A Taxonomy of Hypervisor Forensic Tools

  • Conference paper
Advances in Digital Forensics XVI (DigitalForensics 2020)

Part of the book series: IFIP Advances in Information and Communication Technology ((IFIPAICT,volume 589))

Abstract

Cloud computing models are deployed on a compute server whose hardware resources are virtualized so that multiple virtual machines can run on a single physical system. Several types of virtualization, such as bare-metal and hosted virtualization, are available, along with virtualization modes such as full, paravirtualized, hardware-assisted and paravirtualized-hardware-assisted virtualization. Virtual machines are isolated from each other when the physical server hardware is abstracted in the full virtualization mode. Physical resources such as hard disk drives and server memory are exposed in the virtualized environment as a virtual hard disk, vCPUs and guest operating system state.

Hypervisor operations generate copious amounts of data that are of value in forensic investigations of virtualized cloud environments. This chapter presents a taxonomy of hypervisor forensic tools that provides a searchable catalog with which forensic practitioners can identify the specific tools that fulfill their technical requirements. A case study involving a KVM hypervisor demonstrates the evidence that can be found for a virtual machine at the virtual machine manager and host system layers.

Correspondence to Emmanuel Pilli.

Copyright information

© 2020 IFIP International Federation for Information Processing

Cite this paper

Mishra, A.K., Govil, M., Pilli, E. (2020). A Taxonomy of Hypervisor Forensic Tools. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XVI. DigitalForensics 2020. IFIP Advances in Information and Communication Technology, vol 589. Springer, Cham. https://doi.org/10.1007/978-3-030-56223-6_10

  • DOI: https://doi.org/10.1007/978-3-030-56223-6_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-56222-9

  • Online ISBN: 978-3-030-56223-6

  • eBook Packages: Computer Science (R0)