Robert J. Walls

Learn More
We present DEC0DE, a system for recovering information from phones with unknown storage formats, a critical problem for forensic triage. Because phones have myriad custom hardware and software, we examine only the stored data. Via flexible descriptions of typical data structures, and using a classic dynamic programming algorithm, we are able to identify(More)
Any individual that re-registers an expired domain implicitly inherits the residual trust associated with the domain's prior use. We find that adversaries can, and do, use malicious re-registration to exploit domain ownership changes - undermining the security of both users and systems. In fact, we find that many seemingly disparate security problems share(More)
Peer-to-peer networks are the most popular mechanism for the criminal acquisition and distribution of child pornography (CP). In this paper, we examine observations of peers sharing known CP on the eMule and Gnutella networks, which were collected by law enforcement using forensic tools that we developed. We characterize a year's worth of network activity(More)
Many technical mechanisms across computer security for attribution, identification, and classification are neither sufficient nor necessary for forensically valid digital investigations; yet they are often claimed as useful or necessary. Similarly, when forensic research is evaluated using the viewpoints held by computer security venues, the challenges,(More)
Covert timing channels provide a way to surreptitiously leak information from an entity in a higher-security level to an entity in a lower level. The difficulty of detecting or eliminating such channels makes them a desirable choice for adversaries that value stealth over throughput. When one considers the possibility of such channels transmitting(More)
In 2011, Adblock Plus---the most widely-used ad blocking software---began to permit some advertisements as part of their Acceptable Ads program. Under this program, some ad networks and content providers pay to have their advertisements shown to users. Such practices have been controversial among both users and publishers. In a step towards informing the(More)
The price of Internet services is user information, and many pay it without hesitation. While myriad privacy tools exist that thwart the detailed compilation of information about user habits, these tools often assume that reduced functionality is always justified by increased privacy. In contrast, we propose the adoption of functional privacy as a guiding(More)
We present Ares, a reverse engineering technique for assisting in the analysis of data recovered for the investigation of mobile and embedded systems. The focus of investigations into insider activity is most often on the data stored on the insider's computers and digital device - call logs, email messaging, calendar entries, text messages, and browser(More)
When forensic triage techniques designed for feature phones are applied to smart phones, these recovery techniques return hundreds of thousands of results, only a few of which are relevant to the investigation. We propose the use of relevance feedback to address this problem: a small amount of investigator input can efficiently and accurately rank in order(More)
Situation awareness depends on a reliable perception of the environment and comprehension of its semantic structures. In this respect, the cyberspace presents a unique challenge to the situation awareness of users and analysts, since it is a unique combination of human and machine elements, whose complex interactions occur in a global communication network.(More)