File System Forensic Analysis
Live forensics: diagnosing your system without killing it first
Communications of the ACM - Next-generation cyber forensics
Pervasive binding of labels to system processes
Proceedings of the 14th ACM conference on Computer and communications security
Acquiring volatile operating system data tools and techniques
ACM SIGOPS Operating Systems Review
Forensics examination of volatile system data using virtual introspection
ACM SIGOPS Operating Systems Review
Lares: An Architecture for Secure Active Monitoring Using Virtualization
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Live Analysis: Progress and Challenges
Computing in Science and Engineering
ICISC'07 Proceedings of the 10th international conference on Information security and cryptology
TrustVisor: Efficient TCB Reduction and Attestation
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Trail of bytes: efficient support for forensic analysis
Proceedings of the 17th ACM conference on Computer and communications security
Live and trustworthy forensic analysis of commodity production systems
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
BodySnatcher: Towards reliable volatile memory acquisition by software
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Current live acquisition efforts, which focus on obtaining in-memory evidence, either fail to acquire the native system's physical memory accurately at a given point in time or require suspending the machine and drastically altering its execution environment. To address this, we propose Vis, a lightweight virtualization approach that retrieves physical memory content accurately while preserving the execution of the target system. Vis encapsulates the native system in a single virtual machine and then performs accurate acquisition by manipulating the nested page tables in the hypervisor. We present the design and implementation of Vis, prove the reliability of its acquisition, and evaluate its performance in live acquisition scenarios.
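The abstract says only that Vis obtains a point-in-time image by manipulating the nested page tables; it does not state the mechanism. The following added example (not the paper's code, and not necessarily what Vis does) models in user space one standard way a hypervisor can achieve this with nested page table permissions: at the snapshot instant every guest frame is write-protected in the NPT, the first guest write to a frame traps and the hypervisor copies the frame before re-enabling write access, and the acquirer then reads either the untouched live frame or the preserved copy. The 64-byte page size, the 8-frame guest, the frame contents and all function names are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE  64   /* scaled down for the illustration; real pages are 4 KiB */
#define NUM_FRAMES 8    /* constructed guest: physical frames 0..7 */
#define NPT_WRITABLE 0x2u

struct vm {
    uint8_t  ram[NUM_FRAMES][PAGE_SIZE]; /* guest physical memory */
    uint32_t npt[NUM_FRAMES];            /* nested page table: permission bits per frame */
    uint8_t *shadow[NUM_FRAMES];         /* frame as of the snapshot instant, NULL if untouched */
    int      snapshot_active;
    unsigned npt_faults;                 /* write-protection violations taken */
};

void vm_init(struct vm *vm) {
    memset(vm, 0, sizeof *vm);
    for (unsigned gfn = 0; gfn < NUM_FRAMES; gfn++) vm->npt[gfn] = NPT_WRITABLE;
}

/* Snapshot instant: strip write permission from every frame. The guest is
 * not paused; its next store to any frame traps (npt_write_fault below). */
void snapshot_begin(struct vm *vm) {
    for (unsigned gfn = 0; gfn < NUM_FRAMES; gfn++) vm->npt[gfn] &= ~NPT_WRITABLE;
    vm->snapshot_active = 1;
}

/* NPT write-violation handler: preserve the frame as it was at the
 * snapshot, then re-grant write access. Only the first write to a frame
 * pays this cost; the guest otherwise runs without further traps. */
static void npt_write_fault(struct vm *vm, unsigned gfn) {
    vm->npt_faults++;
    if (vm->snapshot_active && vm->shadow[gfn] == NULL) {
        vm->shadow[gfn] = malloc(PAGE_SIZE);
        if (!vm->shadow[gfn]) { perror("malloc"); exit(EXIT_FAILURE); }
        memcpy(vm->shadow[gfn], vm->ram[gfn], PAGE_SIZE);
    }
    vm->npt[gfn] |= NPT_WRITABLE;
}

/* Guest store to guest-physical address gpa; -1 if outside guest memory. */
int guest_write(struct vm *vm, uint64_t gpa, uint8_t value) {
    unsigned gfn = (unsigned)(gpa / PAGE_SIZE);
    if (gfn >= NUM_FRAMES) return -1;
    if (!(vm->npt[gfn] & NPT_WRITABLE)) npt_write_fault(vm, gfn);
    vm->ram[gfn][gpa % PAGE_SIZE] = value;
    return 0;
}

/* Acquirer: copy out one frame as of the snapshot instant. A frame without
 * a shadow copy has taken no write since (any write would have faulted),
 * so its live content is still the snapshot content. */
int acquire_frame(const struct vm *vm, unsigned gfn, uint8_t out[PAGE_SIZE]) {
    if (!vm->snapshot_active || gfn >= NUM_FRAMES) return -1;
    memcpy(out, vm->shadow[gfn] ? vm->shadow[gfn] : vm->ram[gfn], PAGE_SIZE);
    return 0;
}

/* Release shadow copies and return the NPT to fully writable. */
void snapshot_end(struct vm *vm) {
    for (unsigned gfn = 0; gfn < NUM_FRAMES; gfn++) {
        free(vm->shadow[gfn]); vm->shadow[gfn] = NULL; vm->npt[gfn] |= NPT_WRITABLE;
    }
    vm->snapshot_active = 0;
}

/* Demo on constructed guest memory: snapshot, let the guest keep writing,
 * then check that the acquired image is the snapshot-instant content while
 * live memory has moved on. Returns 1 on success, 0 on any inconsistency. */
int demo_consistent_image(void) {
    struct vm vm;
    uint8_t img[PAGE_SIZE];
    int ok = 1;
    vm_init(&vm);
    for (unsigned gfn = 0; gfn < NUM_FRAMES; gfn++)
        memset(vm.ram[gfn], 0xA0 + gfn, PAGE_SIZE); /* constructed content per frame */
    snapshot_begin(&vm);
    guest_write(&vm, 1 * PAGE_SIZE + 3, 0xFF); /* first write to frame 1: fault + copy */
    guest_write(&vm, 1 * PAGE_SIZE + 4, 0xFF); /* second write to frame 1: no fault */
    guest_write(&vm, 5 * PAGE_SIZE + 0, 0x00); /* first write to frame 5: fault + copy */
    for (unsigned gfn = 0; gfn < NUM_FRAMES; gfn++) {
        if (acquire_frame(&vm, gfn, img) != 0) ok = 0;
        for (unsigned i = 0; i < PAGE_SIZE; i++)
            if (img[i] != (uint8_t)(0xA0 + gfn)) ok = 0; /* post-snapshot write leaked in */
    }
    ok = ok && vm.npt_faults == 2 && vm.ram[1][3] == 0xFF && vm.ram[5][0] == 0x00;
    snapshot_end(&vm);
    return ok;
}

int main(void) {
    printf("acquired image consistent with snapshot instant: %s\n",
           demo_consistent_image() ? "yes" : "no");
    return 0;
}
```

The model captures why the approach needs neither a machine suspend nor a full memory copy up front: only frames the guest actually writes during the acquisition window are copied, and each costs a single trap. A real hypervisor has to cover what the model leaves out: device DMA does not go through the nested page tables and must be fenced with the IOMMU or the image is no longer exact; on a multi-vCPU guest the fault handler and the acquirer race on the same frame and need a lock or an atomic permission flip; and shadow memory should be bounded by releasing a frame's copy as soon as the acquirer has read it.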