Published in: International Journal of Parallel Programming 3/2015

01.06.2015

A Virtualization Based Monitoring System for Mini-intrusive Live Forensics

Authors: Xianming Zhong, Chengcheng Xiang, Miao Yu, Zhengwei Qi, Haibing Guan


Abstract

Digital evidence is of great significance in combating cybercrime. Unfortunately, previous acquisition tools have suffered either from the need to suspend the target system's execution or from the insecurity of the acquisition tools themselves, so the correctness and accuracy of the evidence they obtain cannot be guaranteed. In this paper, we propose VAIL, a novel virtualization based monitoring system for mini-intrusive live forensics, which employs hardware assisted virtualization to gather integrated information from the native computer system. The execution of the target system is not interrupted, and VAIL remains immune to attacks from the target system. We have implemented a proof-of-concept prototype and validated it with a Windows guest system. The experimental results show that VAIL obtains comprehensive digital evidence from the target system as designed, including the CPU state, the physical memory content, and the I/O activities. On average, VAIL introduces only 4.21 % performance overhead on the target system, which demonstrates that VAIL is practical in real commercial environments.


Metadata
Title
A Virtualization Based Monitoring System for Mini-intrusive Live Forensics
Authors
Xianming Zhong
Chengcheng Xiang
Miao Yu
Zhengwei Qi
Haibing Guan
Publication date
01.06.2015
Publisher
Springer US
Published in
International Journal of Parallel Programming / Issue 3/2015
Print ISSN: 0885-7458
Electronic ISSN: 1573-7640
DOI
https://doi.org/10.1007/s10766-013-0285-2
