Forensics examination of volatile system data using virtual introspection

While static examination of computer systems is an important part of many digital forensics investigations, there are often important system properties present only in volatile memory that cannot be effectively recovered using static analysis techniques, such as offline hard disk acquisition and analysis. An alternative approach, involving the live analysis of target systems to uncover this volatile data, presents significant risks and challenges to forensic investigators as observation techniques are generally intrusive and can affect the system being observed. This paper provides a discussion of live digital forensics analysis through virtual introspection and presents a suite of virtual introspection tools developed for Xen (VIX tools). The VIX tools suite can be used for unobtrusive digital forensic examination of volatile system data in virtual machines, and addresses a key research area identified in the virtualization in digital forensics research agenda [22].

[1] Michael W. Hicks et al. Automated detection of persistent kernel control-flow attacks. CCS '07, 2007.

[2] Yoshiyasu Takefuji et al. Towards a tamper-resistant kernel rootkit detector. SAC '07, 2007.

[3] T. D. Sterling et al. Access to data. Science, 1971.

[4] Wenke Lee et al. A layered approach to simplified access control in virtualized systems. OPSR, 2007.

[5] Tal Garfinkel et al. A Virtual Machine Introspection Based Architecture for Intrusion Detection. NDSS, 2003.

[6] Adrian Perrig et al. SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. SOSP, 2007.

[7] Mendel Rosenblum et al. The Reincarnation of Virtual Machines. ACM Queue, 2004.

[8] David Lie et al. Manitou: a layer-below approach to fighting malware. ASID '06, 2006.

[9] Shigeru Chiba et al. HyperSpector: virtual distributed monitoring environments for secure intrusion detection. VEE '05, 2005.

[10] Joe Grand et al. A hardware-based memory acquisition procedure for digital investigations. Digital Investigation, 2004.

[11] David Lie et al. Using VMM-based sensors to monitor honeypots. VEE '06, 2006.

[12] Ronald C. Dodge et al. Virtualization and Digital Forensics: A Research and Education Agenda. Journal of Digital Forensic Practice, 2008.

[13] David Brown et al. The Virtualization Reality. ACM Queue, 2006.

[14] Xuxian Jiang et al. Towards a VMM-based usage control framework for OS kernel integrity protection. SACMAT '07, 2007.

[15] Xuxian Jiang et al. Stealthy malware detection through VMM-based "out-of-the-box" semantic view reconstruction. CCS '07, 2007.