Author_Institution :
Sch. of Comput. Sci. & Technol., Shandong Univ., Jinan, China
Abstract :
As the use of virtual machine environments increases, virtual machines forensics is becoming more and more important and emergent. Current forensics solutions to virtualized environments mainly focus on static data analysis, which cannot provide a complete picture of events. In this paper, a novel method used for KVM (Kernel-based Virtual Machine) virtual machine memory forensics has been proposed. By analyzing the memory image of a host machine, active virtual machines can be detected, and a complete picture of the virtual machine´s states can be also obtained, such as running processes, loaded modules, network connections, registry, system logs, user accounts, services, hook analysis info and so on. The proposed method has been proved to be more effective in machines with current mainstream CPUs and Fedora version 16-19 for both 32-bit and 64-bit.
Keywords :
data analysis; data structures; digital forensics; virtual machines; KVM virtual machine memory forensics method; VMCS; active virtual machines; data structure; host machine; kernel-based virtual machine; static data analysis; virtual machine control structure; Forensics; Linux; Operating systems; Program processors; Security; Virtual machining; Virtualization; KVM; forensics; memory analysis; virtual machine; volatile memory acquisition;
