ForenVisor: A Tool for Acquiring and Preserving Reliable Data in Cloud Live Forensics

Live forensics is an important technique in cloud security but is facing the challenge of reliability. Most of the live forensic tools in cloud computing run either in the target Operating System (OS), or as an extra hypervisor. The tools in the target OS are not reliable, since they might be deceived by the compromised OS. Furthermore, traditional general purpose hypervisors are vulnerable due to their huge code size. However, some modules of a general purpose hypervisor, such as device drivers, are indeed unnecessary for forensics. In this paper, we propose a special purpose hypervisor, called ForenVisor, which is dedicated to reliable live forensics. The reliability is improved in three ways: reducing Trusted Computing Base (TCB) size by leveraging a lightweight architecture, collecting evidence directly from the hardware, and protecting the evidence and other sensitive files with Filesafe module. We have implemented a proof-of-concept prototype on the Windows platform, which can acquire the process data, raw memory, and I/O data, such as keystrokes and network traffic. Furthermore, we evaluate ForenVisor in terms of code size, functionality, and performance. The experiment results show that ForenVisor has a relatively small TCB size of about 13 KLOC, and only causes less than 10 percent performance reduction to the target system. In particular, our experiments verify that ForenVisor can guarantee that the protected files remain untampered, even when the guest OS is compromised by viruses, such as ‘ILOVEYOU’ and Worm.WhBoy. Also, our system can be loaded as a hypervisor without needing to pause the target OS. This allows it to not only avoid destructing but also to gather the live evidence of the target OS. We also posted the source code of ForenVisor on Github.

[1]  Paul Lin,et al.  Towards a Formalization of Digital Forensics , 2009, IFIP Int. Conf. Digital Forensics.

[2]  Eugene H. Spafford,et al.  An Event-Based Digital Forensic Investigation Framework , 2004 .

[3]  Miao Yu,et al.  Enhanced Privilege Separation for Commodity Software on Virtualized Platform , 2010, 2010 IEEE 16th International Conference on Parallel and Distributed Systems.

[4]  Samee Ullah Khan,et al.  Modeling and Analysis of State-of-the-art VM-based Cloud Management Platforms , 2013, IEEE Transactions on Cloud Computing.

[5]  Wenke Lee,et al.  Ether: malware analysis via hardware virtualization extensions , 2008, CCS.

[6]  Adrian Perrig,et al.  TrustVisor: Efficient TCB Reduction and Attestation , 2010, 2010 IEEE Symposium on Security and Privacy.

[7]  Shigeru Chiba,et al.  HyperSpector: virtual distributed monitoring environments for secure intrusion detection , 2005, VEE '05.

[8]  Kim-Kwang Raymond Choo,et al.  Cloud Forensic Technical Challenges and Solutions: A Snapshot , 2014, IEEE Cloud Computing.

[9]  Kim-Kwang Raymond Choo,et al.  Cloud Storage Forensics , 2013, Contemporary Digital Forensic Investigations of Cloud and Mobile Applications.

[10]  William A. Arbaugh,et al.  FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory , 2006, Digit. Investig..

[11]  Zhi Wang,et al.  HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity , 2010, 2010 IEEE Symposium on Security and Privacy.

[12]  Brian D. Noble,et al.  When Virtual Is Better Than Real , 2001 .

[13]  Brian Hay,et al.  Forensics examination of volatile system data using virtual introspection , 2008, OPSR.

[14]  Udo Steinberg,et al.  NOVA: a microhypervisor-based secure virtualization architecture , 2010, EuroSys '10.

[15]  Rodney McKemmish,et al.  What is forensic computing , 1999 .

[16]  Muttukrishnan Rajarajan,et al.  A survey of intrusion detection techniques in Cloud , 2013, J. Netw. Comput. Appl..

[17]  Alan T. Sherman,et al.  Design and Implementation of FROST - Digital Forensic Tools for the OpenStack Cloud Computing Platform , 2016 .

[18]  Andrea C. Arpaci-Dusseau,et al.  VMM-based hidden process detection and identification using Lycosid , 2008, VEE '08.

[19]  Miao Yu,et al.  A Virtualization Based Monitoring System for Mini-intrusive Live Forensics , 2013, International Journal of Parallel Programming.

[20]  Gil Neiger,et al.  Intel virtualization technology , 2005, Computer.

[21]  Greg Hoglund,et al.  Rootkits: Subverting the Windows Kernel , 2005 .

[22]  Noureddine Boudriga,et al.  A System for Formal Digital Forensic Investigation Aware of Anti-Forensic Attacks , 2012, IEEE Transactions on Information Forensics and Security.

[23]  Xuxian Jiang,et al.  "Out-of-the-Box" Monitoring of VM-Based High-Interaction Honeypots , 2007, RAID.

[24]  Carl A. Waldspurger,et al.  Memory resource management in VMware ESX server , 2002, OSDI '02.

[25]  Kazuhiko Kato,et al.  Hypervisor-based prevention of persistent rootkits , 2010, SAC '10.

[26]  Kevin Borders,et al.  Towards protecting sensitive files in a compromised system , 2005, Third IEEE International Security in Storage Workshop (SISW'05).

[27]  Kim-Kwang Raymond Choo,et al.  An integrated conceptual digital forensic framework for cloud computing , 2012, Digit. Investig..

[28]  Jonathon T. Giffin,et al.  2011 IEEE Symposium on Security and Privacy Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection , 2022 .

[29]  Shigeru Chiba,et al.  BitVisor: a thin hypervisor for enforcing i/o device security , 2009, VEE '09.

[30]  James Newsome,et al.  Design, Implementation and Verification of an eXtensible and Modular Hypervisor Framework , 2013, 2013 IEEE Symposium on Security and Privacy.

[31]  Zhi Wang,et al.  Comprehensive and Efficient Protection of Kernel Control Data , 2011, IEEE Transactions on Information Forensics and Security.

[32]  Samuel T. King,et al.  Detecting past and present intrusions through vulnerability-specific predicates , 2005, SOSP '05.

[33]  Rajkumar Buyya,et al.  Article in Press Future Generation Computer Systems ( ) – Future Generation Computer Systems Cloud Computing and Emerging It Platforms: Vision, Hype, and Reality for Delivering Computing as the 5th Utility , 2022 .

[34]  Rami Rosen,et al.  Linux containers and the future cloud , 2014 .

[35]  Liviu Iftode,et al.  Monitoring Integrity Using Limited Local Memory , 2013, IEEE Transactions on Information Forensics and Security.

[36]  Lorenzo Martignoni,et al.  Live and Trustworthy Forensic Analysis of Commodity Production Systems , 2010, RAID.

[37]  Fabian Monrose,et al.  Trail of bytes: efficient support for forensic analysis , 2010, CCS '10.

[38]  Tal Garfinkel,et al.  A Virtual Machine Introspection Based Architecture for Intrusion Detection , 2003, NDSS.

[39]  David L. Black,et al.  Microkernel operating system architecture and Mach , 1991 .

[40]  Abhinav Srivastava,et al.  Robust signatures for kernel data structures , 2009, CCS.

[41]  Kim-Kwang Raymond Choo,et al.  Distributed filesystem forensics: XtreemFS as a case study , 2014, Digit. Investig..

[42]  Helen J. Wang,et al.  SubVirt: implementing malware with virtual machines , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[43]  Miao Yu,et al.  Vis: virtualization enhanced live acquisition for native system , 2011, APSys.

[44]  Zhi Wang,et al.  HyperSentry: enabling stealthy in-context measurement of hypervisor integrity , 2010, CCS '10.

[45]  Kim-Kwang Raymond Choo,et al.  Google Drive: Forensic analysis of data remnants , 2014, J. Netw. Comput. Appl..