Authors: Muhammad Shaharyar Yaqub, Wooyeon Jo, Tameer Nadeem, Erdem Topsakal, Irfan Ahmed

DFRWS USA 2026

Abstract

Medical devices increasingly operate as networked computing platforms, yet incident response remains difficult because many regulated systems restrict logging, execution, and evidence collection. Point-of-care ultrasound (POCUS) devices are especially challenging: they are workflow-driven, safety-adjacent, and often run embedded, vendor-managed Windows stacks that handle patient-associated data while limiting investigator access. To our knowledge, this paper presents the first end-to-end forensic readiness and physical-memory forensics study of a POCUS platform, using the GE Venue Ultrasound system as a case study.

We introduce URSA, a volatile-first readiness workflow for constrained ultrasound devices, and operationalize it with a UI-state-driven acquisition design that ties memory collection to observable clinical modes. Across seven full physical memory dumps captured before and after controlled scan-and-review interactions, we demonstrate repeatable acquisition under segmented storage and restrictive execution boundaries. Memory analysis reconstructs the clinical launch chain and yields both security-relevant artifacts and clinical exposure artifacts, including structured patient-associated logs and renderable diagnostic images recovered from RAM, with persistence characterized across states and time offsets. We complement volatile results with targeted disk-side context to quantify permission boundaries and corroborate selected findings. These findings provide practical guidance for improving forensic readiness and privacy-aware response on regulated ultrasound platforms.
