Virtual Machine Forensics by means of Introspection and Kernel Code Injection

Files in This Item:
File: insight_publication.pdf (150.52 kB, Adobe PDF)
Title: Virtual Machine Forensics by means of Introspection and Kernel Code Injection
Authors: Tobin, Patrick
Kechadi, Tahar
Permanent link: http://hdl.handle.net/10197/6478
Date: 24-Mar-2014
Abstract: Virtual Machine Introspection offers the ability to access a virtual machine remotely and extract information from it. Virtual machine introspection allows all processes, local data, and network traffic to be tracked and made available to the investigation process. These properties offer the possibility of monitoring a suspect virtual machine (VM). However, access to VM data is far from trivial; there are various complex tasks to be dealt with. For instance, the returned data is in a raw format, and it is necessary to remap it into a user-friendly (canonical) representation. In this paper we propose a method of bridging this semantic gap and provide a graphical reconstruction of events. This proposal is essentially the recreation of a virtual machine at a remote location and the subsequent recreation of all processes, data, and network traffic in that virtual machine as they occur in the original. This should be achieved in real time, which gives an opportunity to make decisions quickly based on the evidence as it is collected. Our approach involves recreating a virtual machine and injecting into it all code and data within the original virtual machine, presenting an identical copy for examination. The proposed approach has the further advantage of allowing all data to be saved for later analysis and verification.
Funding Details: Science Foundation Ireland
Type of material: Conference Publication
Copyright (published version): 2014 the Author
Keywords: Machine learning; Statistics; Virtualisation; Digital forensics; Kernel injection; Virtual Machine introspection
Other versions: http://academic-conferences.org/iciw/iciw2014/iciw14-home.htm
Language: en
Status of Item: Peer reviewed
Conference Details: 9th International Conference on Cyber Warfare and Security, Purdue University, West Lafayette, Indiana, United States, 24-25 March 2014
Appears in Collections: Computer Science Research Collection; Insight Research Collection


This item is available under the Attribution-NonCommercial-NoDerivs 3.0 Ireland. No item may be reproduced for commercial purposes. For other possible restrictions on use please refer to the publisher's URL where this is made available, or to notes contained in the item itself. Other terms may apply.