Vis: virtualization enhanced live acquisition for native system

Authors:
Miao Yu;Qian Lin;Bingyu Li;Zhengwei Qi;Haibing Guan
Affiliations:
Shanghai Jiao Tong University;Shanghai Jiao Tong University;Shanghai Jiao Tong University;Shanghai Jiao Tong University;Shanghai Jiao Tong University
Venue:
Proceedings of the Second Asia-Pacific Workshop on Systems
Year:
2011

Citing 13
Cited 0

File System Forensic Analysis

File System Forensic Analysis
Live forensics: diagnosing your system without killing it first

Communications of the ACM - Next-generation cyber forensics
Pervasive binding of labels to system processes

Pervasive binding of labels to system processes
Proceedings of the 14th ACM conference on Computer and communications security

14th ACM Conference on Computer and Communications Security 2007
Acquiring volatile operating system data tools and techniques

ACM SIGOPS Operating Systems Review
Forensics examination of volatile system data using virtual introspection

ACM SIGOPS Operating Systems Review
Lares: An Architecture for Secure Active Monitoring Using Virtualization

SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Live Analysis: Progress and Challenges

Computing in Science and Engineering
Asynchronous pseudo physical memory snapshot and forensics on paravirtualized VMM using split kernel module

ICISC'07 Proceedings of the 10th international conference on Information security and cryptology
TrustVisor: Efficient TCB Reduction and Attestation

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Trail of bytes: efficient support for forensic analysis

Proceedings of the 17th ACM conference on Computer and communications security
Live and trustworthy forensic analysis of commodity production systems

RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
BodySnatcher: Towards reliable volatile memory acquisition by software

Digital Investigation: The International Journal of Digital Forensics & Incident Response

Quantified Score

Hi-index	0.00

Visualization

Abstract

Focusing on obtaining in-memory evidence, current live acquisition efforts either fail to provide accurate native system physical memory acquisition at the given time point or require suspending the machine and altering the execution environment drastically. To address this issue, we propose Vis, a light-weight virtualization approach to provide accurate retrieving of physical memory content while preserving the execution of target system. Vis encapsulates the native system into a single virtual machine and then conducts accurate acquisition by manipulating nested page table in hypervisor. We present the design and implementation of Vis, prove its acquisition reliability and evaluate its performance in live acquisition scenarios.