Evolution of traditional digital forensics in virtualization

Computer virtualization is not new; however, it has become increasingly important because of the many cost-saving advantages it offers businesses and individuals. A company can reduce maintenance, hardware, and energy costs by running virtualized servers on a single physical machine. Although virtualization offers these advantages, it introduces new challenges for current computer forensic techniques and for computer system defense tools. As more companies adopt this technology every year, malware and hacker attacks may come to affect virtualized systems just as they have affected physical systems in the past. The growth of virtualization has therefore created the need for a new generation of computer system defenses and computer forensic techniques that can effectively defend these systems before an attack or analyze them afterwards. Because of the way virtualization operates, new techniques for interacting with these systems have become available. These techniques increase the effectiveness of current forensic and system defense tools and make it possible to build new tools for defending or analyzing virtualized systems. Virtual Machine Introspection (VMI) is one such technique, and it has formed the basis of a number of novel approaches in the fields of Digital Forensics and Cybersecurity. In this paper, we present what VMI has offered to Digital Forensics and the new challenges it brings. We also discuss why traditional Digital Forensic techniques are not reliable for analyzing virtual machines once they have been attacked.
