Digital Forensics and Security Vulnerabilities in GPU

Yazeed Albabtain, Purdue University


The purpose of this research is to perform a graphics recovery process on the GPU in line with the principles of computer forensics. The research investigates three different venues in the GPU forensics field. The first venue targets the recovery of images and web pages. The researchers tested the possibility of recovering artifacts of the last visited web pages and the last opened images from the GPU's global memory. The tested image types are JPEG, TIFF, and BMP graphic file formats of 64x64 pixels, 100x100 pixels, 200x200 pixels, 245x256 pixels, 512x512 pixels, and 1024x1024 pixels in size. Other variables, such as the choice of OS, GPU, and GPU driver, were also tested to measure their effect on the proposed method. The research indicates that recovering artifacts from the GPU's global memory is possible using a set of unique pixel patterns. The research highlights three challenges of implementing forensic techniques on GPUs: 1) the elusive global memory allocation scheme of GPUs; 2) varying levels of support across GPU drivers; and 3) the prerequisite of using certain types of OS and applications. The second venue is GPU video forensics, which investigates the possibility of recovering video artifacts from an NVIDIA GPU. The tested videos are 512 x 512 in resolution for video 1 and 800 x 600 in resolution for video 2; both use the MPEG-4 video codec. The VLC and GOM video players were used in the experiment. A special program was developed using OpenCL to 1) recover patterns, i.e. frames consisting of pixel values, and 2) dump data from the GPU global memory. The dump data representing the video frame were located using simple steps. The recovery process was successful. For the 512 x 512 resolution video, the frames were only partially recovered, but they show enough information for the forensic investigator to determine what was viewed last. The research indicates that it is harder, but not impossible, to obtain a viewable frame from higher-resolution video.
The third venue of this research targets the security side of the GPU by reverse engineering a unique family of malware, namely Win Jelly and the Demon keylogger, that escapes detection by using AMD and NVIDIA Graphics Processing Units (GPUs) as a hideout. Static and dynamic analyses of Win Jelly and Demon are presented to gain a deeper understanding of how this malware behaves and how it exploits the GPU. Two separate techniques were developed, using OpenCL and CUDA, to completely remove the malware from the GPU and to help prevent future threats. The proposed method and tools successfully removed the malicious files from the GPU without any drawbacks.
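As an added illustration of the pixel-pattern recovery approach used in the first two venues above (example code written for this page, not the dissertation's OpenCL program): the host-side step that scans a global-memory dump for a known unique pixel pattern, carves one frame per hit, and reports whether the frame is complete or only partially recovered. The dump is a constructed byte buffer, and the 4x4 RGB test image, the 3-bytes-per-pixel layout and all helper names are assumptions.

```python
# Added example (not the dissertation's code): carve an image frame out of a
# GPU global-memory dump by searching for a known unique pixel pattern. The dump
# is a constructed byte buffer; the 4x4 RGB test image is an assumption.

BPP = 3  # 24-bit RGB raster, 3 bytes per pixel (assumption)

# Constructed 4x4 test image; its first row is the planted "unique pixel pattern".
TEST_IMAGE = [
    [(255, 0, 0), (0, 255, 0), (0, 0, 255), (255, 255, 255)],
    [(10, 20, 30)] * 4,
    [(40, 50, 60)] * 4,
    [(70, 80, 90)] * 4,
]

def raster_bytes(rows):
    """Flatten pixel rows into the raw RGB byte layout a GPU buffer would hold."""
    return bytes(ch for row in rows for px in row for ch in px)

def signature_from_row(rows, row=0):
    """The search key: one raster row of the known test image as raw bytes."""
    return raster_bytes([rows[row]])

def carve_frames(dump, signature, width, height, bpp=BPP):
    """Cut out one frame (width*height*bpp bytes) at every signature hit. A hit
    near the end of the dump gives a partial frame; rows_recovered says how
    many complete raster rows are still viewable."""
    frame_len, row_len = width * height * bpp, width * bpp
    hits, pos = [], dump.find(signature)
    while pos != -1:
        chunk = dump[pos:pos + frame_len]
        hits.append({"offset": pos, "data": chunk,
                     "complete": len(chunk) == frame_len,
                     "rows_recovered": len(chunk) // row_len})
        pos = dump.find(signature, pos + 1)
    return hits

def to_ppm(frame, width, height, bpp=BPP):
    """Wrap a (possibly partial) frame in a binary PPM header for a viewer;
    missing tail bytes are zero-padded and show as black."""
    body = frame.ljust(width * height * bpp, b"\x00")
    return b"P6\n%d %d\n255\n" % (width, height) + body

def build_test_dump():
    """Constructed dump: filler, a full copy of the image, more filler, then a
    copy cut off after two rows to mimic a partially overwritten frame."""
    filler = lambda n: (b"\xaa\x55" * n)[:n]  # can never contain the signature
    raster = raster_bytes(TEST_IMAGE)
    return filler(37) + raster + filler(64) + raster[:2 * len(TEST_IMAGE[0]) * BPP]
```

On real hardware the bytes passed to carve_frames would come from a buffer read back with the OpenCL clEnqueueReadBuffer call rather than from build_test_dump.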

Yang, Purdue University.

Subject Area

Computer Engineering|Computer science
