Vis: Virtualization enhanced live forensics acquisition for native system

https://doi.org/10.1016/j.diin.2012.04.002Get rights and content

Abstract

Current live acquisition systems can obtain memory content of a running system, but they either fail to provide accurate native system physical memory acquisition at the given time point or require suspending the machine and altering the execution environment drastically. To address this issue, we propose Vis, a lightweight virtualization approach to provide accurate retrieval of physical memory content without disturbing the execution of the target native system. Our experimental results indicate that Vis is capable of reliably retrieving an accurate system image. Moreover, Vis accomplishes live acquisition in around 100 s, where previous remote live acquisition tools take hours and static acquisition takes days. On average, the performance reduction for the target system is 9.62%.

Introduction

After forensic scope and media are determined, a typical computer forensics scenario has three steps: acquisition, analyzing and reporting (Yen et al., 2009; Carrier, 2002). In the first two stages, there are two key challenges: how to obtain the complete system state and how to analyze the retrieved image effectively (Peisert et al., 2008). Not getting an image of memory content leads to an incomplete or incorrect investigation result, even with an excellent analyzing technology.

Going beyond static acquisition strategies, live acquisition extends the information gathering range of a forensics examiner, allowing volatile data to be acquired. Consider criminal evidence being stored on a permanent I/O device only (Carrier, 2005); most static acquisition tools, like Encase (Giudeware Software Inc, 2001) and FTK (AccessData Group, 2003), clone the disk offline to accurately obtain the evidence. Data which exist only in volatile memory without disk correspondence are totally beyond the acquisition scope of static acquisition tools. To address such issues, the requirement of live acquisition becomes essential. Live acquisition tools can extract the volatile data in the memory of the target system without blocking it. These data include process information (Buchhloz, 2005), process list (Hay and Nance, 2008), kernel objects (Dolan-Gavitt et al., 2009) and raw memory content (Ando et al., 2007; Savoldi and Gubian, 2008), which may be leveraged to record and reproduce the criminal scene.

Based on their architecture, previous software live acquisition solutions can be divided into two categories. The first is Virtualization Introspection, which means the target system is wrapped in a Virtual Machine (VM) while the acquisition module exists in a hypervisor like Xen (Barham et al., 2003). VIX tools (Hay and Nance, 2008), Ruo's work (Ando et al., 2007), Srinivas's work (Krishnan et al., 2010) and BodySnatcher (Schatz, 2007) all belong to this type. The second type is Non-Virtualization Introspection. It is designed to obtain indicated volatile system state with a minimal environment impact. Iain et al. (Sutherland et al., 2008) list several practical tools for different scenarios, including Win32dd (MoonSols, 2008), KnTTools (GMG Systems Inc, 2005) and Fport (McAfee Inc, 2005). Memoryze (Mandiant Corporation, 2008) is another popular user process forensic tool of this type.

While it can unearth a tremendous volume of volatile data, live acquisition also faces significant challenges and risks. The first challenge is that previous virtualization-based live acquisition methods alter the system environment significantly (Barham et al., 2003; Schatz, 2007). The reason is that many previous approaches required loading a hypervisor prior to the launching of the operating system (OS) (Ando et al., 2007; Hay and Nance, 2008; Krishnan et al., 2010). When employing this method on a non-virtualized host, the forensic examiners change the system environment. In the extreme case, rebooting or even reinstalling the whole system is required, thus causing a great loss of information from volatile memory.

The second challenge arises from the fact that the system is not static (Adelstein, 2006). Contents in physical memory change with the running processes, making in-OS live acquisition methods unable to guarantee the accuracy of the retrieved physical memory content at the given time point without suspending the machine. However, ideal suspending functionality would require hardware support (Hay et al., 2009). Also, it is difficult to dump physical memory accurately by manipulating the page tables, because the possible existence of hidden processes makes it tough to actively trace all working page tables. As a result, practical in-OS live acquisition tools, like Win32dd and Memoryze, never consider complete result accuracy as one of their design goals.

This paper builds on our prior acquisition system, which is named Vis (Miao et al., 2011). Our previous work presents the design and implementation of Vis, proves its acquisition reliability and evaluates its performance in live acquisition scenarios. In this paper, we try to balance effectiveness and applicability by introducing a new idea about Synchronized Writes and Unsynchronized Writes. The experimental results show that Vis dumps polluted content with inappropriate buffer sizes. Also, we propose optimization techniques to minimize Vis's performance impact on the target OS and give the corresponding evaluation result. In addition, more related work and more detailed evaluation of Win32dd are included.

The evaluation results show that even with a high pollution rate during the acquisition period, Vis can still ensure accuracy while preserving the target system execution. Vis is able to retrieve an accurate system image in 105.86 s comparing with a range of 17–76 s for Win32dd, and 18 min for Hypersleuth on a 1 Gbps network. Meanwhile, it only imposes a 9.62% performance overhead on existing applications. These results prove that Vis has practical value in real world applications.

The rest of the paper is organized as follows. Section 2 presents Vis's design model and assumptions. Section 3 provides the implementation details and related discussions, while Section 4 evaluates Vis through experiments. We survey related work in Section 5, then discuss future work and conclude in Section 6.

Section snippets

Design

We propose two key techniques termed Late-Virtualization and Virtual-Snapshot, to fulfill the design requirements of Vis.

Implementation

We have implemented a prototype of Vis and applied it to live acquisition from a Windows 7 x86 system. Currently, Vis leverages Intel VT technology (Intel, 2007) to provide the necessary hardware virtualization functionality. The Late-Virtualization is implemented by directly using the virtual machine extensions to build the underlying hypervisor. For Virtual-Snapshot, we employ Intel's Extended Page Table (EPT) technology (Intel, 2007) (We use EPT to mean Extended Page Table instead of the

Evaluation

The current Vis implementation realizes its design goals described in earlier sections. All experiments are conducted on a Dell Optiplex 980 MT host with a 3.2 GHz Intel i5-650 processor, 2 GB RAM and a gigabit ethernet card. We enable the uniprocessor setting in Windows 7 x86 in our experiments. In this section, we first analytically examine the accurate live acquisition guarantees provided by Vis. Then we present its overall performance as well as the performance impact on the target system.

Related work

Live acquisition has been studied for several years. Previous live acquisition approaches can be divided into two categories: Software Acquisition and Hardware Acquisition. As introduced in Section 1, in the field of software acquisition, prior approaches include Virtualization Introspection and In-OS State Fetching. Leveraging Xen to construct an isolated introspection environment, VIX tools (Hay and Nance, 2008) and Srinivas's work (Krishnan et al., 2010) are examples of Virtualization

Future work and conclusion

Though Vis is already practical in real world scenarios, some meaningful extensions are still needed to strengthen its capability. The first extension is attestation of the acquisition result in Vis. Attesting the obtained result ensures its integrity and this is required in the reporting step. The second extension is permitting results to be output to non-local disk, for example, removable media or remote systems. With this feature, it is possible to include accurate dumping of disk contents

References (47)

  • B.D. Carrier et al.

    A hardware-based memory acquisition procedure for digital investigations

    Digital Investigation

    (2004)
  • B. Schatz

    Bodysnatcher: towards reliable volatile memory acquisition by software

    Digital Investigation

    (2007)
  • AccessData Group

    FTK

    (2003)
  • K. Adams et al.

    A comparison of software and hardware techniques for x86 virtualization

  • F. Adelstein

    Live forensics: diagnosing your system without killing it first

    Communications of the ACM

    (February 2006)
  • R. Ando et al.

    Asynchronous pseudo physical memory snapshot and forensics on paravirtualized vmm using split kernel module

  • P. Barham et al.

    Xen and the art of virtualization

  • M. Ben-Yehuda et al.

    The turtles project: design and implementation of nested virtualization

  • A. Boileau

    Hit by a bus: physical access attacks with firewire

  • Buchholz, F.. Pervasive binding of labels to system processes. PhD thesis, Purdue University;...
  • B. Carrier

    Defining digital forensic examination and analysis tools

    International Journal of Digital Evidence

    (2002)
  • B. Carrier

    File system forensic analysis

    (2005)
  • B.D. Carrier

    Risks of live digital forensic analysis

    Communications of the ACM

    (2006)
  • X. Chen et al.

    Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems

  • K.B. Chris Drake

    PANIC! UNIX system crash dump analysis handbook

    (1995)
  • P. Colp et al.

    Vm snapshots

    (Feb 2009)
  • B. Dolan-Gavitt et al.

    Robust signatures for kernel data structures

  • T. Garfinkel et al.

    A virtual machine introspection based architecture for intrusion detection

  • A. Gavrilovska et al.

    High performance hypervisor architectures: virtualization in hpc systems

  • GMG Systems, Inc

    KnTTools

    (2005)
  • V. Goyal et al.

    Kdump, a kexec based kernel crash dumping mechanism

  • Guidance Software, Inc

    EnCase

    (2001)
  • B. Hay et al.

    Forensics examination of volatile system data using virtual introspection

    SIGOPS Operating. Systems Review

    (April 2008)
  • Cited by (0)

    View full text