Abstract
While static examination of computer systems is an important part of many digital forensics investigations, there are often important system properties present only in volatile memory that cannot be effectively recovered using static analysis techniques, such as offline hard disk acquisition and analysis. An alternative approach, involving the live analysis of target systems to uncover this volatile data, presents significant risks and challenges to forensic investigators as observation techniques are generally intrusive and can affect the system being observed. This paper provides a discussion of live digital forensics analysis through virtual introspection and presents a suite of virtual introspection tools developed for Xen (VIX tools). The VIX tools suite can be used for unobtrusive digital forensic examination of volatile system data in virtual machines, and addresses a key research area identified in the virtualization in digital forensics research agenda [22].
- [1] Access Data. Retrieved August 10, 2007 from http://www.accessdata.com/
- [2] Asrigo, K., Litty, L., and Lie, D. Using VMM-Based Sensors to Monitor Honeypots. In Proceedings of the 2nd ACM/USENIX International Conference on Virtual Execution Environments (VEE 2006), June 2006.
- [3] Beyond the CPU: Defeating Hardware Based RAM Acquisition. Retrieved November 15, 2007 from http://i.i.com.com/cnwk.1d/i/z/200701/bh-dc-07-Rutkowska-ppt.pdf
- [4] Carrier, B., and Grand, J. A hardware-based memory acquisition procedure for digital investigations. The International Journal of Digital Forensics & Incident Response. Retrieved November 15, 2007 from www.sciencedirect.com
- [5] Crosby, S., and Brown, D. (2006). The Virtualization Reality. ACM Queue, December/January 2006--2007, pp. 34--41.
- [6] Data Center Management Research Report September 2007. Retrieved November 15, 2007 from http://www.novell.com/products/zenworks/orchestrator/data_center_research_report_sep2007.pdf
- [7] Garfinkel, T., and Rosenblum, M. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the 10th Annual Symposium on Network and Distributed System Security (NDSS 2003), pages 191--206, Feb. 2003.
- [8] Grand Idea Studio: Tribble. Retrieved November 15, 2007 from http://www.grandideastudio.com/src/portfolio.php?cat=&prod=14
- [9] Guidance Software, Inc. EnCase. Retrieved August 10, 2007 from http://www.guidancesoftware.com/
- [10] Hit by a Bus: Physical Access Attacks with Firewire. http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf
- [11] Introducing Blue Pill. Retrieved November 15, 2007 from http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html
- [12] Jiang, X., Wang, X., and Xu, D. 2007. Stealthy malware detection through VMM-based "out-of-the-box" semantic view reconstruction. In Proceedings of the 14th ACM Conference on Computer and Communications Security (Alexandria, Virginia, USA, October 28--31, 2007). CCS '07. ACM, New York, NY, 128--138. DOI=http://doi.acm.org/10.1145/1315245.1315262
- [13] Kernel based Virtual Machine. Retrieved November 18, 2007 from http://kvm.qumranet.com/kvmwiki
- [14] Kourai, K., and Chiba, S. 2005. HyperSpector: virtual distributed monitoring environments for secure intrusion detection. In Proceedings of the 1st ACM/USENIX International Conference on Virtual Execution Environments (Chicago, IL, USA, June 11--12, 2005). VEE '05. ACM, New York, NY, 197--207. DOI=http://doi.acm.org/10.1145/1064979.1065006
- [15] Litty, L., and Lie, D. 2006. Manitou: a layer-below approach to fighting malware. In Proceedings of the 1st Workshop on Architectural and System Support for Improving Software Dependability (San Jose, California, October 21, 2006). ASID '06. ACM, New York, NY, 6--11. DOI=http://doi.acm.org/10.1145/1181309.1181311
- [16] Microsoft Virtual PC Server. Retrieved July 15, 2007 from http://www.microsoft.com/windows/products/wi
- [17] National Security Agency Central Security Service -- Technology Profile Fact Sheet. Retrieved November 15, 2007 from http://www.nsa.gov/techtrans/techt00011.cfm
- [18] Parallels. Retrieved July 25, 2007 from http://www.parallels.com/
- [19] ParavirtBenefits. Retrieved November 15, 2007 from http://virt.kernelnewbies.org/ParavirtBenefits
- [20] Payne, B. D., Sailer, R., Cáceres, R., Perez, R., and Lee, W. 2007. A layered approach to simplified access control in virtualized systems. SIGOPS Oper. Syst. Rev. 41, 4 (Jul. 2007), 12--19. DOI=http://doi.acm.org/10.1145/1278901.1278905
- [21] Petroni, N. L., and Hicks, M. 2007. Automated detection of persistent kernel control-flow attacks. In Proceedings of the 14th ACM Conference on Computer and Communications Security (Alexandria, Virginia, USA, October 28--31, 2007). CCS '07. ACM, New York, NY, 103--115. DOI=http://doi.acm.org/10.1145/1315245.1315260
- [22] Pollitt, M., Nance, K., Hay, B., Dodge, R., Craiger, P., Burke, P., Marberry, C., and Brubaker, B. Virtualization and Digital Forensics: A Research and Education Agenda. Journal of Digital Forensic Practice. Taylor & Francis, Philadelphia, PA. (in press)
- [23] QEMU. Open Source Processor Emulator. Retrieved November 18, 2007 from http://fabrice.bellard.free.fr/qemu/
- [24] Quynh, N. A., and Takefuji, Y. 2007. Towards a tamper-resistant kernel rootkit detector. In Proceedings of the 2007 ACM Symposium on Applied Computing (Seoul, Korea, March 11--15, 2007). SAC '07. ACM, New York, NY, 276--283. DOI=http://doi.acm.org/10.1145/1244002.1244070
- [25] Red Hat Enterprise Linux 5 -- Virtualization. Retrieved November 15, 2007 from http://www.redhat.com/rhel/virtualization/
- [26] Rosenblum, M. 2004. The Reincarnation of Virtual Machines. Queue 2, 5 (Jul. 2004), 34--40.
- [27] Seshadri, A., Luk, M., Qu, N., and Perrig, A. 2007. SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In Proceedings of the Twenty-First ACM SIGOPS Symposium on Operating Systems Principles (Stevenson, Washington, USA, October 14--17, 2007). SOSP '07. ACM, New York, NY, 335--350. DOI=http://doi.acm.org/10.1145/1294261.1294294
- [28] SLES 10 -- Novell Virtualization Technology. Retrieved November 15, 2007 from http://www.novell.com/documentation/vmserver/pdfdoc/virtualization_basic/virtualization_basics.pdf
- [29] UNIX man pages: ps. Retrieved November 15, 2007 from http://unixhelp.ed.ac.uk/CGI/man-cgi?ps
- [30] VMware. Retrieved November 18, 2007 from http://www.vmware.com
- [31] VMware White Paper: Understanding Full Virtualization, Paravirtualization, and Hardware Assist. Retrieved November 15, 2007 from http://www.vmware.com/files/pdf/VMware_paravirtualization.pdf
- [32] XenAccess Documentation. Retrieved November 15, 2007 from http://xenaccess.sourceforge.net/doc/index.html
- [33] XenSource. Retrieved July 27, 2007 from http://www.xensource.com/xen/xen/nfamily/virtualpc/default.mspx
- [34] Xen: Mailing Lists. Retrieved November 15, 2007 from http://lists.xensource.com/
- [35] Xu, M., Jiang, X., Sandhu, R., and Zhang, X. 2007. Towards a VMM-based usage control framework for OS kernel integrity protection. In Proceedings of the 12th ACM Symposium on Access Control Models and Technologies (Sophia Antipolis, France, June 20--22, 2007). SACMAT '07. ACM, New York, NY, 71--80. DOI=http://doi.acm.org/10.1145/1266840.1266852