
A Virtualization Based Monitoring System for Mini-intrusive Live Forensics

International Journal of Parallel Programming

Abstract

Digital evidence is of great significance for governing cybercrime. Unfortunately, previous acquisition tools have been troubled either by the need to suspend the target system's execution or by the insecurity of the acquisition tools themselves, so the correctness and accuracy of the evidence they obtain cannot be guaranteed. In this paper, we propose VAIL, a novel virtualization based monitoring system for mini-intrusive live forensics, which employs hardware assisted virtualization to gather integrated information from the native computer system. Meanwhile, the execution of the target system is not interrupted, and VAIL remains immune to attacks from the target system. We have implemented a proof-of-concept prototype and validated it with a Windows guest system. The experimental results show that VAIL obtains comprehensive digital evidence from the target system as designed, including the CPU state, the physical memory content, and the I/O activities. On average, VAIL introduces only 4.21 % performance overhead to the target system, which proves that VAIL is practical in real commercial environments.



Acknowledgments

This work is supported by the Program for PCSIRT and NCET of MOE, NSFC (No. 61073151, 61272101), the key program (No. 313035) of MOE, and International Cooperation Program (No. 11530700500, 2011DFA10850), and Singapore NRF CREATE S2E2 Program.

Author information


Correspondence to Xianming Zhong.

Cite this article

Zhong, X., Xiang, C., Yu, M. et al. A Virtualization Based Monitoring System for Mini-intrusive Live Forensics. Int J Parallel Prog 43, 455–471 (2015). https://doi.org/10.1007/s10766-013-0285-2
