Miao Yu, Qian Lin, Bingyu Li, Zhengwei Qi, Haibing Guan (Shanghai Jiao Tong University)
Slide 1
Vis: Virtualization Enhanced Live Acquisition for Native System
Miao Yu, Qian Lin, Bingyu Li, Zhengwei Qi, Haibing Guan
Shanghai Jiao Tong University
Slide 2: Motivation
Acquisition is the most important step in a typical computer forensics scenario. Missing evidence leads to an incomplete or wrong investigation result.
Static acquisition: in-disk evidence
Live acquisition: in-memory evidence; 24/7-availability servers
Slide 3: Problem - Live Acquisition
Existing approaches to live acquisition:
In-OS introspection: low result accuracy
Virtualization introspection: requires the target system to be in a VM already
Vis: late virtualization + virtual snapshot
Vis provides accurate retrieval of native system physical memory while preserving the execution of the target.
Slide 4: Late Virtualization
Insert a drop-in hypervisor after the target OS is started up.
1) Save the host state.
2) Fill the host state into the virtual machine.
Slide 5: Late Virtualization
Architecture diagram (labels only): Hardware; Vis Hypervisor with an Event Handler; Virtual Machine containing the OS Kernel, the Vis Driver and two User Apps; two Event arrows between the Vis Driver and the Event Handler.
Slide 6: Virtual Snapshot
Timeline: "Dump!" ... "Finish!", acquisition duration >10 seconds.
Diagram: guest virtual pages -> guest physical pages -> machine physical pages, with an identical mapping on the nested page table; each guest page is marked unmodified or modified.
Legend:
Modified pages: copy-on-write mechanism on the nested page table
Unmodified pages: dump remaining pages when handling frequent events
Amortized: dump multiple pages per trap
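The copy-on-write virtual snapshot of slide 6, as an added simulation written for this page, not code from the Vis prototype: the nested page table's write permission is modelled as a per-page flag and an EPT write trap as a function call; each trap saves the faulting page's pre-write content plus a fixed number of other pages (the amortized dump), and whatever was never written is copied at finish. Page count, page size and the amortization factor are constructed toy values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define NPAGES 8     /* constructed: guest physical pages */
#define PAGE 16      /* constructed: toy page size in bytes */
#define AMORTIZE 2   /* constructed: extra pages dumped per write trap */

/* mem: live machine pages; dump: acquisition result; dumped[p] doubles as the
 * write bit of the modelled nested page table (a page traps until it is copied). */
typedef struct { uint8_t mem[NPAGES][PAGE], dump[NPAGES][PAGE]; bool dumped[NPAGES]; int traps; } vis_t;

/* "Dump!": copy nothing yet, just make every page trap on write. */
void vis_snapshot_begin(vis_t *v) { memset(v->dumped, 0, sizeof v->dumped); v->traps = 0; }

/* Copy a page once, before any later write can change it; then it stops trapping. */
static void dump_page(vis_t *v, int p) {
    if (!v->dumped[p]) { memcpy(v->dump[p], v->mem[p], PAGE); v->dumped[p] = true; }
}
/* Guest write. An undumped page traps to the hypervisor, which saves its pre-write
 * content (copy-on-write) plus AMORTIZE other undumped pages, then lets the write go. */
void vis_guest_write(vis_t *v, int p, int off, uint8_t val) {
    if (!v->dumped[p]) {
        v->traps++;
        dump_page(v, p);
        for (int i = 0, extra = AMORTIZE; i < NPAGES && extra > 0; i++)
            if (!v->dumped[i]) { dump_page(v, i); extra--; }
    }
    v->mem[p][off] = val;
}

/* "Finish!": pages never written are copied now (Vis does this while handling frequent events). */
int vis_snapshot_finish(vis_t *v) {
    for (int i = 0; i < NPAGES; i++) dump_page(v, i);
    return v->traps;
}

/* Snapshot a patterned image while the guest keeps writing; returns the trap count
 * if the dump equals the image as it was at "Dump!" time, else -1. */
int vis_demo(void) {
    vis_t v;
    uint8_t expected[NPAGES][PAGE];
    for (int p = 0; p < NPAGES; p++)
        for (int o = 0; o < PAGE; o++) v.mem[p][o] = (uint8_t)(p * PAGE + o);
    memcpy(expected, v.mem, sizeof expected);
    vis_snapshot_begin(&v);
    vis_guest_write(&v, 3, 5, 0xAA);  /* trap 1: dumps page 3, then pages 0 and 1 */
    vis_guest_write(&v, 3, 6, 0xBB);  /* no trap: page 3 already dumped */
    vis_guest_write(&v, 7, 0, 0xCC);  /* trap 2: dumps page 7, then pages 2 and 4 */
    int traps = vis_snapshot_finish(&v);  /* pages 5 and 6 copied here */
    return memcmp(expected, v.dump, sizeof expected) == 0 ? traps : -1;
}
```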
Slide 9: Implementation
Based on techniques: Intel VT-x; EPT for nested paging.
Vis prototype: supports Windows 7 i386 (uniprocessor); tailored from NewBluePill (hypervisor-based virus).
Slide 10: Effectiveness Evaluation
Win32dd and Memoryze recorded >50% polluted content in the result file. Vis recorded no polluted content.
Slide 11: Performance Evaluation
Virtualizing CPU and memory only, Vis incurs no I/O performance overhead. The high performance degradation on certain memory-intensive benchmarks is attributed to EPT overhead.
[Chart: normalized performance per benchmark]
Slide 13: Discussions
Trustworthy hypervisor: hypervisor code can be attested before being loaded via the Trusted Platform Module (TPM) (Martignoni et al., RAID'10).
No nested virtualization: the Turtles Project (Muli et al., OSDI'10); for future work.
A little invasion is acceptable: Locard's exchange principle (Chisum, Journal of Behavioral Profiling, January 2000).
Slide 14: Summary
Vis achieved:
Virtualization for native system, via late virtualization
Accurate acquisition, via virtual snapshot
Slide 15
Vis: Virtualization Enhanced Live Acquisition for Native System
Miao Yu, Qian Lin, Bingyu Li, Zhengwei Qi, Haibing Guan
Shanghai Jiao Tong University
Slide 16: Backup