Yingxin Cheng,Xiao Fu,Xiaojiang Du,Bin Luo,Mohsen Guizani

DOI: https://doi.org/10.1016/j.ins.2016.07.019

IF: 8.1

2016-01-01

Information Sciences

Abstract:The results of memory forensics can not only be used as evidence in court but are also beneficial for analyzing vulnerability and improving security. Thus, memory forensics has been widely used in many fields, including cloud security. Traditional memory forensics, usually an after-the-fact method, is time-consuming and often loses important transient information. Thus, live methods, which investigate memory directly, are presented. However, most of them are kernel based and easy to detect or confuse. Although virtualization technology can overcome these shortages, it must be preinstalled and has high cost. To solve these problems, we propose a lightweight live memory forensic framework based on hardware virtualization. It can build a virtualization environment on-the-fly. The operating system will be migrated to the virtual machine without termination or modifications. Then, the forensic methods can acquire and analyze evidence at the hypervisor level. Two novel forensic methods are proposed to verify the effectiveness of the framework. They focus on acquiring accurate data and system behavior, respectively. The main ideas are guaranteeing data accuracy in multi-view extraction and analyzing memory behavior in a para-synchronous style. Experiments have proved that these methods are able to obtain reliable and integrated evidence at an acceptable cost.

Xiaolu Zhang,Liang Hu,Shinan Song,Zhenzhen Xie,Xiangyu Meng,Kuo Zhao

DOI: https://doi.org/10.4304/jnw.9.3.645-652

2014-01-01

Abstract:In this paper, we present an integrated memory forensic solution for multiple Windows memory images. By calculation, the method can find out the correlation degree among the processes of volatile memory images and the hidden clues behind the events of computers, which is usually difficult to be obtained and easily ignored by analyzing one single memory image and forensic investigators. In order to test the validity, we performed an experiment based on two hosts' memory image which contains criminal incidents. According to the experimental result, we find that the event chains reconstructed by our method are similar to the actual actions in the criminal scene. Investigators can review the digital crime scenario which is contained in the data set by analyzing the experimental results. This paper is aimed at finding the valid actions with illegal attempt and making the memory analysis not to be utterly dependent on the operating system and relevant experts.

Zheng Song,Bo Jin,Yongqing Sun

DOI: https://doi.org/10.1007/978-3-642-18134-4_15

2011-01-01

Abstract:With the popularity of virtual machines, forensic investigators are challenged with more complicated situations, among which discovering the evidences in virtualized environment is of significant importance. This paper mainly analyzes the file suffixed with .vmem in VMware Workstation, which stores all pseudo-physical memory into an image. The internal file structure of .vmem file is studied and disclosed. Key information about processes and threads of a suspended virtual machine is revealed. Further investigation into the Windows XP SP3 heap contents is conducted and a proof-of-concept tool is provided. Different methods to obtain forensic memory images are introduced, with both advantages and limits analyzed. We conclude with an outlook.

guofeng wang,chuanyi liu,jie lin

DOI: https://doi.org/10.1007/978-3-662-43908-1_4

2014-01-01

Abstract:Modern malware attacks are designed intricately, transport data encrypted, so monitoring network traffic can't solve such attacks completely. Therefore, network monitoring and analysis need to be combined with system behavior monitoring and memory analysis, and the latter is more important. In this article we propose a hardware-based virtualization prototype system, combined with memory analysis tools to monitor and counterwork malicious attacks actively. The system is based on Xen virtualization platform, which monitoring virtual machine behavior by capturing specific events. The events are triggered by some specific behaviors associated with malicious software monitoring, such as executing privileged instruction, system calls, memory writing, etc. When necessary, we can dump the memory of the virtual machine, use memory analysis tools for detailed analysis, so as to achieve the purpose of monitoring and counterworking.

Xianming Zhong,Chengcheng Xiang,Miao Yu,Zhengwei Qi,Haibing Guan

DOI: https://doi.org/10.1007/s10766-013-0285-2

2015-01-01

International Journal of Parallel Programming

Abstract:Digital evidences hold great significance for governing cybercrime. Unfortunately, previous acquisition tools were troubled by either the shortage of suspending the target system's running or the security of the acquisition tools themselves, thus the correctness and accuracy of their obtained evidences cannot be guaranteed. In this paper, we propose VAIL, a novel virtualization based monitoring system for mini-intrusive live forensics, which employs hardware assisted virtualization technique to gather integrated information from the native computer system. Meanwhile, the execution of the target system will not be interrupted and VAIL keeps immune to attacks from the target system. We have implemented a proof-of-concept prototype that has been validated with a Windows guest system. The experimental results show that VAIL can obtain comprehensive digital evidences from the target system as designed, including the CPU state, the physical memory content, and the I/O activities. And on average, VAIL only introduces 4.21 % performance overhead to the target system, which proves that VAIL is practical in real commercial environments.

Ying Wang,Chunming Hu,Bo Li

DOI: https://doi.org/10.1109/hase.2011.41

2011-01-01

Abstract:Recently, "rootkit" becomes a popular hacker malware on the Internet, which controls the hosts on the Internet by hiding itself, and raises a serious security threat. Existing host-based and hardware-based solutions have some disadvantages, such as hardware overhead and being discovered by root kits, where the development of virtualization technology provides a better solution to avoid those. Virtual machine monitor has the highest authority on the virtual machine, and has the right to control the activities in the virtual machine without being found by root kits in the virtual machines. We propose VM Detector based on this hardware virtualization technology, using multi-view detection mechanism, to detect hidden processes inside the virtual machine on many aspects, then to improve the virtual machine's security. Through several experiments, VM Detector carried on the process detection effectively, and introduced less than 10% performance overhead.

Liang Hu,Shinan Song,Xiaolu Zhang,Zhenzhen Xie,Xiangyu Meng,Kuo Zhao

DOI: https://doi.org/10.4304/jnw.8.11.2512-2519

2013-01-01

Abstract:To explain the necessity of comprehensive and automatically analysis process for volatile memory, this paper summarized ordinarily analyzing methods and their common points especially for concerned data source. Then, a memory analysis framework Volatiltiy-2.2 and statistical output file size are recommended. In addition, to address the limitation of plug-ins classification in analyzing procedure, a user perspective classify is necessary and proposed. Furthermore, according to target data source differences on the base of result data set volume and employed relational method is introduced for comprehensive analysis guideline procedure. Finally, a test demo including DLLs loading order list analyzing is recommend, in which DLL load list is regard as different kind of characteristics typical data source with process and convert into process behavior fingerprint. The clustering for the fingerprint is employed string similar degree algorithm model in the demo, which has a wide range applications in traditional malware behavior analysis, and it is proposed that these methods also can be applied for volatile memory

Yingxin Cheng,Xiao Fu,Bin Luo,Rui Yang,Hao Ruan

DOI: https://doi.org/10.1007/978-3-319-13257-0_15

2014-01-01

Abstract:In intrusion forensics, it is difficult to find the evidences about who placed the hooks and how these hooks were placed simply by analyzing the memory dump. That’s because such behavior is transient and the snapshot of memory usually doesn’t contain enough information about it. Lack of this information will cause an uncompleted chain of evidence. Although dynamic analysis can trace this behavior by instruction-level analysis, this technique is slow and inconvenient in real forensic cases. And many investigated systems do not run in the virtualization environment that dynamic analysis needed.

Miao Yu,Zhengwei Qi,Qian Lin,Xianming Zhong,Bingyu Li,Haibing Guan

DOI: https://doi.org/10.1016/j.diin.2012.04.002

2012-01-01

Digital Investigation

Abstract:Current live acquisition systems can obtain memory content of a running system, but they either fail to provide accurate native system physical memory acquisition at the given time point or require suspending the machine and altering the execution environment drastically. To address this issue, we propose Vis, a lightweight virtualization approach to provide accurate retrieval of physical memory content without disturbing the execution of the target native system. Our experimental results indicate that Vis is capable of reliably retrieving an accurate system image. Moreover, Vis accomplishes live acquisition in around 100 s, where previous remote live acquisition tools take hours and static acquisition takes days. On average, the performance reduction for the target system is 9.62%. (C) 2012 Elsevier Ltd. All rights reserved.

Xiaolu Zhang,Liang Hu,Shinan Song,Zhenzhen Xie,Xiangyu Meng,Kuo Zhao

DOI: https://doi.org/10.4304/jnw.8.9.1943-1949

2013-01-01

Journal of Networks

Abstract:For the rapidly development of network and distributed computing environment, it make researchers harder to do analysis examines only from one or few pieces of data source in persistent data-oriented approaches, so as the volatile memory analysis either. Therefore, mass data automatically analysis and action modeling needs to be considered for reporting entire network attack process. To model multiple volatile data sources situation can help understand and describe both thinking process of investigator and possible action step for attacker. This paper presents a Game model for multisource volatile data and applies it to main memory images analysis with the definition of space-time feature for volatile element information. Abstract modeling allows the lessons gleaned in performing intelligent analysis, evidence filing and automating presentation. Finally, a test demo based on the model is also present to illustrate the whole procedure

Zhengwei Qi,Chengcheng Xiang,Ruhui Ma,Jian Li,Haibing Guan,David S. L. Wei

DOI: https://doi.org/10.1109/tcc.2016.2535295

IF: 5.697

2017-01-01

IEEE Transactions on Cloud Computing

Abstract:Live forensics is an important technique in cloud security but is facing the challenge of reliability. Most of the live forensic tools in cloud computing run either in the target Operating System (OS), or as an extra hypervisor. The tools in the target OS are not reliable, since they might be deceived by the compromised OS. Furthermore, traditional general purpose hypervisors are vulnerable due to their huge code size. However, some modules of a general purpose hypervisor, such as device drivers, are indeed unnecessary for forensics. In this paper, we propose a special purpose hypervisor, called ForenVisor, which is dedicated to reliable live forensics. The reliability is improved in three ways: reducing Trusted Computing Base (TCB) size by leveraging a lightweight architecture, collecting evidence directly from the hardware, and protecting the evidence and other sensitive files with Filesafe module. We have implemented a proof-of-concept prototype on the Windows platform, which can acquire the process data, raw memory, and I/O data, such as keystrokes and network traffic. Furthermore, we evaluate ForenVisor in terms of code size, functionality, and performance. The experiment results show that ForenVisor has a relatively small TCB size of about 13 KLOC, and only causes less than 10 percent performance reduction to the target system. In particular, our experiments verify that ForenVisor can guarantee that the protected files remain untampered, even when the guest OS is compromised by viruses, such as ‘ILOVEYOU’ and Worm.WhBoy. Also, our system can be loaded as a hypervisor without needing to pause the target OS. This allows it to not only avoid destructing but also to gather the live evidence of the target OS. We also posted the source code of ForenVisor on Github.

Lin Chen,Bo Liu,Jing Zhang,Huaping Hu

DOI: https://doi.org/10.1109/iccsnt.2011.6182127

2011-01-01

Abstract:Recently, VMM-based anti-malware systems have become a hot research topic in finding ways of overcoming the fundamental limitations of traditional host-based anti-malware systems, which are likely to be deceived and attacked by malicious codes. Guest system semantic views (e.g., files, processes) must be reconstructed to overcome the semantic gap challenge. As a result of frequent switching between processes, process reconstruction based on CR3 register causes many VM EXIT events and some performance losses. In the current study, an advanced method to reconstruct processes is presented. Utilizing the features of hardware virtualization technology, this method reduces VM EXIT events caused by process switching; thus, the efficiency of process reconstruction is improved. Experiments show that the method can reduce nearly 85% of VM EXIT events caused by process switching.

Yuhang Gao,Tianjie Cao

2010-01-01

Abstract:Physical memory is a useful information source in a forensic examination, but the research on memory forensics is still in the early stage. Once the processes are located, computer forensic personnel can acquire the opened files, the network connections via further processing. This paper proposed methods of searching for process descriptors in Linux dump file. Our experiments shows that our methods are able to locate hidden, terminated and even processes before rebooted under some circumstances. An analysis of performance between different methods is made and results show the brute force method find the most while method based on slub allocator is highly efficient. Besides, our experiments shows a process survives from minutes to hours after it is terminated in Linux 2.6.23 and slub allocation obviously has an impact on memory forensics. These methods proposed to searching for processes not only can apply to Linux memory forensics in locating hidden, exiting processes, but also can be of interest to the malware analyzing. Keywords-memory dump file; Linux memory analysis; digital evidences; file extraction

Feng Wang,Liang Hu,Jiejun Hu,Kuo Zhao

DOI: https://doi.org/10.1007/s11042-015-2798-8

2015-01-01

Abstract:Digital forensic data from volatile system memory possesses the following distinctive features: volatility, transience, phased stability, complexity, relevance of collected data, and phased behavior predictability. We present a computer forensic analysis model (CERM) for the reconstruction of a chain of evidence of volatile memory data. CERM frees analysts from being confined to the traditional analysis approach of digital forensic data that requires single evidence-oriented analysis. In CERM, they can focus on higher abstract levels involving the relationships of independent pieces of evidence and analyze patterns to construct a chain of evidence from the perspective of Evidence Law. In addition to CERM, we have designed a correlation analysis algorithm based on time series. Experimental tests have been conducted to verify the established model and designed algorithm. The experimental result shows that CERM is feasible and efficient, thus providing a new analysis perspective for digital forensic data from volatile system memory.

Guang-lu YAN,Sen-lin LUO,Wang-tong LIU,Li-min PAN

DOI: https://doi.org/10.15918/j.tbit1001-0645.2018.03.014

2018-01-01

Abstract:Executing malicious code via hidden process is a major way to carry out information attack.At present,hidden process detection methods based on In-VM model of virtualization platform can be attacked by circumventing and tampering with the relative data.To solve this problem,a highly reliable In-VM hidden process detection method was proposed.Firstly,an In-VM model and the memory protection mechanism of virtualization were developed to protect its detection code and relative kernel data from being maliciously changed.Secondly,by hijacking the system transfer function exactly and detecting the hidden process with a cross-view method, the detection algorithm was ensured from being circumvented.Finally,several typical Rootkits were built and chosen in experiments.The results show that,the proposed method can detect all kinds of hidden processes.Its detection code and relative kernel data cannot be tampered with and its detection algorithm and memory protection mechanism cannot be circumvented.And the developed memory protection mechanism has better performance in the system,showing a higher reliability and stronger pragmatic value.

YANG Feng,JIANG Hui,ZHUGE Jian-wei,DUAN Hai-xin

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.08.040

2012-01-01

Abstract:Due to the advantages of resources utilization,management and isolation,Virtualization Technology has been widely used in the areas of virtual server,malware analysis and cloud computing platform.The malicious code writers and security researchers start a new game in Virtualization Technology,and how to detect the presence of virtual environments becomes a hot research topic.This paper,introduces the significance of Virtual Machine Environment(VME) Detection Methods,uses examples to describe the principles and methods of local and remote VME detection,makes a summary of VME Detection Methods,indicates the direction of Virtualization transparency,analyses and discusses the future trend.

Xiao Fu,Xiaojiang Du,Bin Luo,Jin Shi,Zhitao Guan,Yuhua Wang

DOI: https://doi.org/10.1109/infcomw.2015.7179370

2015-01-01

Abstract:Nowadays in order to process and store many kinds of multimedia data, the storage capability of memory has grown greatly. Moreover the widespread use of mobile devices and cloud computing has made criminal investigators often face a lot of memory dumps. They have to deal with a large quantity of memory data and complex OS data structures which they have little knowledge of. How to analyze memory evidence automatically in order to find hidden criminal behavior and reconstruct the criminal scenario in an understandable way has become an important problem. Current memory analysis methods usually aim at recovering certain data structures. The illegal behavior identification and the event reconstruction are still completed manually by investigators. This paper presents a novel method to correlate processes for automatic memory evidence analysis. Through analyzing key OS data structures and utilizing a clustering algorithm, it can discover the relationships among processes. And by describing these relationships as correlation graphs, our method can display evidence in a high semantic level. Some experiments have proved that these correlation graphs can help investigators find hidden criminal behavior and reconstruct the criminal scenarios.

Chen Lin,Liu Bo,Hu Huaping,Xiao Fengtao,Zhang Jing

2011-01-01

China Communications

Abstract:Security tools are rapidly developed as network security threat is becoming more and more serious. To overcome the fundamental limitation of traditional host-based anti-malware system which is likely to be deceived and attacked by malicious codes, VMM-based anti-malware systems have recently become a hot research field. In this article, the existing malware hiding technique is analyzed, and a detecting model for hidden process based on "In-VM" idea is also proposed. Based on this detecting model, a hidden process detection technology which is based on HOOK Swap Context on the VMM platform is also implemented successfully. This technology can guarantee the detecting method not to be attacked by malwares and also resist all the current process hiding technologies. In order to detect the malwares which use remote injection method to hide themselves, a method by hijacking sysenter instruction is also proposed. Experiments show that the proposed methods guarantee the isolation of virtual machines, can detect all malware samples, and just bring little performance loss.

Dongyang Zhan,Lin Ye,Binxing Fang,Hongli Zhang,Xiaojiang Du

DOI: https://doi.org/10.1007/s00500-017-2745-x

2017-01-01

Abstract:Kernel control-flow integrity (CFI) of virtual machines is very important to cloud security. VMI-based dynamic tracing and analyzing methods are promising options for checking kernel CFI in cloud. However, the CFI monitors based on tracing always work at instruction or branch level and result in serious virtual machine performance degradation. To meet the performance requirements in the cloud, we present a page-level dynamic VMI-based kernel CFI checking solution. We trace VM kernel execution at page level, which means that the in-page instruction execution cannot trigger our monitor. As a result, the tracing overhead can be greatly reduced. Based on page-level execution information, we propose two policies to describe the kernel control-flow so as to build the secure kernel control-flow database in the learning stage. In the monitoring stage, we compare runtime execution information with the secure database to check kernel CFI. To further reduce the monitoring overhead, we propose two performance optimization strategies. We implement the prototype on Xen and leverage hardware events to trace VM memory page execution. Then, we evaluate the effectiveness and performance of the prototype. The experimental results prove that our system has enough detection capability and the overhead is acceptable.

Xiao Wang,Jian Biao Zhang,Ai Zhang,Jin Chang Ren

DOI: https://doi.org/10.3934/mbe.2019132

2019-03-26

Abstract:The promotion of cloud computing makes the virtual machine (VM) increasingly a target of malware attacks in cybersecurity such as those by kernel rootkits. Memory forensic, which observes the malicious tracks from the memory aspect, is a useful way for malware detection. In this paper, we propose a novel TKRD method to automatically detect kernel rootkits in VMs from private cloud, by combining VM memory forensic analysis with bio-inspired machine learning technology. Malicious features are extracted from the memory dumps of the VM through memory forensic analysis method. Based on these features, various machine learning classifiers are trained including Decision tree, Rule based classifiers, Bayesian and Support vector machines (SVM). The experiment results show that the Random Forest classifier has the best performance which can effectively detect unknown kernel rootkits with an Accuracy of 0.986 and an AUC value (the area under the receiver operating characteristic curve) of 0.998.