Abstract
Memory forensics is the branch of computer forensics that aims at extracting artifacts from memory snapshots taken from a running system. Even though it is a relatively recent field, it is rapidly growing and it is attracting considerable attention from both industrial and academic researchers.
In this paper, we present a set of techniques to extend the field of memory forensics toward the analysis of hypervisors and virtual machines. With the increasing adoption of virtualization techniques (both as part of the cloud and in normal desktop environments), we believe that memory forensics will soon play a very important role in many investigations that involve virtual environments.
Our approach, implemented in an open source tool as an extension of the Volatility framework, is designed to detect both the existence and the characteristics of any hypervisor that uses the Intel VT-x technology. It also supports the analysis of nested virtualization and is able to infer the hierarchy of multiple hypervisors and virtual machines. Finally, using the techniques presented in this paper, our tool can reconstruct the address space of a virtual machine so that any existing Volatility plugin can be run against it transparently, allowing analysts to reuse their code for the analysis of virtual environments.
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Graziano, M., Lanzi, A., Balzarotti, D. (2013). Hypervisor Memory Forensics. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_2
DOI: https://doi.org/10.1007/978-3-642-41284-4_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41283-7
Online ISBN: 978-3-642-41284-4