The Research Of Lightweight Memory Live-forensic Approaches Based On Hardware Virtualization

Posted on: 2016-05-03
Degree: Master
Type: Thesis
Country: China
Candidate: Y X Cheng
Full Text: PDF
GTID: 2308330461960768
Subject: Computer Science and Technology

Abstract/Summary:
With the popularization and rapid development of computing technology, private information and business secrets have been digitized. Cyber-attacks are spreading and have become stealthier than ever in order to evade public notice and legal sanctions. To maximize the chance of stealing valuable data and computing resources, hiding is a very promising technique, and many individuals and even some business groups are developing stealthy intrusion technologies to serve their sinister motives.

To stop this crime wave, memory forensic methods acquire evidence in two steps: memory acquisition followed by analysis. This so-called after-the-fact analysis is time consuming and powerless. New tools have been introduced to diagnose the system directly; however, most of them are kernel based and easy to detect and confuse. Virtualization technology provides a much more transparent and privileged analysis environment, but it lacks agility at the forensic scene.

We therefore propose a revolutionary memory forensic framework that builds a virtualization environment on the fly. The running operating system is migrated into a virtual machine without suspension, so that platform-based forensic methods can acquire evidence from the hypervisor level. This thesis proposes two technologies built on this platform, focusing on acquiring accurate data and on capturing system behavior, respectively. The underlying idea is to guarantee data accuracy through multiple viewpoints and to analyze memory behavior in a para-synchronous manner. The framework and the two technologies are implemented on hardware virtualization without any modification to the OS. The platform can be uninstalled so that the system remains usable after forensics. To defeat anti-forensic techniques, the framework stays transparent by applying memory isolation and encrypted interfaces. Our experiments demonstrate the validity of the forensic technologies and framework: they obtain correct and complete evidence with acceptable overhead and memory usage.
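The abstract says data accuracy is guaranteed through multiple viewpoints: evidence gathered from the hypervisor level is checked against what the guest itself reports, so that an object hidden from in-guest tools still shows up in the more privileged view. The following Python example, added here and not part of the thesis or its implementation, shows the general shape of such a cross-view consistency check over constructed sample data. The view names, privilege ranks, PIDs and process names are all assumptions made for illustration; a real acquisition would populate the views from the hypervisor-level memory walk and the guest's own process lists.

```python
"""Cross-view consistency check for live memory evidence (added example).

Assumed model (not taken from the thesis): each acquisition "viewpoint"
reports the set of processes it can see, keyed by PID. The most privileged
viewpoint (here a hypervisor-level walk of the guest's raw memory) is taken as
the reference. A PID the reference sees but a less privileged view omits is
flagged as a hiding candidate; a PID whose name differs between the views is
flagged as a mismatch worth investigating.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class ProcessEntry:
    pid: int
    name: str


@dataclass
class View:
    source: str                      # label of where the view was taken from
    privilege: int                   # higher = more trusted (hypervisor > kernel > user)
    processes: Dict[int, ProcessEntry] = field(default_factory=dict)


@dataclass(frozen=True)
class Discrepancy:
    kind: str                        # "hidden" or "mismatch"
    pid: int
    reference: str                   # view used as ground truth
    missing_from: str                # less privileged view that disagrees
    detail: str = ""


def cross_view_check(views: List[View]) -> List[Discrepancy]:
    """Compare every view against the most privileged one.

    Returns discrepancies sorted by (pid, disagreeing view) so the output is
    stable regardless of the order the views were supplied in.
    """
    if not views:
        return []
    ordered = sorted(views, key=lambda v: v.privilege, reverse=True)
    reference, others = ordered[0], ordered[1:]
    findings: List[Discrepancy] = []
    for view in others:
        for pid, ref_entry in reference.processes.items():
            seen = view.processes.get(pid)
            if seen is None:
                # Present in raw memory, absent from the guest's own list.
                findings.append(Discrepancy("hidden", pid, reference.source,
                                            view.source, ref_entry.name))
            elif seen.name != ref_entry.name:
                findings.append(Discrepancy("mismatch", pid, reference.source,
                                            view.source,
                                            f"{ref_entry.name!r} vs {seen.name!r}"))
    return sorted(findings, key=lambda d: (d.pid, d.missing_from))


def evidence_is_consistent(views: List[View]) -> bool:
    """True when every less privileged view agrees with the reference view."""
    return not cross_view_check(views)


def sample_views() -> List[View]:
    """Constructed sample data: three views of the same (fictional) guest."""
    hv = View("hypervisor:raw-memory-walk", 3, {
        4: ProcessEntry(4, "System"),
        512: ProcessEntry(512, "svchost.exe"),
        1337: ProcessEntry(1337, "dropper.exe"),     # only visible from outside
        2048: ProcessEntry(2048, "explorer.exe"),
    })
    kern = View("guest:kernel-list", 2, {             # PID 1337 unlinked
        4: ProcessEntry(4, "System"),
        512: ProcessEntry(512, "svchost.exe"),
        2048: ProcessEntry(2048, "explorer.exe"),
    })
    user = View("guest:user-api", 1, {                # 1337 missing, 512 renamed
        4: ProcessEntry(4, "System"),
        512: ProcessEntry(512, "services.exe"),
        2048: ProcessEntry(2048, "explorer.exe"),
    })
    return [user, kern, hv]                            # order does not matter


if __name__ == "__main__":
    for d in cross_view_check(sample_views()):
        print(f"{d.kind:8} pid={d.pid:<5} {d.reference} -> {d.missing_from}: {d.detail}")
```

The check is deliberately one-directional: the reference view is the one the attacker has the least control over, so objects present only in a lower-privilege view are not treated as evidence of hiding, while anything the reference sees and a guest view does not is reported. Running the block on the sample data reports PID 1337 as hidden from both guest views and PID 512 as a name mismatch in the user-level view.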
Keywords/Search Tags: Evidence, Live Migration, Memory Forensic Framework, Data Analysis, Behavior Analysis, Hardware Virtualization