- Volatility
- Along with AAron Walters and several others, I help develop and maintain Volatility, an open-source (GPL-licensed) memory forensics framework. Volatility can do a lot of really cool things with memory images, from listing processes and threads, to viewing open network connections, to reconstructing executable files out of memory. I have also written some small extensions that allow it to interpret the memory of live virtual machines under Xen, using the XenAccess library.
