Title :
Memory dump and forensic analysis based on virtual machine
Author :
Liu Guangqi ; Wang Lianhai ; Zhang Shuhui ; Xu Shujiang ; Zhang Lei
Author_Institution :
Shandong Comput. Sci. Center, Shandong Provincial Key Lab. of Comput. Network, Jinan, China
Abstract :
A memory dump and forensic analysis algorithm based on virtual machines is proposed in this paper. It consists of a virtual machine process search module, a virtual machine memory dump module and a virtual machine memory forensic analysis module. First, the virtual machine process search module traverses all running processes in the system and identifies the virtual machine processes by their owner user. Then the virtual machine memory dump module dumps the memory of the virtual machine process and the memory files it occupies. Finally, the memory forensic analysis module analyzes the acquired memory files to obtain evidence about the virtual machine, such as process information, network information and user information. The method does not rewrite the memory of the virtual machine or of the host system, which preserves the integrity and efficiency of virtual machine memory acquisition and forensic analysis; at the same time, the dumped memory files can be analyzed repeatedly, which guarantees the credibility of the forensic results.
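As an added example (not the paper's code), the first two modules of the abstract on a Linux host: the process search module traverses /proc and selects processes by owner uid, and the dump module copies every readable mapping out through /proc/<pid>/mem without stopping or writing to the target. The maps excerpt and the optional hypervisor command-name filter are constructed assumptions.

```python
import os
from pathlib import Path
# Constructed /proc/<pid>/maps excerpt for a hypothetical QEMU process (not from the paper).
SAMPLE_MAPS = """\
55d1c0400000-55d1c0401000 r--p 00000000 fd:01 1234 /usr/bin/qemu-system-x86_64
7f2a00000000-7f2a40000000 rw-p 00000000 00:00 0
7ffd1f3e0000-7ffd1f3e2000 r--p 00000000 00:00 0 [vvar]
7ffd1f3e2000-7ffd1f3e4000 ---p 00000000 00:00 0
"""

def parse_maps(maps_text):
    """Readable mappings as (start, end, perms, path); [vvar] is skipped since /proc/<pid>/mem cannot read it."""
    regions = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        path = parts[5].strip() if len(parts) == 6 else ""
        if len(parts) < 5 or not parts[1].startswith("r") or path == "[vvar]":
            continue
        start, end = (int(x, 16) for x in parts[0].split("-"))
        regions.append((start, end, parts[1], path))
    return regions

def list_processes():
    """Process search, step 1: traverse /proc for (pid, owner uid, comm) of every running process."""
    procs = []
    for p in filter(lambda d: d.name.isdigit(), Path("/proc").iterdir()):
        try:
            procs.append((int(p.name), p.stat().st_uid, (p / "comm").read_text().strip()))
        except OSError:
            continue  # the process exited between listing and reading; skip it
    return procs

def select_vm_processes(procs, owner_uid, names=()):
    """Process search, step 2: keep processes owned by the VM user; `names` (assumed hypervisor command names) optionally narrows the match."""
    return [p for p in procs if p[1] == owner_uid and (not names or p[2].startswith(names))]

def dump_process(pid, out_dir):
    """Memory dump: copy each readable region through /proc/<pid>/mem into one file; needs ptrace access to the target (e.g. root), never stops or writes to it."""
    regions = parse_maps(Path(f"/proc/{pid}/maps").read_text())
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    total = 0
    with open(f"/proc/{pid}/mem", "rb") as mem:
        for start, end, _perms, _path in regions:
            try:
                data = os.pread(mem.fileno(), end - start, start)
            except OSError:
                continue  # mapping vanished or is not readable this way; skip it
            Path(out_dir, f"{start:016x}-{end:016x}.bin").write_bytes(data)
            total += len(data)
    return total
```

The per-region files written by dump_process are the input for the analysis module the abstract describes, which this example does not implement.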
Keywords :
digital forensics; virtual machines; network information; process information; traversal searching; user information; virtual machine memory dump module; virtual machine memory forensics analysis modules; virtual machine process search module; Algorithm design and analysis; Computers; Forensics; Linux; Memory management; Real-time systems; Virtual machining; Forensic Analysis; Memory Dump; Process information; Virtual Machine;
Conference_Titel :
Mechatronics and Automation (ICMA), 2014 IEEE International Conference on
Conference_Location :
Tianjin
Print_ISBN :
978-1-4799-3978-7
DOI :
10.1109/ICMA.2014.6885969