Motivation 2 Static Acquisition Live Acquisition Static AcquisitionLive Acquisition In-Disk Evidence...

VisVirtualization Enhanced Live Acquisition for Native System

Miao Yu, Qian Lin, Bingyu Li, Zhengwei Qi, Haibing Guan

Shanghai Jiao Tong University

MotivationAcquisition is the most important step in a typical computer

forensics scenario. Missing evidence leads to an incomplete or wrong investigation result.

Static Acquisition Live Acquisition

In-Disk Evidence

In-Memory Evidence

24/7 Availability Servers

Problem - Live Acquisition

Live Acquisition Target System

requiring in VM Already

Low Result Accuracy

Late Virtualization

Virtual Snapshot

Virtualization Introspection

In-OS Introspection

Vis provides accurate retrieving of native system physical memory while preserving the execution of target.

Late Virtualization

• Insert a Drop-in Hypervisor after the target OS is started up.1) Save the host state 2)Fill the host state in

the virtual machine

Late Virtualization

Hardware

OS Kernel

User App User App

Vis Hypervisor

Virtual Machine

Event Handler

Vis Driver

Virtual Snapshot

Finish!

Guest Virtual Pages

UnmodifiedModified

Acquisition Duration (>10 Seconds)

Guest Physical Pages

Machine Physical Pages

Legend

• Identical Mapping on Nested Page Table• Modified Pages Copy-on-Write mechanism on nested page table • Unmodified Pages Dump remaining pages when handling frequent event• Amortized Dump multiple pages per trap

Virtual Snapshot

Finish!

Guest Virtual Pages

UnmodifiedModified

Legend

Virtual Snapshot

Finish!

Guest Virtual Pages

UnmodifiedModified

Legend

Dumping

Implementation

• Based on Techniques:– Intel® VT-x– EPT for Nested Paging

• Vis Prototype– Support Windows 7 i386 (Uniprocessor)– Tailored from NewBluePill (Hypervisor based virus)

Effectiveness Evaluation

• Win32dd and Memoryze recorded >50% polluted content in the result file

• Vis recorded no polluted content.

Performance Evaluation

• Virtualizing CPU and memory only, Vis incurs no I/O performance overhead.

• High performance degradation on certain memory-intensive benchmark is imputed to EPT overhead.

SPECint 2006

IOMeter Netperf Httpd50%60%70%80%90%

100%110%

90.14%99.49% 101.05% 99.70%

Vis IdleN

Benchmarks

Performance Evaluation

• Virtualizing CPU and memory only, Vis incurs no I/O performance overhead.• High performance degradation on certain memory-intensive

benchmark is imputed to EPT overhead.

perlbench

bzip2 gc

hmmersje

libquan

h264ref

omnetpp

0%20%40%60%80%

100%120%

95.3% 97.0%85.8%

99.8% 99.8% 93.9% 93.7% 98.1%84.7% 91.6% 92.5%

Vis Idle

Discussions• Trustworthy hypervisor

– Hypervisor code can be attested before being loaded via Trusted Platform Module (TPM) (Martignoni et al, RAID’10)

• No nested virtualization– The Turtles Project (Muli et al, OSDI’10)– For future work

• A little invasion is acceptable– Locard’s exchange principle (Chisum, Journal of Behavioral Profiling,

January 2000)

Summary• Vis achieved:– Virtualization for native system– Accurate acquisition

Virtualization for Native System

Accurate Acquisition

Late Virtualization

Virtual Snapshot

VisVirtualization Enhanced Live Acquisition for Native System

Miao Yu, Qian Lin, Bingyu Li, Zhengwei Qi, Haibing Guan

Shanghai Jiao Tong University

Backup

Motivation 2 Static Acquisition Live Acquisition Static AcquisitionLive Acquisition In-Disk Evidence...

Documents

Transcript of Motivation 2 Static Acquisition Live Acquisition Static AcquisitionLive Acquisition In-Disk Evidence...

Acquisition and Analysis of Digital Evidence in Android ...

SECURE ACQUISITION OF DIGITAL EVIDENCE FROM …

Export Expansion, Skill Acquisition and Industry Specialization: Evidence from China · 2016. 6. 14. · Export Expansion, Skill Acquisition and Industry Specialization: Evidence

First steps in Language Acquisition: Evidence from ERPs

Variability, negative evidence, and the acquisition of

Acquisition and analysis of digital evidence in Android Smart …ahmadsm/coe589-122/abubakar2013-androi… · Acquisition and analysis of digital evidence in Android Smart phones

The Critical Period for Language Acquisition: Evidence from Second ...

Evidence on the Effect of DoD Acquisition Policy and Process on Cost Growth of Major Defense Acquisition Programs

Analyst coverage and acquisition returns: Evidence from ... · Analyst coverage and acquisition returns: Evidence from natural experiments* Eliezer M. Fich LeBow College of Business

Age Effects on the Process of L2 Acquisition? Evidence ...

Acquisition of Perspective and Role Shift in Deaf Children: Evidence ...

A signaling theory of acquisition premiums: evidence from IPO targets

Digital Evidence Acquisition, Storage and Management Crime Scene

Evidence-Based Practices that promote effective skill acquisition

Early Acquisition of Word Order: Evidence from …filcat.uab.cat/clt/publicacions/tesis/pdf/LEELAThesis.pdf · EARLY ACQUISITION OF WORD ORDER: EVIDENCE FROM ... Early Acquisition

Acquisition of scalar implicatures: Evidence from adult Japanese … · Acquisition of scalar implicatures: Evidence from adult Japanese L2 learners of English Neal Snape and Hironobu

Evidence to Decision Frameworks: Wound Care Cleanse the … › static › pdfs › 12_E2D_Woundcare.… · Evidence to Decision Framework. ©EPUAP/NPIAP/PPPIA 1 Evidence to Decision

Greenfield vs. Acquisition in FDI: Evidence from · PDF fileGreenfield vs. Acquisition in FDI: Evidence from Romania ... contrasting their advantages and disadvantages. ... diversification

n COURT REPORTER S CERTIFICATE RESPECTING EVIDENCE …ontariocourtforms.on.ca/static/media/uploads/courtforms/scjcpr/... · COURT REPORTER’S CERTIFICATE RESPECTING EVIDENCE (Criminal

Acquisition of Semantic Classes for Adjectives from Distributional Evidence