A lightweight live memory forensic approach based on hardware virtualization
Abstract
The results of memory forensics can not only be used as evidence in court but are also beneficial for analyzing vulnerabilities and improving security. Thus, memory forensics has been widely used in many fields, including cloud security. Traditional memory forensics, usually an after-the-fact method, is time-consuming and often loses important transient information. Thus, live methods, which investigate memory directly, have been proposed. However, most of them are kernel based and therefore easy to detect or deceive. Although virtualization technology can overcome these shortcomings, it must be preinstalled and incurs a high cost. To solve these problems, we propose a lightweight live memory forensic framework based on hardware virtualization. It can build a virtualization environment on-the-fly: the running operating system is migrated into a virtual machine without termination or modification, and the forensic methods can then acquire and analyze evidence at the hypervisor level. Two novel forensic methods are proposed to verify the effectiveness of the framework; they focus on acquiring accurate data and on capturing system behavior, respectively. The main ideas are guaranteeing data accuracy through multi-view extraction and analyzing memory behavior in a para-synchronous style. Experiments show that these methods are able to obtain reliable and integrated evidence at an acceptable cost.

© 2004-2018 China Geological Library. All rights reserved. 京ICP备05064691号 京公网安备11010802017129号
