Memory forensics is the branch of computer forensics that aims at extracting artifacts from memory snapshots taken from a running system. Even though it is a relatively recent field, it is rapidly growing and it is attracting considerable attention from both industrial and academic researchers. In this paper, we present a set of techniques to extend the field of memory forensics toward the analysis of hypervisors and virtual machines. With the increasing adoption of virtualization techniques (both as part of the cloud and in normal desktop environments), we believe that memory forensics will soon play a very important role in many investigations that involve virtual environments. Our approach, implemented in an open source tool as an extension of the Volatility framework, is designed to detect both the existence and the characteristics of any hypervisor that uses the Intel VT-x technology. It also supports the analysis of nested virtualization and it is able to infer the hierarchy of multiple hypervisors and virtual machines. Finally, by exploiting the techniques presented in this paper, our tool can reconstruct the address space of a virtual machine in order to transparently support any existing Volatility plugin - allowing analysts to reuse their code for the analysis of virtual environments.
Hypervisor memory forensics / M. Graziano, A. Lanzi, D. Balzarotti (Lecture Notes in Computer Science). In: Research in Attacks, Intrusions, and Defenses / edited by S.J. Stolfo, A. Stavrou, C.V. Wright. Berlin: Springer, 2013. ISBN 9783642412837. pp. 21-40. Paper presented at the 16th International Symposium, RAID 2013, held in Rodney Bay in 2013 [doi: 10.1007/978-3-642-41284-4_2].
Hypervisor memory forensics
A. Lanzi (second author); 2013
| File | Size | Format |
|---|---|---|
| raid13_graziano.pdf (restricted access). Type: post-print, accepted manuscript etc. (version accepted by the publisher) | 343.57 kB | Adobe PDF |
| chp%3A10.1007%2F978-3-642-41284-4_2.pdf (restricted access). Type: publisher's version/PDF | 352.97 kB | Adobe PDF |