Vis: Virtualization enhanced live forensics acquisition for native system
Introduction
After forensic scope and media are determined, a typical computer forensics scenario has three steps: acquisition, analyzing and reporting (Yen et al., 2009; Carrier, 2002). In the first two stages, there are two key challenges: how to obtain the complete system state and how to analyze the retrieved image effectively (Peisert et al., 2008). Not getting an image of memory content leads to an incomplete or incorrect investigation result, even with an excellent analyzing technology.
Going beyond static acquisition strategies, live acquisition extends the information gathering range of a forensics examiner, allowing volatile data to be acquired. Consider criminal evidence being stored on a permanent I/O device only (Carrier, 2005); most static acquisition tools, like Encase (Giudeware Software Inc, 2001) and FTK (AccessData Group, 2003), clone the disk offline to accurately obtain the evidence. Data which exist only in volatile memory without disk correspondence are totally beyond the acquisition scope of static acquisition tools. To address such issues, the requirement of live acquisition becomes essential. Live acquisition tools can extract the volatile data in the memory of the target system without blocking it. These data include process information (Buchhloz, 2005), process list (Hay and Nance, 2008), kernel objects (Dolan-Gavitt et al., 2009) and raw memory content (Ando et al., 2007; Savoldi and Gubian, 2008), which may be leveraged to record and reproduce the criminal scene.
Based on their architecture, previous software live acquisition solutions can be divided into two categories. The first is Virtualization Introspection, which means the target system is wrapped in a Virtual Machine (VM) while the acquisition module exists in a hypervisor like Xen (Barham et al., 2003). VIX tools (Hay and Nance, 2008), Ruo's work (Ando et al., 2007), Srinivas's work (Krishnan et al., 2010) and BodySnatcher (Schatz, 2007) all belong to this type. The second type is Non-Virtualization Introspection. It is designed to obtain indicated volatile system state with a minimal environment impact. Iain et al. (Sutherland et al., 2008) list several practical tools for different scenarios, including Win32dd (MoonSols, 2008), KnTTools (GMG Systems Inc, 2005) and Fport (McAfee Inc, 2005). Memoryze (Mandiant Corporation, 2008) is another popular user process forensic tool of this type.
While it can unearth a tremendous volume of volatile data, live acquisition also faces significant challenges and risks. The first challenge is that previous virtualization-based live acquisition methods alter the system environment significantly (Barham et al., 2003; Schatz, 2007). The reason is that many previous approaches required loading a hypervisor prior to the launching of the operating system (OS) (Ando et al., 2007; Hay and Nance, 2008; Krishnan et al., 2010). When employing this method on a non-virtualized host, the forensic examiners change the system environment. In the extreme case, rebooting or even reinstalling the whole system is required, thus causing a great loss of information from volatile memory.
The second challenge arises from the fact that the system is not static (Adelstein, 2006). Contents in physical memory change with the running processes, making in-OS live acquisition methods unable to guarantee the accuracy of the retrieved physical memory content at the given time point without suspending the machine. However, ideal suspending functionality would require hardware support (Hay et al., 2009). Also, it is difficult to dump physical memory accurately by manipulating the page tables, because the possible existence of hidden processes makes it tough to actively trace all working page tables. As a result, practical in-OS live acquisition tools, like Win32dd and Memoryze, never consider complete result accuracy as one of their design goals.
This paper builds on our prior acquisition system, which is named Vis (Miao et al., 2011). Our previous work presents the design and implementation of Vis, proves its acquisition reliability and evaluates its performance in live acquisition scenarios. In this paper, we try to balance effectiveness and applicability by introducing a new idea about Synchronized Writes and Unsynchronized Writes. The experimental results show that Vis dumps polluted content with inappropriate buffer sizes. Also, we propose optimization techniques to minimize Vis's performance impact on the target OS and give the corresponding evaluation result. In addition, more related work and more detailed evaluation of Win32dd are included.
The evaluation results show that even with a high pollution rate during the acquisition period, Vis can still ensure accuracy while preserving the target system execution. Vis is able to retrieve an accurate system image in 105.86 s comparing with a range of 17–76 s for Win32dd, and 18 min for Hypersleuth on a 1 Gbps network. Meanwhile, it only imposes a 9.62% performance overhead on existing applications. These results prove that Vis has practical value in real world applications.
The rest of the paper is organized as follows. Section 2 presents Vis's design model and assumptions. Section 3 provides the implementation details and related discussions, while Section 4 evaluates Vis through experiments. We survey related work in Section 5, then discuss future work and conclude in Section 6.
Section snippets
Design
We propose two key techniques termed Late-Virtualization and Virtual-Snapshot, to fulfill the design requirements of Vis.
Implementation
We have implemented a prototype of Vis and applied it to live acquisition from a Windows 7 x86 system. Currently, Vis leverages Intel VT technology (Intel, 2007) to provide the necessary hardware virtualization functionality. The Late-Virtualization is implemented by directly using the virtual machine extensions to build the underlying hypervisor. For Virtual-Snapshot, we employ Intel's Extended Page Table (EPT) technology (Intel, 2007) (We use EPT to mean Extended Page Table instead of the
Evaluation
The current Vis implementation realizes its design goals described in earlier sections. All experiments are conducted on a Dell Optiplex 980 MT host with a 3.2 GHz Intel i5-650 processor, 2 GB RAM and a gigabit ethernet card. We enable the uniprocessor setting in Windows 7 x86 in our experiments. In this section, we first analytically examine the accurate live acquisition guarantees provided by Vis. Then we present its overall performance as well as the performance impact on the target system.
Related work
Live acquisition has been studied for several years. Previous live acquisition approaches can be divided into two categories: Software Acquisition and Hardware Acquisition. As introduced in Section 1, in the field of software acquisition, prior approaches include Virtualization Introspection and In-OS State Fetching. Leveraging Xen to construct an isolated introspection environment, VIX tools (Hay and Nance, 2008) and Srinivas's work (Krishnan et al., 2010) are examples of Virtualization
Future work and conclusion
Though Vis is already practical in real world scenarios, some meaningful extensions are still needed to strengthen its capability. The first extension is attestation of the acquisition result in Vis. Attesting the obtained result ensures its integrity and this is required in the reporting step. The second extension is permitting results to be output to non-local disk, for example, removable media or remote systems. With this feature, it is possible to include accurate dumping of disk contents
References (47)
- et al.
A hardware-based memory acquisition procedure for digital investigations
Digital Investigation
(2004) Bodysnatcher: towards reliable volatile memory acquisition by software
Digital Investigation
(2007)FTK
(2003)- et al.
A comparison of software and hardware techniques for x86 virtualization
Live forensics: diagnosing your system without killing it first
Communications of the ACM
(February 2006)- et al.
Asynchronous pseudo physical memory snapshot and forensics on paravirtualized vmm using split kernel module
- et al.
Xen and the art of virtualization
- et al.
The turtles project: design and implementation of nested virtualization
Hit by a bus: physical access attacks with firewire
- Buchholz, F.. Pervasive binding of labels to system processes. PhD thesis, Purdue University;...