Live and Trustworthy Forensic Analysis of Commodity Production Systems

  • Lorenzo Martignoni
  • Aristide Fattori
  • Roberto Paleari
  • Lorenzo Cavallaro
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6307)


We present HyperSleuth, a framework that leverages the virtualization extensions provided by commodity hardware to securely perform live forensic analysis of potentially compromised production systems. HyperSleuth provides a trusted execution environment that guarantees four fundamental properties. First, an attacker controlling the system cannot interfere with the analysis and cannot tamper the results. Second, the framework can be installed as the system runs, without a reboot and without loosing any volatile data. Third, the analysis performed is completely transparent to the OS and to an attacker. Finally, the analysis can be periodically and safely interrupted to resume normal execution of the system. On top of HyperSleuth we implemented three forensic analysis applications: a lazy physical memory dumper, a lie detector, and a system call tracer. The experimental evaluation we conducted demonstrated that even time consuming analysis, such as the dump of the content of the physical memory, can be securely performed without interrupting the services offered by the system.


Forensic Analysis Physical Memory Virtual Machine Monitor Page Table Guest Operating System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Hoglund, G., Butler, J.: Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional, Reading (2005)Google Scholar
  2. 2.
    Sparks, S., Butler, J.: Shadow Walker. Raising The Bar For Windows Rootkit Detection. Phrack Magazine 11(63) (2005)Google Scholar
  3. 3.
    AMD, Inc.: AMD Virtualization,
  4. 4.
    Intel Corporation: Intel Virtualization Technology,
  5. 5.
    Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: Malware Analysis via Hardware Virtualization Extensions. In: Proceedings of the 15th ACM Conference on Computer and Communications Security (2008)Google Scholar
  6. 6.
    Garfinkel, T., Rosenblum, M.: A Virtual Machine Introspection Based Architecture for Intrusion Detection. In: Proceedings of the Network and Distributed Systems Security Symposium. The Internet Society, San Diego (2003)Google Scholar
  7. 7.
    Payne, B.D., Carbone, M., Sharif, M., Lee, W.: Lares: An Architecture for Secure Active Monitoring Using Virtualization. In: Proceedings of the IEEE Symposium on Security and Privacy (2008)Google Scholar
  8. 8.
    Riley, R., Jiang, X., Xu, D.: Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing. In: Proceedings of the 11th International Symposium on Recent Advances in Intrusion Detection (2008)Google Scholar
  9. 9.
    Seshadri, A., Luk, M., Qu, N., Perrig, A.: SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes. In: Proccedings of the ACM Symposium on Operating Systems Principles. ACM, New York (2007)Google Scholar
  10. 10.
    Rutkowska, J.: Subverting Vista Kernel For Fun And Profit. Black Hat USA (2006)Google Scholar
  11. 11.
    McCune, J.M., Parno, B., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: An execution infrastructure for tcb minimization. In: Proceedings of the ACM European Conference in Computer Systems (2008)Google Scholar
  12. 12.
    Seshadri, A., Luk, M., Shi, E., Perrig, A., van Doorn, L., Khosla, P.: Pioneer: Verifying integrity and guaranteeing execution of code on legacy platforms. In: Proceedings of ACM Symposium on Operating Systems Principles (2005)Google Scholar
  13. 13.
    Seshadri, A., Perrig, A., van Doorn, L., Khosla, P.: Swatt: Software-based attestation for embedded devices. In: Proceedings of the IEEE Symposium on Security and Privacy (2004)Google Scholar
  14. 14.
    Martignoni, L., Paleari, R., Bruschi, D.: Conqueror: tamper-proof code execution on legacy systems. In: Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment. LNCS. Springer, Heidelberg (2010)Google Scholar
  15. 15.
    Grawrock, D.: Dynamics of a Trusted Platform: A Building Block Approach. Intel Press, Hillsboro (2009)Google Scholar
  16. 16.
    Carbone, M., Zamboni, D., Lee, W.: Taming virtualization. IEEE Security and Privacy 6(1) (2008)Google Scholar
  17. 17.
    Smith, J.E., Nair, R.: Virtual Machines: Versatile Platforms for Systems and Processes. Morgan Kaufmann, San Francisco (2005)zbMATHGoogle Scholar
  18. 18.
    Volatile Systems LLC: Volatility,
  19. 19.
    Forrest, S., Hofmeyr, S.R., Somayaji, A., Longstaff, T.A.: A Sense of Self for Unix Processes. In: Proceedings of the IEEE Symposium on Security and Privacy (1996)Google Scholar
  20. 20.
    Butler, J., Silberman, P.: RAIDE: Rookit analysis identification elimination. In: Black Hat USA (2006)Google Scholar
  21. 21.
    Franklin, J., Seshadri, A., Qu, N., Datta, A., Chaki, S.: Attacking, Repairing, and Verifying SecVisor: A Retrospective on the Security of a Hypervisor. Technical Report, Carnegie Mellon University (2008)Google Scholar
  22. 22.
    Jiang, X., Wang, X.: “out-of-the-box” monitoring of VM-based high-interaction honeypots. In: Proceedings of the International Symposium on Recent Advances in Intrusion Detection (2007)Google Scholar
  23. 23.
    Sharif, M., Lee, W., Cui, W., Lanzi, A.: Secure In-VM Monitoring Using Hardware Virtualization. In: Proceedings of the ACM Conference on Computer and Communications Security (2009)Google Scholar
  24. 24.
    Chen, X., Garfinkel, T., Lewis, E.C., Subrahmanyam, P., Waldspurger, C.A., Boneh, D., Dwoskin, J., Ports, D.R.K.: Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems. Operating Systems Review 42(2) (2008)Google Scholar
  25. 25.
    Perrig, A., Gligor, V., Vasudevan, A.: XTREC: secure real-time execution trace recording and analysis on commodity platforms. Technical Report, Carnegie Mellon University (2010)Google Scholar
  26. 26.
    Sahita, R., Warrier, U., Dewan, P.: Dynamic software application protection. Technical Report, Intel Corporation (2009)Google Scholar
  27. 27.
    Fattori, A., Paleari, R., Martignoni, L., Monga, M.: HyperDbg: a fully transparent kernel-level debugger,
  28. 28.
    King, S.T., Chen, P.M., Wang, Y.M., Verbowski, C., Wang, H.J., Lorch, J.R.: SubVirt: Implementing malware with virtual machines. In: Proceedings of IEEE Symposium on Security and Privacy (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Lorenzo Martignoni
    • 1
  • Aristide Fattori
    • 2
  • Roberto Paleari
    • 2
  • Lorenzo Cavallaro
    • 3
  1. 1.Università degli Studi di UdineItaly
  2. 2.Università degli Studi di MilanoItaly
  3. 3.Vrije Universiteit AmsterdamThe Netherlands

Personalised recommendations