Evolution of digital forensics in virtualization by using virtual machine introspection

Computer virtualization is not a new technology, but it has become increasingly important because of the many advantages it offers businesses and individuals in reducing costs, while introducing new challenges to the field of digital forensics. As virtualization continues to be adopted by more companies every year, malware and hacker attacks will have an increasing effect on virtualized systems. The growth of virtualization has therefore created the need for a new generation of computer forensic tools and techniques to analyze these compromised systems. Because of this rapid growth, new techniques for interacting with virtual systems have been developed, some of which reduce the limitations traditional forensics tools face when analyzing a virtual system. Virtual Machine Introspection (VMI) is one such technique, and it has formed the basis for a number of novel approaches in the fields of cyber security and digital forensics. This paper explores how VMI improves on traditional digital forensics and overcomes its shortcomings when used to investigate virtual machines, especially during live analysis of the machine.
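To make concrete what a VMI-based live analysis does differently from an in-guest tool, the following is an added example (not code from the paper or from any VMI project): an introspector that reads a guest's raw memory from outside the VM and reconstructs its process list. The guest memory image and the 32-byte task record layout (magic, pid, next pointer, name) are constructed for this example and are not a real kernel's structures; a real introspector would use the guest OS's actual symbol offsets. The example also carries the idea one step further than the abstract and shows the cross-view check a forensic tool gains from hypervisor-level access: the list walk (what an in-guest tool would report) is compared against a physical-memory scan for task records, so a record that is present in memory but unlinked from the list shows up as hidden.

```python
import struct

# Toy guest task record (constructed for this example; NOT a real kernel's task_struct):
#   0x00  magic   4 bytes   b"TASK"
#   0x04  pid     4 bytes   little-endian uint32
#   0x08  next    8 bytes   guest-physical address of the next task (circular list)
#   0x10  name    16 bytes  NUL-padded ASCII
TASK_MAGIC = b"TASK"
TASK_FMT = "<4sIQ16s"
TASK_SIZE = struct.calcsize(TASK_FMT)  # 32 bytes, no padding with "<"

def write_task(mem, addr, pid, next_addr, name):
    """Place one task record into the constructed guest memory image."""
    struct.pack_into(TASK_FMT, mem, addr, TASK_MAGIC, pid, next_addr,
                     name.encode().ljust(16, b"\0"))

def build_guest_memory():
    """Constructed 4 KiB guest-physical memory snapshot with three linked tasks
    and one record that exists in memory but has been unlinked from the list."""
    mem = bytearray(4096)
    write_task(mem, 0x100, 1, 0x200, "init")
    write_task(mem, 0x200, 2, 0x300, "sshd")
    write_task(mem, 0x300, 3, 0x100, "bash")     # closes the circular list
    write_task(mem, 0x400, 4, 0x400, "hidden")   # not reachable from the list head
    return bytes(mem)

def read_task(mem, addr):
    """Decode one task record at a guest-physical address (hypervisor-side view)."""
    magic, pid, nxt, name = struct.unpack_from(TASK_FMT, mem, addr)
    if magic != TASK_MAGIC:
        raise ValueError(f"no task record at {addr:#x}")
    return pid, nxt, name.rstrip(b"\0").decode()

def walk_task_list(mem, head, limit=1024):
    """Follow the next pointers from the list head, exactly as an in-guest
    process listing would. Stops on a cycle or after `limit` entries so a
    corrupted pointer chain cannot loop forever."""
    seen, out, addr = set(), [], head
    while addr not in seen and len(out) < limit:
        seen.add(addr)
        pid, nxt, name = read_task(mem, addr)
        out.append((pid, name))
        addr = nxt
    return out

def scan_for_tasks(mem, align=16):
    """Out-of-guest view: scan all of physical memory for task records by
    signature, independent of any list the guest kernel maintains."""
    out = []
    for addr in range(0, len(mem) - TASK_SIZE + 1, align):
        if mem[addr:addr + 4] == TASK_MAGIC:
            pid, _, name = read_task(mem, addr)
            out.append((pid, name))
    return out

def cross_view_hidden(mem, head):
    """Tasks found by the memory scan but absent from the linked list:
    the discrepancy a VMI-based forensic tool reports as a hidden process."""
    listed = set(walk_task_list(mem, head))
    return [t for t in scan_for_tasks(mem) if t not in listed]

if __name__ == "__main__":
    guest = build_guest_memory()
    print("list walk :", walk_task_list(guest, 0x100))
    print("mem scan  :", scan_for_tasks(guest))
    print("hidden    :", cross_view_hidden(guest, 0x100))
```

The point of the two views is that everything here runs on a copy of guest memory obtained from the hypervisor, so the analysis never depends on code or data paths inside a guest that may already be compromised; the semantic-gap cost is that the introspector must know the guest's structure layouts, which is why real tools rely on per-kernel profiles rather than the fixed offsets used in this toy.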
