• DocumentCode
    234999
  • Title
    A KVM Virtual Machine Memory Forensics Method Based on VMCS
  • Author
    Shuhui Zhang ; Lianhai Wang ; Xiaohui Han
  • Author_Institution
    Sch. of Comput. Sci. & Technol., Shandong Univ., Jinan, China
  • fYear
    2014
  • fDate
    15-16 Nov. 2014
  • Firstpage
    657
  • Lastpage
    661
  • Abstract
    As the use of virtual machine environments increases, virtual machine forensics is becoming more important and more urgent. Current forensics solutions for virtualized environments mainly focus on static data analysis, which cannot provide a complete picture of events. In this paper, a novel method for KVM (Kernel-based Virtual Machine) virtual machine memory forensics is proposed. By analyzing the memory image of a host machine, active virtual machines can be detected, and a complete picture of each virtual machine's state can also be obtained, including running processes, loaded modules, network connections, registry, system logs, user accounts, services, hook analysis information and so on. The proposed method has been shown to be effective on machines with current mainstream CPUs running Fedora versions 16-19, for both 32-bit and 64-bit.
  • Keywords
    data analysis; data structures; digital forensics; virtual machines; KVM virtual machine memory forensics method; VMCS; active virtual machines; data structure; host machine; kernel-based virtual machine; static data analysis; virtual machine control structure; Forensics; Linux; Operating systems; Program processors; Security; Virtual machining; Virtualization; KVM; forensics; memory analysis; virtual machine; volatile memory acquisition;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computational Intelligence and Security (CIS), 2014 Tenth International Conference on
  • Conference_Location
    Kunming
  • Print_ISBN
    978-1-4799-7433-7
  • Type
    conf
  • DOI
    10.1109/CIS.2014.72
  • Filename
    7016978