Research
Research Interests
Digital forensics, memory forensics, reverse engineering, malware analysis, operating systems internals, systems programming, high performance computing, and massively threaded applications.
Current Projects
My research lies in the overlap between memory forensics, operating systems internals, incident response, reverse engineering / malware analysis, systems programming, high performance computing, and massively threaded applications. Most of it is very applied and concerned with how systems work at a low level and in fine detail. I am completely unapologetic about the applied nature of my research, and highly skeptical of “click-bait” research that gets tons of press (or generates tons of publications) but has little practical impact.
I’m active in the academic, government, and professional research communities in computer security, and serve on the Executive Committee of the Digital Forensics Research Workshop (DFRWS), the Editorial Board of the Journal of Digital Investigation, and the Editorial Board of Computers and Security (COSE). I’m also a Fellow of the American Academy of Forensic Sciences. In digital and memory forensics I’ve concentrated on developing novel tools and techniques to make investigation easier, faster, and more productive. Other funded projects are listed in my CV.
My current focus is scalpel3, a massively threaded architecture for recovery of fragmented data (e.g. from damaged filesystems or flash media). Yes, I know it’s NP-hard. :) scalpel3 is a complete rewrite of the open-source Scalpel file carver, which I created in 2005 and which has since become a widely used data-recovery tool. The original Scalpel paper was among the first to address high-performance carving and spurred a large body of academic research. I then enhanced Scalpel with Vico Marziale — multithreading, in-place carving, GPU acceleration, and more. scalpel3 emphasizes practical solutions to data fragmentation for selected file types, as fast as possible on modern hardware. It isn’t open-sourced yet, but will be before long.
I also recently completed a cybersecurity book with Chris Hoofnagle of Berkeley, Cybersecurity in Context, published by Wiley in 2024.

Some Past Projects
I collaborated with Andrew Case of the Volatility Foundation, Aisha Ali-Gombe, and many graduate and undergraduate students on improving the reliability of memory forensics tools via a comprehensive fuzzing architecture called Gaslight, plus a platform for automatically delivering custom memory images and improved strategies for userland memory forensics. This work was supported through NSF (SaTC: CORE: Medium, Award #1703683, PI: Richard, $1,113,426) and our Scholarships for Service grant, and it produced numerous papers and two Black Hat talks.
Aisha Ali-Gombe and I also developed new approaches to teaching malware analysis, funded by NSA (“Introducing Active Learning to Malware Analysis Curricula,” PI: Richard, $210,131; co-PI: Ali-Gombe).
From 2013–2017 I collaborated with Xiangyu Zhang and Dongyan Xu of Purdue on systematic investigation of advanced targeted attacks in enterprise networks, relying on automatic reverse engineering and binary instrumentation to connect audit logs, executables, and data recovered from memory and disk. Funded by NSF (TWC: Medium: Collaborative, Award #1409534, PI: Richard, $511,193).
From 2010–2013 I worked with Irfan Ahmed and others on live forensics combined with virtual machine introspection, to reconstruct historical events of forensic interest and detect malicious software. Funded by NSF (TC-Small, Award #1016807, PI: Richard, $598,664).
I’ve also collaborated with Carl Weems of Iowa State and Irfan Ahmed of the University of New Orleans on the psychological underpinnings of cybercrime — how anxiety and callous traits affect usable security and susceptibility to social engineering. Funded by NSF (EAGER, $223,022; PI: Ahmed).
Not too long ago I worked with Vassil Roussev and Irfan Ahmed on two further NSF grants — using container technologies for cybersecurity training ($300K) and peer instruction in cybersecurity ($300K, with Cynthia Bailey Lee of Stanford).
With Vassil Roussev I developed DELV, a distributed computing framework for digital forensics that runs on commodity clusters and dramatically improves performance on large forensic targets — accelerating keyword search, image thumbnailing, and file carving, and enabling evidence correlation and steganography detection. The DELV paper was the first to apply HPC principles to digital forensics and challenged single-workstation tool architectures; roughly a decade later the commercial industry embraced the idea (e.g. AccessData’s FTK). A natural follow-up used modern GPUs (NVIDIA G80 and successors) to accelerate techniques such as file carving — work with Vico Marziale that was presented at DFRWS and featured in NVIDIA’s GPU computing showcase.
In the more distant past I worked across experimental computer science: distributed computing, reliable HPC, computer graphics, mobile computing, sensor networks, service discovery protocols, reliable multicast, and network visualization. Highlights:
- Improving unicast and multicast routing in ad hoc wireless networks (with Ph.D. students Abdul Altalhi and Lawrence Klos).
- Design of a novel wireless intrusion detection system (WIDS, with ATC-NY).
- One of the first full-featured service discovery protocols for wireless sensor networks (TinySDP, with Loren Schwiebert).
- The first book on service discovery protocols (Service and Device Discovery: Protocols and Programming, McGraw-Hill) — covering Jini, UPnP, SLP, and Bluetooth SDP.
- A network architecture for interoperability between Jini and Universal Plug and Play.
- A textbook on mobile computing with Frank Adelstein, Sandeep Gupta, and Loren Schwiebert (Fundamentals of Mobile and Pervasive Computing, McGraw-Hill).
- Bessie, a network topology generation and visualization tool supporting earlier ad hoc networking research.
- The first scheme and paper on using message logging to reduce checkpointing overhead in reliable distributed shared memory systems.