
Research And Realization Of Digital Forensics For Virtual Machine In Cloud Based On Virtual Machine Introspection

Posted on: 2018-03-23
Degree: Master
Type: Thesis
Country: China
Candidate: R Yang
Full Text: PDF
GTID: 2428330569498577
Subject: Software engineering

Abstract/Summary:
Virtualization technology can integrate the underlying physical computing resources into one running environment and realize the logical abstraction and reunification of IT resources. Virtualization is therefore one of the fundamental technologies in cloud computing. Virtualized environments are confronted with numerous security issues, especially more powerful and more versatile malware. Digital forensic technology aims at searching for digital evidence at cyber crime scenes and providing support for solving computer crimes. Virtual machine memory dump files and virtual disk files reflect the true state of the virtual machine. As crucial forensic evidence, their security and integrity play a vital role. Given the characteristics of virtualization, leveraging virtual machine introspection (VMI) for digital forensics has many advantages. Thus the security of virtualized environments in the cloud and research on digital forensics utilizing VMI hold significant value for virtualization security and cloud computing development.

This paper first introduces the classification of virtualization and the mainstream virtualization technologies. Then it studies VMI and summarizes its implementation and research status. Next, the paper analyzes existing threats in virtualized environments and summarizes the corresponding countermeasures. In the following section, it briefly discusses digital forensic technology, as well as the traits and detection of rootkits and viruses. The paper explores the use of open source tools, such as the memory forensic analysis tool Volatility, the disk analysis tool SleuthKit and the malware identification tool YARA. It also explores the intrusion traces and detection of rootkits and viruses.

VMI can obtain internal information about virtual machines from outside. Memory dump files accurately reveal the internal status of virtual machines and can be used for analysis. The virtual machine disk file preserves the virtual machine's disk as key evidence. Based on these, we designed and implemented a digital forensic analysis system based on VMI for virtual machines. The system consists of four modules, organized according to the digital forensics procedure. The digital forensics process mainly includes the analysis of the memory dump file and the virtual disk file. At the end of this paper, we built a virtualized environment using KVM and deployed the relevant tools. We also booted several virtual machines for different tests. The experimental results showed that the system is functionally able to detect virtual machine abnormalities, and that there are performance differences caused by different test cases in different situations.
Keywords/Search Tags: Digital Forensics, Virtual Machine Introspection, Cloud Platform