Investigating the Implications of Virtual Machine Introspection for Digital Forensics

Researchers and practitioners in computer forensics currently must base their analysis on information that is either incomplete or produced by tools that may themselves have been compromised by the intrusion under investigation. The investigators' own techniques compound these problems. If the system is quiescent when examined, most of the information that was in memory has been lost. If the system is active, the kernel and the programs the investigators run on it are likely to influence the results and are therefore themselves suspect. Using virtual machines together with a technique called virtual machine introspection can help overcome these limits, but it introduces research challenges of its own. Recent developments in virtual machine introspection have led to the identification of four initial priority research areas: virtual machine introspection tool development, application of virtual machine introspection to non-quiescent virtual machines, covert operation of virtual machine introspection, and detection of virtual machine introspection.
