Trail of bytes: efficient support for forensic analysis

For the most part, forensic analysis of computer systems requires that one first identify suspicious objects or events, and then examine them in enough detail to form a hypothesis as to their cause and effect. Sadly, while our ability to gather vast amounts of data has improved significantly over the past two decades, it is all too often the case that we lack detailed information just when we need it the most. Simply put, the current state of computer forensics leaves much to be desired. In this paper, we attempt to improve on the state of the art by providing a forensic platform that transparently monitors and records data access events within a virtualized environment using only the abstractions exposed by the hypervisor. Our approach monitors accesses to objects on disk and follows the causal chain of these accesses across processes, even after the objects are copied into memory. Our forensic layer records these transactions in a version-based audit log that allows for faithful and efficient reconstruction of the recorded events and the changes they induced. To demonstrate the utility of our approach, we provide an extensive empirical evaluation, including a real-world case study demonstrating how our platform can be used to reconstruct valuable information about the what, when, and how, after a compromise has been detected.
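The two ideas the abstract sketches, a version-based audit log and a causal chain that links a written object back through the processes that read its sources, as an added Python illustration written for this page (it is not the paper's platform or code; the hypervisor-level capture is out of scope, and the process ids, file names and event order in `demo_log` are constructed):

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class AccessEvent:
    seq: int    # position in the log; doubles as the version number
    pid: int    # process that performed the access
    obj: str    # disk object (a file path in this constructed example)
    op: str     # "read" or "write"
    data: Optional[bytes] = None  # contents stored by a write; None for reads

class VersionedAuditLog:
    """Append-only access log: each write is a new version; reads are kept for tracing."""
    def __init__(self) -> None:
        self.events: List[AccessEvent] = []
    def record(self, pid: int, obj: str, op: str, data: Optional[bytes] = None) -> None:
        self.events.append(AccessEvent(len(self.events), pid, obj, op, data))
    def last_write(self, obj: str, limit: Optional[int] = None) -> Optional[AccessEvent]:
        """Most recent write to obj at or before version limit (any version if None)."""
        hits = [e for e in self.events if e.obj == obj and e.op == "write"
                and (limit is None or e.seq <= limit)]
        return hits[-1] if hits else None
    def reconstruct(self, obj: str, at_seq: Optional[int] = None) -> Optional[bytes]:
        """Contents of obj as they were at version at_seq (latest if None)."""
        w = self.last_write(obj, at_seq)
        return w.data if w else None
    def causal_chain(self, obj: str) -> List[AccessEvent]:
        """Writes that led to obj: its producing write, then for each read the writer
        made beforehand, the write that produced that source as of the read, recursively."""
        chain, seen, stack = [], set(), [(obj, None)]
        while stack:
            o, limit = stack.pop()
            w = self.last_write(o, limit)
            if w is None or w.seq in seen:
                continue
            seen.add(w.seq)
            chain.append(w)
            stack += [(r.obj, r.seq) for r in self.events[:w.seq]
                      if r.pid == w.pid and r.op == "read"]
        return sorted(chain, key=lambda e: e.seq)

def demo_log() -> VersionedAuditLog:
    """Constructed sample: sales.csv -(pid 20)-> summary.txt -(pid 30)-> archive.bin."""
    log = VersionedAuditLog()
    for pid, obj, op, data in [(10, "sales.csv", "write", b"v1"), (10, "sales.csv", "write", b"v2"),
                               (20, "sales.csv", "read", None), (20, "summary.txt", "write", b"sum"),
                               (30, "summary.txt", "read", None), (30, "archive.bin", "write", b"arc"),
                               (10, "sales.csv", "write", b"v3")]:  # v3 postdates archive.bin
        log.record(pid, obj, op, data)
    return log
```

Querying `causal_chain("archive.bin")` on the sample returns the writes at versions 1, 3 and 5 (the v3 write of sales.csv is excluded because it happened after pid 20 read the file), which is the what, when and how the abstract refers to.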
