Engineering school and research center in digital sciences

Hypervisor memory forensics

Graziano, Mariano; Lanzi, Andrea; Balzarotti, Davide

RAID 2013, 16th International Symposium on Research in Attacks, Intrusions, and Defenses, 23-25 October 2013, Saint Lucia, USA / Also published in LNCS, Volume 8145/2013

Annual Volatility Framework Plugin Contest Award

Memory forensics is the branch of computer forensics that aims at extracting artifacts from memory snapshots taken from a running system. Even though it is a relatively recent field, it is rapidly growing and it is attracting considerable attention from both industrial and academic researchers. In this paper, we present a set of techniques to extend the field of memory forensics toward the analysis of hypervisors and virtual machines. With the increasing adoption of virtualization techniques (both as part of the cloud and in normal desktop environments), we believe that memory forensics will soon play a very important role in many investigations that involve virtual environments. Our approach, implemented in an open source tool as an extension of the Volatility framework, is designed to detect both the existence and the characteristics of any hypervisor that uses the Intel VT-x technology. It also supports the analysis of nested virtualization and it is able to infer the hierarchy of multiple hypervisors and virtual machines. Finally, by exploiting the techniques presented in this paper, our tool can reconstruct the address space of a virtual machine in order to transparently support any existing Volatility plugin - allowing analysts to reuse their code for the analysis of virtual environments.


Title: Hypervisor memory forensics
Keywords: Forensics, Memory Analysis, Intel Virtualization
Type: Conference
Language: English
City: Saint Lucia
Country: UNITED STATES
Date:
Department: Digital Security
Eurecom ref: 4083
Copyright: © Springer. Personal use of this material is permitted. The definitive version of this paper was published in RAID 2013, 16th International Symposium on Research in Attacks, Intrusions, and Defenses, 23-25 October 2013, Saint Lucia, USA / Also published in LNCS, Volume 8145/2013 and is available at: http://dx.doi.org/10.1007/978-3-642-41284-4_2
Bibtex: @inproceedings{EURECOM+4083, doi = {http://dx.doi.org/10.1007/978-3-642-41284-4_2}, year = {2013}, title = {{H}ypervisor memory forensics}, author = {{G}raziano, {M}ariano and {L}anzi, {A}ndrea and {B}alzarotti, {D}avide }, booktitle = {{RAID} 2013, 16th {I}nternational {S}ymposium on {R}esearch in {A}ttacks, {I}ntrusions, and {D}efenses, 23-25 {O}ctober 2013, {S}aint {L}ucia, {USA} / {A}lso published in {LNCS}, {V}olume 8145/2013}, address = {{S}aint {L}ucia, {\'{E}}{TATS}-{UNIS}}, month = {10}, url = {http://www.eurecom.fr/publication/4083} }