A Virtualization Based Monitoring System for Mini-intrusive Live Forensics

Digital evidence holds great significance for governing cybercrime. Unfortunately, previous acquisition tools suffered from either the shortcoming of suspending the target system's execution or the insecurity of the acquisition tools themselves, so the correctness and accuracy of the evidence they obtain cannot be guaranteed. In this paper, we propose VAIL, a novel virtualization-based monitoring system for mini-intrusive live forensics, which employs hardware-assisted virtualization to gather integrated information from the native computer system. Meanwhile, the execution of the target system is not interrupted, and VAIL remains immune to attacks from the target system. We have implemented a proof-of-concept prototype that has been validated with a Windows guest system. The experimental results show that VAIL can obtain comprehensive digital evidence from the target system as designed, including the CPU state, the physical memory content, and the I/O activities. On average, VAIL introduces only 4.21% performance overhead to the target system, which shows that VAIL is practical in real commercial environments.
