Forensics examination of volatile system data using virtual introspection

Operating Systems Review (ACM)

Volumn 42, Issue 3, 2008, Pages 74-82

  Hay, Brian ^a   Nance, Kara ^a  

^a University of Alaska Fairbanks   (United States)

Author keywords

Digital forensics; Virtual introspection; Virtual machine monitor; VIX

Indexed keywords

ALTERNATIVE APPROACH; DIGITAL FORENSIC; HARD DISKS; OBSERVATION TECHNIQUES; OFFLINE; RESEARCH AGENDA; RESEARCH AREAS; SYSTEM PROPERTY; TARGET SYSTEMS; VIRTUAL MACHINE MONITORS; VIRTUAL MACHINES; VIRTUALIZATIONS; VOLATILE DATA; VOLATILE MEMORY;

ELECTRONIC CRIME COUNTERMEASURES;

COMPUTER CRIME;

EID: 54049127315     PISSN: 01635980     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1368506.1368517     Document Type: Conference Paper

References (35)

1. Access Data. Retrieved August 10, 2007 from http://www.accessdata.com
2. nd ACM/USENIX International Conference on Virtual Execution Environments (VEE 2006), June, 2006.
3. Beyond the CPU: Defeating Hardware Based RAM Acquisition. Retrieved November 15, 2007 from http://i.i.com.com/cnwk.1d/i/z/200701/bh-dc-07- Rutkowskappt.pdf
4. Carrier, B., and Grand, J. A hardware-based memory acquisition procedure for digital investigations. The International Journal of Digital Forensics & Incident Response. Retrieved November 15, 2007 from www.sciencedirect.com.
5. Crosby, S., and Brown, D. (2006). The Virtualization Reality. ACM Queue, December/January 2006-2007, pp. 34-41
6. Data Center Management Research Report September 2007. Retrieved November 15, 2007 from http://www.novell.com/products/zenworks/orchestrator/data-center- research-report-sep2007.pdf
7. Garfinkel, T. and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the 10th Annual Symposium on Network and Distributed System Security (NDSS 2003), pages 191-206, Feb. 2003.
8. Grand Ideas Studio: Tribble. Retrieved November 15, 2007 from http://www.grandideastudio.com/src/portfolio.php?cat=&prod=14
9. Guidance Software, Inc. EnCase. Retrieved August 10, 2007 from http://www.guidancesoftware.com/
10. Hit by a Bus: Physical Access Attacks with Firewire. http://www.security- assessment.com/files/presentations/ab-firewire-rux2k6-final.pdf
11. Introducing Blue Pill. Retrieved November 15, 2007 from http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html
12. Jiang, X., Wang, X., and Xu, D. 2007. Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction. In Proceedings of the 14th ACM Conference on Computer and Communications Security (Alexandria, Virginia, USA, October 28 - 31, 2007). CCS '07. ACM, New York, NY, 128-138. DOI=http://doi.acm.org/10.1145/1315245.1315262
13. Kernel based Virtual Machine. Retrieved November 18, 2007 from http://kvm.qumranet.com/kvmwiki.
14. Kourai, K. and Chiba, S. 2005. HyperSpector: virtual distributed monitoring environments for secure intrusion detection. In Proceedings of the 1st ACM/USENIX international Conference on Virtual Execution Environments (Chicago, IL, USA, June 11 - 12, 2005). VEE '05. ACM, New York, NY, 197-207. DOI=http://doi.acm.org/10.1145/1064979.1065006 (Pubitemid 43195515)
15. Litty, L. and Lie, D. 2006. Manitou: a layer-below approach to fighting malware. In Proceedings of the 1st Workshop on Architectural and System Support For Improving Software Dependability (San Jose, California, October 21 - 21, 2006). ASID '06. ACM, New York, NY, 6-11. DOI=http://doi.acm.org/10.1145/ 1181309.1181311
16. Microsoft Virtual PC Server. Retrieved July 15, 2007 from http://www.microsoft.com/windows/products/wi
17. National Security Agency Central Security Service - Technology Profile Fact Sheet. Retrieved November 15, 2007 from http://www.nsa.gov/techtrans/ techt00011.cfm
18. Parallels. Retrieved July 25, 2007 from http://www.parallels.com/
19. ParavirtBenefits. Retrieved November 15, 2007 from http://virt. kernelnewbies.org/ParavirtBenefits
20. Payne, B. D., Sailer, R., Cáceres, R., Perez, R., and Lee, W. 2007. A layered approach to simplified access control in virtualized systems. SIGOPS Oper. Syst. Rev. 41, 4 (Jul. 2007), 12-19. DOI= http://doi.acm.org/10. 1145/1278901.1278905
21. Petroni, N. L. and Hicks, M. 2007. Automated detection of persistent kernel control-flow attacks. In Proceedings of the 14th ACM Conference on Computer and Communications Security (Alexandria, Virginia, USA, October 28 - 31, 2007). CCS '07. ACM, New York, NY, 103-115. DOI=http://doi.acm.org/10.1145/ 1315245.1315260
22. Pollitt, M., Nance, K., Hay, B., Dodge, R., Craiger, P., Burke, P., Marberry, C., and Brubaker, B. Virtualization and Digital Forensics: A Research and Education Agenda in Journal of Digital Forensic Practice. Taylor & Francis, Philadelphia, PA. (in press)
23. QEMU. Open Source Process Emulator. Retrieved on November 18, 2007 from http://fabrice.bellard.free.fr/qemu/.
24. Quynh, N. A. and Takefuji, Y. 2007. Towards a tamperresistant kernel rootkit detector. In Proceedings of the 2007 ACM Symposium on Applied Computing (Seoul, Korea, March 11 - 15, 2007). SAC '07. ACM, New York, NY, 276-283. DOI= http://doi.acm.org/10.1145/1244002.1244070 (Pubitemid 47568299)
25. Red Hat Enterprise Linux 5 - Virtualization. Retrieved November 15, 2007 from http://www.redhat.com/rhel/virtualization/
26. Rosenblum, M. 2004. The Reincarnation of Virtual Machines. Queue 2, 5 (Jul. 2004), 34-40.
27. Seshadri, A., Luk, M., Qu, N., and Perrig, A. 2007. SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In Proceedings of Twenty-First ACM SIGOPS Symposium on Operating Systems Principles (Stevenson, Washington, USA, October 14 - 17, 2007). SOSP '07. ACM, New York, NY, 335-350. DOI=http://doi.acm.org/10.1145/1294261.1294294
28. SLES 10 - Novell Virtualization Technology. Retrieved November 15, 2007 from http://www.novell.com/documentation/vmserver/pdfdoc/virtualization-basic/ virtualization-basics.pdf
29. UNIX man pages: ps. Retrieved November 15, 2007 from http://unixhelp.ed. ac.uk/CGI/man-cgi?ps
30. VMware. Retrieved November 18, 2007 from http://www.vmware.com.
31. VMware White Paper: Understanding Full Virtualization, Paravirtualization, and Hardware Assist. Retrieved November 15, 2007 from http://www.vmware.com/files/pdf/VMware-paravirtualization.pdf
32. XenAccess Documentation. Retrieved November 15, 2007 from http://xenaccess.sourceforge.net/doc/index.html
33. Xensource. Retrieved July 27, 2007 from http://www.xensource.com/xen/xen/ nfamily/virtualpc/default.mspx
34. Xen: Mailing Lists. Retrieved November 15, 2007 from http://lists. xensource.com/
35. Xu, M., Jiang, X., Sandhu, R., and Zhang, X. 2007. Towards a VMM-based usage control framework for OS kernel integrity protection. In Proceedings of the 12th ACM Symposium on Access Control Models and Technologies (Sophia Antipolis, France, June 20 - 22, 2007). SACMAT '07. ACM, New York, NY, 71-80. DOI= http://doi.acm.org/10.1145/1266840.1266852