With an increasingly severe cyber security situation, digital forensics technology, and memory forensics in particular, is growing rapidly. However, traditional host-based memory forensics methods are easily noticed and bypassed by malware, and the evidence they acquire suffers from poor comprehensiveness and authenticity. This thesis therefore researches memory forensics technology based on the VMM (Virtual Machine Monitor), which has important theoretical significance and practical value. On the basis of analysing the security threats faced by memory data and the theories used by current memory attack forensics techniques, this thesis builds a memory forensics model using hardware virtualization technology that is more secure, more isolated, and more transparent. Guided by this model, it then studies two forensics methods, one for hidden memory attacks and one for transient memory attacks. The main work and contributions of this thesis are as follows.

(1) To address the weak comprehensiveness, poor consistency, and inferior authenticity of evidence extracted with existing memory forensics models, a live memory forensics model based on the VMM is proposed. This model places the whole forensics process inside the VMM, ensuring the authenticity and effectiveness of the evidence throughout its handling. An arbitrary-address extraction method for physical memory data is designed: it obtains memory data located in any address range using the virtual machine introspection (VMI) mechanism, greatly improving the comprehensiveness and authenticity of the extracted evidence and making extraction more flexible. A kernel function monitoring method is also designed, which monitors calls to kernel exported functions from inside the VMM, based on instruction replacement and simulation. By monitoring kernel function calls, system behaviour can be distinguished dynamically. Using this monitoring method to guide the extraction and analysis of evidence better guarantees the consistency and effectiveness of the extracted evidence.

(2) DKOM (Direct Kernel Object Manipulation) hidden processes are highly stealthy and hard to detect, and most current hidden process detection methods suffer from the TOC-TOU (time-of-check to time-of-use) problem. Therefore, a hidden process forensics method based on kernel object analysis is proposed. This method uses the arbitrary-address memory extraction method to extract the relevant data inside the VMM and reconstructs two kinds of process lists from it; a hidden process is detected by contrasting the two lists. The kernel function monitoring method is used during detection to weaken the TOC-TOU problem, which yields higher detection accuracy than periodic detection methods. Once a hidden process is located, its executable code and the path of its executable file are reconstructed by analysing the related kernel objects, in order to verify the malicious behaviour of the process and to trace and track it. According to the experimental results, this method detects hidden processes with high accuracy.

(3) Existing memory attack forensics methods have poor instantaneity and a large performance overhead, so a real-time attack forensics method based on EPT (Extended Page Table) access control is proposed. With the help of the EPT, it sets the access privileges of the kernel data regions and user data regions frequently exploited by memory attacks, and follows changes to these pages instantly using the kernel function monitoring method. A violating access to a monitored page triggers an EPT violation, and the system is trapped into the VMM. In this way, the method can intercept an attack right as it executes and then conduct forensics on the attacker with the arbitrary-address memory extraction method. The MTF (Monitor Trap Flag) trap mechanism is used to promptly reset the access privileges of these pages after each violating access, so that the real-time forensics mechanism can work normally and continuously. According to the experimental results, this method instantly intercepts memory attacks, and its performance overhead is lower than that of current methods.
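The cross-view hidden process detection of contribution (2), as an added Python example that is not part of the thesis: a constructed toy memory image (not a real Windows EPROCESS layout) holds process objects in a doubly linked ring, one object is unlinked in place, and comparing the list walk against a tag-based carve of the same bytes exposes it. The object layout, offsets, addresses and sample processes are all assumptions made for the example.

```python
import struct
# Constructed toy process object (NOT a real EPROCESS): tag, pid, flink, blink, name.
# Links point at the embedded (flink, blink) pair, so a walker subtracts LINKS_OFF.
PROC_FMT, PROC_TAG, LINKS_OFF = "<4sIII16s", b"Proc", 8
PROC_SIZE = struct.calcsize(PROC_FMT)   # 32 bytes
HEAD_ADDR, FIRST_OBJ = 0x20, 0x40       # list head holds only (flink, blink)

def build_image(procs):
    """Lay out the head and the (pid, name) objects as a doubly linked ring."""
    mem, links = bytearray(0x200), [HEAD_ADDR]
    for i, (pid, name) in enumerate(procs):
        addr = FIRST_OBJ + i * PROC_SIZE
        struct.pack_into(PROC_FMT, mem, addr, PROC_TAG, pid, 0, 0, name.encode())
        links.append(addr + LINKS_OFF)
    for i, link in enumerate(links):
        struct.pack_into("<II", mem, link, links[(i + 1) % len(links)], links[i - 1])
    return mem

def dkom_unlink(mem, obj_addr):
    """Sample-input helper: splice one object out of the ring, as a DKOM rootkit does
    to its own process object; the object's bytes stay in memory."""
    flink, blink = struct.unpack_from("<II", mem, obj_addr + LINKS_OFF)
    struct.pack_into("<I", mem, blink, flink)        # prev.flink = next
    struct.pack_into("<I", mem, flink + 4, blink)    # next.blink = prev
def parse_proc(mem, addr):
    _tag, pid, _f, _b, name = struct.unpack_from(PROC_FMT, mem, addr)
    return {"addr": addr, "pid": pid, "name": name.rstrip(b"\0").decode()}
def walk_active_list(mem):
    """View 1: follow flink from the head, as the guest's own process enumeration does."""
    found, link = [], struct.unpack_from("<I", mem, HEAD_ADDR)[0]
    while link != HEAD_ADDR and len(found) < 1000:   # guard against a corrupted ring
        found.append(parse_proc(mem, link - LINKS_OFF))
        link = struct.unpack_from("<I", mem, link)[0]
    return found

def scan_for_objects(mem):
    """View 2: carve every object carrying the process tag, ignoring the links."""
    return [parse_proc(mem, a) for a in range(0, len(mem) - PROC_SIZE + 1, 4)
            if mem[a:a + 4] == PROC_TAG]

def find_hidden(mem):
    """Cross-view check: objects found by carving but absent from the linked list."""
    listed = {p["pid"] for p in walk_active_list(mem)}
    return [p for p in scan_for_objects(mem) if p["pid"] not in listed]

# Constructed sample image: four processes, then pid 1337 is unlinked in place.
SAMPLE_PROCS = [(4, "System"), (612, "lsass.exe"), (1337, "dropper.exe"), (2048, "notepad.exe")]
SAMPLE_IMAGE = build_image(SAMPLE_PROCS)
dkom_unlink(SAMPLE_IMAGE, FIRST_OBJ + 2 * PROC_SIZE)
```

Because both views are taken from one VMM-side extraction of the same bytes, the comparison is not exposed to the guest changing the list between the check and the use.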