2009 International Conference on Availability, Reliability and Security 2009
DOI: 10.1109/ares.2009.173

Investigating the Implications of Virtual Machine Introspection for Digital Forensics

Abstract: Researchers and practitioners in computer forensics currently must base their analysis on information that is either incomplete or produced by tools that may themselves be compromised as a result of the intrusion. Complicating these issues are the techniques employed by the investigators themselves. If the system is quiescent when examined, most of the information in memory has been lost. If the system is active, the kernel and programs used by the forensic investigators are likely to influence the re…

Cited by 25 publications
(8 citation statements)
References 13 publications
“…In the latter case, it is not possible for the researchers to obtain information and activity regarding the device of the hypervisor [19]. And that is an issue for research [20]. On the other hand, even if you do not turn off the virtual machines, which we remind you are a small file, they have a so-called snapshot technology that allows you to roll back to the system.…”
Section: Main Problems (citation type: mentioning)
confidence: 99%
“…That is, I can create a virtual machine on a hypervisor, at first use create a snapshot of the entire system, then establish an encrypted communication with a weapons purchase site, buy the weapons, and then roll back to the initial picture and I turn off the snapshot, all the information about the crime of buying weapons literally disappears. It is effortless to perceive the problem that is generated for a digital criminal investigation [20].…”
Section: Main Problems (citation type: mentioning)
confidence: 99%
“…They used VMI to develop an Intrusion Detection System (IDS), called Livewire, for a customized version of VMWare Workstation for Linux. VMI techniques have also been used in Digital Forensics [13] and [15]. Hyperspector [16] implemented another Intrusion Detection System for distributed computer systems using VMI to isolate the IDS from the servers that they monitor.…”
Section: A Virtual Machine Introspection (citation type: mentioning)
confidence: 99%
“…Acquiring data through VMI increases the probability of obtaining forensically sound evidence while introduces semantic gap [9] at the same time. Although bridging the semantic gap is challenging, out-of-box VMI does not need to modify the VMs so that malware is unaware of the monitoring, which enables more secure monitoring and manifests true situation of VMs [10].…”
Section: Virtualization and VMI (citation type: mentioning)
confidence: 99%
“…VMI depends on reconstructing high-level understandable information from low-level raw data which is provided through inspecting the hardware components of virtual machines under a trustworthy external circumstance [5]. VMI can demonstrate excellent view of details in virtual machine so it rapidly gains popularity among researchers.…”
Section: Introduction (citation type: mentioning)
confidence: 99%