While static examination of computer systems is an important part of many digital forensics investigations, there are often important system properties present only in volatile memory that cannot be effectively recovered using static analysis techniques, such as offline hard disk acquisition and analysis. An alternative approach, involving the live analysis of target systems to uncover this volatile data, presents significant risks and challenges to forensic investigators as observation techniques are generally intrusive and can affect the system being observed. This paper provides a discussion of live digital forensics analysis through virtual introspection and presents a suite of virtual introspection tools developed for Xen (VIX tools). The VIX tools suite can be used for unobtrusive digital forensic examination of volatile system data in virtual machines, and addresses a key research area identified in the virtualization in digital forensics research agenda [22].
The application of virtualization software and techniques in information technology research and education has provided a foundational environment for advancing the state of the art in many related areas. Commercial and open source virtualization products are being used by researchers and educators to create a wide variety of virtual environments. These virtual environments facilitate systems and product design and development, as well as the testing and modeling of production and preproduction systems. As the capabilities, functionality, and stability of these products have evolved, the use of virtualization has expanded, necessitating the identification of new research areas to investigate the impacts of virtualization on digital forensics. In February 2007, a group of digital forensics researchers, educators, and practitioners gathered at the National Center for Forensic Science at the University of Central Florida for the 2007 Workshop on Virtualization in Digital Forensics to discuss these issues and develop a research and education agenda for virtualization and digital forensics. This article outlines some of the ideas generated and the new research categories and areas identified at this meeting.
Researchers and practitioners in computer forensics currently must base their analysis on information that is either incomplete or produced by tools that may themselves have been compromised as a result of the intrusion. Complicating these issues are the techniques employed by the investigators themselves. If the system is quiescent when examined, most of the information in memory has been lost. If the system is active, the kernel and programs used by the forensic investigators are likely to influence the results and are therefore themselves suspect. Using virtual machines and a technique called virtual machine introspection can help overcome these limits, but it introduces its own research challenges. Recent developments in virtual machine introspection have led to the identification of four initial priority research areas: virtual machine introspection tool development, application of virtual machine introspection to non-quiescent virtual machines, virtual machine introspection covert operations, and virtual machine introspection detection.