
Secure Virtual Machine for Real Time Forensic Tools on Commodity Workstations

  • Conference paper
Innovative Security Solutions for Information Technology and Communications (SECITC 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10006)

Abstract

Forensic analysis of volatile memory is a crucial part of the Incident Response process. Traditionally, it requires acquiring a memory dump from the affected workstation and transferring it to the analyst's system, where it is analyzed using established forensic tools such as Volatility or Rekall. Hardware-based virtualization support in modern x86 CPUs has previously been used on endpoints to acquire volatile memory in a way that malware cannot interfere with, but this approach does not support reusing existing forensic tools to perform live analysis. We introduce a system that leverages a small, security-oriented hypervisor (HV) to run the original endpoint's OS inside a virtual machine (VM), alongside another VM dedicated to live forensic analysis using existing forensic tools. The HV enforces isolation between the analyzed OS and the forensic VM, while allowing a reliable remote connection to the forensic VM through a dedicated physical network card.

Author information

Corresponding author: Dan Luţaş

A Annex 1

See Annex Table 3.

Table 3. Details about the way MiniSecHV partitions the system memory and devices between the hypervisor, the analyzed VM and the forensic VM

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Luţaş, D., Coleşa, A., Lukács, S., Luţaş, A. (2016). Secure Virtual Machine for Real Time Forensic Tools on Commodity Workstations. In: Bica, I., Reyhanitabar, R. (eds) Innovative Security Solutions for Information Technology and Communications. SECITC 2016. Lecture Notes in Computer Science, vol 10006. Springer, Cham. https://doi.org/10.1007/978-3-319-47238-6_14

  • DOI: https://doi.org/10.1007/978-3-319-47238-6_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-47237-9

  • Online ISBN: 978-3-319-47238-6
