Abstract
Current forensic investigations have to process a large amount of collected data in a limited time. Moreover, we need to ensure that collected data are not compromised before suspects' computers are seized. To protect evidence on important computers, this paper proposes a lightweight hypervisor that supports proactive collection and preservation of I/O logs. The proposed WaybackVisor automatically transfers all I/O logs of ATA drives to a Hadoop cluster. Our experiment showed that the prototype implementation of WaybackVisor achieves a write throughput of 79.7 MB/s. This paper also demonstrates timeline analysis functions for the I/O logs on the Hadoop cluster. Finally, we compare the proposed WaybackVisor with similar lightweight hypervisors that support live forensics.
Acknowledgments
The authors thank Dr. Suguru Yamaguchi for his longstanding support for this research project. The authors thank developers and contributors of BitVisor. The authors would like to thank the anonymous reviewers for their valuable comments and suggestions. This work was supported by JSPS KAKENHI Grant Number JP26330168 and JP17K00198.
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Hirano, M., Tsuzuki, T., Ikeda, S., Taka, N., Fujiwara, K., Kobayashi, R. (2017). WaybackVisor: Hypervisor-Based Scalable Live Forensic Architecture for Timeline Analysis. In: Wang, G., Atiquzzaman, M., Yan, Z., Choo, KK. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2017. Lecture Notes in Computer Science(), vol 10658. Springer, Cham. https://doi.org/10.1007/978-3-319-72395-2_21
DOI: https://doi.org/10.1007/978-3-319-72395-2_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-72394-5
Online ISBN: 978-3-319-72395-2
eBook Packages: Computer Science, Computer Science (R0)