Photo of Brendan Dolan-Gavitt

3115 Klaus Advanced Computing Building
(617) 913-9060

Brendan Dolan-Gavitt's Research Home Page

Jump to: Biography | Publications | Software | Blog

I have moved! Please check out my homepage at NYU for the most up-to-date information.


I'm a sixth year Ph.D. student at Georgia Tech, working in the Georgia Tech Information Security Center (GTISC). My interests lie in the area of systems security, and in particular developing automated techniques for understanding computing systems and using that understanding to develop novel defenses. I am also active in the rapidly growing field of memory forensics, and have published papers on extracting forensically relevant information from images of RAM. I received my B.A. in Mathematics and Computer Science from Wesleyan University in 2006, and spent two years working as an information security analyst and researcher for the MITRE Corporation. Currently, I am advised by Dr. Wenke Lee.

I am currently seeking a tenure-track research faculty position for Fall of 2014. Interested parties should peruse my curriculum vitae, research statement, and teaching statement.





PANDA: Platform for Architecture-Neutral Dynamic Analysis
PANDA is the Platform for Architecture-Neutral Dynamic Analysis. It is a platform based on QEMU 1.0.1 and LLVM 3.3 for performing dynamic software analysis, abstracting architecture-level details away with a clean plugin interface. Particularly notable features include Android platform emulation and support for deterministic record and replay. It is currently being developed in collaboration with MIT Lincoln Laboratory, Georgia Tech, and Northeastern University.
Virtuoso is a system for automatically generating tools that can be used to introspect into virtual machines or extract information from memory images. It consists of a dynamic tracing system that records the execution of an in-guest program, and an analysis and translation component that converts the traces into a compact, out-of-guest program that computes the same result. More details can be found in our 2011 IEEE Security and Privacy paper.
Virtual Address Descriptor Tools
The VAD tools are a set of scripts for working with Virtual Address Descriptor structures in dumps of Windows physical memory to provide detailed information about a process's memory allocations to a forensic investigator. (Note: the functionality of these tools has now been implemented in Volatility, and their use is no longer recommended.)
PDBparse is a GPL-licensed library for parsing Microsoft PDB files. Support for these is already available within Windows through the Debug Interface Access API, however, this interface is not usable on other operating systems. PDB files provide a way to access debugging information about programs compiled with Microsoft Visual Studio, and can enable interesting applications such as extracting the Windows kernel data structures or finding non-exported kernel global vairables, all without access to the source.
Along with AAron Walters and several others, I help develop and maintain Volatility, an open-source (GPL-licensed) memory forensics framework. Volatility can do a lot of really cool things with memory images, from listing processes and threads, to viewing open network connections, to reconstructing executable files out of memory. I have also written some small extensions that allow it to interpret the memory of live virtual machines under Xen, using the XenAccess library.

Other Sites of Interest