A Virtualization Based Monitoring System for Mini-intrusive Live Forensics

Xianming Zhong, Chengcheng Xiang, Miao Yu, Zhengwei Qi, Haibing Guan
2013, International Journal of Parallel Programming
Digital evidence holds great significance for governing cybercrime. Unfortunately, previous acquisition tools suffered either from the drawback of having to suspend the target system's execution or from the weak security of the acquisition tools themselves, so the correctness and accuracy of the evidence they obtained could not be guaranteed. In this paper, we propose VAIL, a novel virtualization based monitoring system for mini-intrusive live forensics, which employs hardware-assisted virtualization techniques to gather integrated information from the native computer system. Meanwhile, the execution of the target system is not interrupted, and VAIL remains immune to attacks from the target system. We have implemented a proof-of-concept prototype that has been validated with a Windows guest system. The experimental results show that VAIL can obtain comprehensive digital evidence from the target system as designed, including the CPU state, the physical memory content, and the I/O activities. On average, VAIL introduces only 4.21% performance overhead to the target system, which shows that VAIL is practical in real commercial environments.
doi:10.1007/s10766-013-0285-2 fatcat:43fmjflmybdxbiiuao7vhccjdq