We present Ares ,areverseengineeringtechniqueforassist- ing in the analysis of data recovered for the investigation of mobile and embedded systems. The focus of investigations into insider activity is most often on the data stored on the insider’s computers and digital devices — call logs, email messaging, calendar entries, text messages, and browser his- tory — rather than on the status of the system’s security. Ares is novel in that it uses a data-driven approach that in- corporates natural language processing techniques to infer the layout of input data that has been created according to some unknown specification. While some other reverse engineering techniques based on instrumentation of executables o ff er high accuracy, they are hard to apply to proprietary phone archi- tectures. We evaluated the e ff ectiveness of Ares on call logs and contact lists from ten used Nokia cell phones. We created a rule set by manually reverse engineering a single Nokia phone. Without modification to that grammar, Ares parsed most phones’ data with 90% of the accuracy of a commercial forensics tool based on manual reverse engineering, and all phones with at least 50% accuracy even though the endianess for one phone changed.
Available at: http://works.bepress.com/erik_learned_miller/54/