DocumentCode
3370534
Title
Incident-Driven Memory Snapshot for Full-Virtualized OS Using Interruptive Debugging Techniques
Author
Ando, Ruo ; Kadobayashi, Youki ; Shinoda, Youichi
Author_Institution
Nat. Inst. of Inf. & Commun. Technol., Tokyo
fYear
2008
fDate
24-26 April 2008
Firstpage
26
Lastpage
31
Abstract
Memory forensics is a growing concern. For effective evidence retrieval, it is important to take snapshots in a timely manner. With proper modification of the guest OS, a VMM is a powerful tool for timely snapshots. In this paper, we propose an incident-driven memory snapshot for a full-virtualized OS using interruptive debugging techniques. We modify the debug register handler to invoke the snapshot facility of the VMM. A software interrupt or signal is generated in the register handler, so a snapshot can be taken asynchronously whenever a debug register is changed. On the guest OS, we apply three kinds of interruptive debugging techniques: driver-supplied callback functions and DLL injection. The IDT (interrupt descriptor table) is modified by a driver-supplied callback function, which makes it possible to cope with vulnerability exploitation. DLL injection is applied to insert a security check function into a resource access function. The proposed system is implemented on the XEN virtual machine monitor and KVM (Kernel Virtual Machine).
Keywords
operating system kernels; program debugging; virtual machines; XEN virtual machine monitor; driver supplied callback function; evidence retrieval; full-virtualized operating system; incident-driven memory snapshot; interruption descriptor table; interruptive debugging technique; kernel virtual machine; memory forensic; register handler; Communications technology; Debugging; Forensics; Information security; Kernel; Registers; Signal generators; Virtual machine monitors; Virtual machining; Virtual manufacturing; DLL injection; IDT modification; Incident-driven snapshot; debug register handling; full virtualization;
fLanguage
English
Publisher
ieee
Conference_Titel
Information Security and Assurance, 2008. ISA 2008. International Conference on
Conference_Location
Busan
Print_ISBN
978-0-7695-3126-7
Type
conf
DOI
10.1109/ISA.2008.27
Filename
4511528
Link To Document