Vis: Virtualization Enhanced Live Acquisition for Native System
Miao Yu, Qian Lin, Bingyu Li, Zhengwei Qi, Haibing Guan
Shanghai Jiao Tong University
Motivation
Acquisition is the most important step in a typical computer forensics scenario. Missing evidence leads to an incomplete or wrong investigation result.
• Static acquisition: in-disk evidence.
• Live acquisition: in-memory evidence, and servers that must stay available 24/7 and cannot be powered down for a static image.
Problem: Live Acquisition
Existing ways of acquiring a live target system:
• Virtualization introspection: requires the target already to be running inside a VM.
• In-OS introspection: low result accuracy, because the dump is taken from inside an OS whose memory keeps changing while the acquisition runs.
• Vis (Late Virtualization + Virtual Snapshot): Vis provides accurate retrieval of the native system's physical memory while preserving the execution of the target.
Late Virtualization
• Insert a drop-in hypervisor after the target OS has already started up:
  1) save the host state;
  2) fill the host state into the virtual machine, so the running OS continues as the guest without a reboot.

[Figure: Vis architecture. The Vis Hypervisor sits between the Hardware and a Virtual Machine that now contains the OS Kernel and the User Apps; a Vis Driver inside the guest raises Events that are handled by the hypervisor's Event Handler.]
Virtual Snapshot
[Figure: three-level mapping from Guest Virtual Pages to Guest Physical Pages to Machine Physical Pages over the acquisition duration (>10 seconds), from "Dump!" to "Finish!"; the legend distinguishes Unmodified and Modified pages.]
• Identical mapping on the nested page table.
• Modified pages: copy-on-write mechanism on the nested page table.
• Unmodified pages: dump the remaining pages while handling frequent events.
• Amortized: dump multiple pages per trap.
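The following is an added toy model of the Virtual Snapshot mechanism, not code from the Vis prototype. It contrasts an in-OS dumper, which copies pages one at a time while the OS keeps writing (the source of the "polluted content" reported later for win32dd and Memoryze), with a copy-on-write snapshot: at the dump instant every guest-physical page is identically mapped but write-protected in the nested page table, a guest write to a still-protected page traps, the handler saves the pre-write content and then dumps a few more unmodified pages per trap (amortization), and a background loop finishes the rest. The page size, the amortization factor PAGES_PER_TRAP, the memory contents and the write workload are all constructed here; the EPT violation path is modelled by the guest_write method and there is no TLB or multiprocessor handling.

```python
"""Toy model of copy-on-write memory acquisition on a nested page table.

Added example, not the Vis prototype's code.  Memory contents and the
guest write workload are constructed; PAGE and PAGES_PER_TRAP are assumed.
"""
import random

PAGE = 4             # toy page size in bytes (real hardware: 4096)
PAGES_PER_TRAP = 2   # assumed amortization factor: extra pages dumped per trap


def make_memory(n_pages, seed=1):
    """Constructed guest-physical memory: n_pages pages of pseudo-random bytes."""
    rng = random.Random(seed)
    return [bytearray(rng.getrandbits(8) for _ in range(PAGE)) for _ in range(n_pages)]


class NaiveDumper:
    """In-OS dumper: copies one page per scheduling slice while the guest keeps
    writing, so pages copied later reflect a later point in time (smear)."""
    def __init__(self, mem):
        self.mem, self.image, self.next = mem, [None] * len(mem), 0

    def guest_write(self, page, data):
        self.mem[page][:] = data            # no trap: the write goes straight through

    def step(self):
        if self.next < len(self.mem):
            self.image[self.next] = bytes(self.mem[self.next])
            self.next += 1

    def done(self):
        return self.next == len(self.mem)


class CowSnapshot:
    """Virtual Snapshot: at T0 all pages are mapped identically but read-only in
    the nested page table.  A guest write to a protected page traps; the handler
    copies the old content first (copy-on-write), restores write access, and
    dumps PAGES_PER_TRAP further unmodified pages so that frequent traps pay
    for the dump of the rest.  step() is the background dump of remaining pages."""
    def __init__(self, mem):
        self.mem, self.image = mem, [None] * len(mem)
        self.protected = set(range(len(mem)))   # pages whose NPT entry is still RO
        self.pending = list(range(len(mem)))    # unmodified pages not yet dumped
        self.traps = 0

    def _dump(self, page):
        if self.image[page] is None:
            self.image[page] = bytes(self.mem[page])
        self.protected.discard(page)            # make the entry writable again

    def _take_pending(self, k):
        out = []
        while self.pending and len(out) < k:
            p = self.pending.pop()
            if p in self.protected:             # skip pages already saved by a trap
                out.append(p)
        return out

    def guest_write(self, page, data):
        if page in self.protected:              # EPT violation on a write-protected page
            self.traps += 1
            self._dump(page)                    # save the T0 content before it changes
            for p in self._take_pending(PAGES_PER_TRAP):
                self._dump(p)                   # amortized dump of other pages
        self.mem[page][:] = data                # the write proceeds; guest is unaware

    def step(self):
        for p in self._take_pending(1):
            self._dump(p)

    def done(self):
        return not self.protected


def run(dumper_cls, n_pages=64, n_ops=400, seed=7):
    """Interleave constructed guest writes with dumper work.  Returns the
    acquired image, the reference (memory as it was at T0) and the dumper."""
    mem = make_memory(n_pages)
    reference = [bytes(p) for p in mem]         # ground truth at the dump instant
    d = dumper_cls(mem)
    rng = random.Random(seed)
    for _ in range(n_ops):
        if rng.random() < 0.5:                  # guest activity during acquisition
            d.guest_write(rng.randrange(n_pages), bytes([rng.randrange(256)] * PAGE))
        else:
            d.step()
    while not d.done():
        d.step()
    return d.image, reference, d


def polluted_pages(image, reference):
    """Number of pages whose acquired content differs from the T0 content."""
    return sum(1 for a, b in zip(image, reference) if a != b)


if __name__ == "__main__":
    for cls in (NaiveDumper, CowSnapshot):
        image, reference, _ = run(cls)
        print(cls.__name__, "polluted pages:", polluted_pages(image, reference))
```

The naive dumper's image is internally inconsistent (each page is from a different instant), whereas the copy-on-write image equals the T0 memory page for page even though the guest wrote to many pages during the window; the cost is one trap per first write to each page, which is what the amortized multi-page dump keeps bounded.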
Implementation
• Based on: Intel VT-x, with EPT for nested paging.
• Vis prototype: supports Windows 7 i386 (uniprocessor); tailored from NewBluePill (a hypervisor-based rootkit).
Effectiveness Evaluation
• Win32dd and Memoryze recorded >50% polluted content in the result file.
• Vis recorded no polluted content.
Performance Evaluation
• Virtualizing CPU and memory only, Vis incurs no I/O performance overhead.
• The high performance degradation on certain memory-intensive benchmarks is attributed to EPT overhead.

[Chart: normalized performance with Vis loaded but idle, native = 100%]
Benchmark      Normalized performance
SPECint 2006    90.14%
IOMeter         99.49%
Netperf        101.05%
Httpd           99.70%
Performance Evaluation: SPECint 2006 breakdown
[Chart: normalized performance per SPECint 2006 benchmark with Vis loaded but idle, native = 100%]
Benchmark    Normalized performance
perlbench     95.3%
bzip2         97.0%
gcc           85.8%
mcf           49.6%
gobmk         99.8%
hmmer         99.8%
sjeng         93.9%
libquantum    93.7%
h264ref       98.1%
omnetpp       84.7%
astar         91.6%
xalancbmk     92.5%
Discussions
• Trustworthy hypervisor
  – Hypervisor code can be attested before being loaded via the Trusted Platform Module (TPM) (Martignoni et al., RAID '10).
• No nested virtualization
  – The Turtles Project (Ben-Yehuda et al., OSDI '10)
  – Left for future work.
• A little invasion is acceptable
  – Locard's exchange principle (Chisum, Journal of Behavioral Profiling, January 2000).
Summary
• Vis achieved:
  – Virtualization for a native system (Late Virtualization)
  – Accurate acquisition (Virtual Snapshot)