
Design And Implementation Of Virtual Computer Memory Forensics System

Posted on: 2020-11-24
Degree: Master
Type: Thesis
Country: China
Candidate: P F Song
Full Text: PDF
GTID: 2428330623453121
Subject: Computer technology

Abstract/Summary:
With the rapid development of cloud computing and other virtual machine technologies, more and more business applications are being moved into virtual computing environments. Network attacks against these environments are increasingly prominent, and more and more malicious Trojans are found to be active in them, so research into the detection and forensics of data-theft attacks in virtual computing environments is extremely urgent. However, because cyber attacks in virtual environments are memory-resident and concealed, some key digital evidence exists only in physical memory or is stored temporarily in page-swap files, which traditional file-system-based detection and forensics cannot handle effectively.

The virtual computer memory forensics system designed and implemented in this thesis addresses two problems that existing memory forensics tools cannot: effective forensics against Trojans that carry anti-forensics functions, and integrity forensics and restoration of virtual computer memory. Taking the detection and forensics of data-theft malicious code (especially Trojan horse programs) in virtualization systems as its target, the system rapidly locates, deeply detects and analyzes the acquired volatile data of the virtualization system, with the working goals of real-time analysis, clue discovery and reproduction of attack behavior. After preliminary research, the project overcame several key technologies, namely cracking (reverse-engineering) the virtual memory format, complete acquisition of memory fragments from any region, mapping between data structures and evidence information, and evidence information extraction, and strives to develop a prototype system that meets business requirements.

The design research focuses on cracking the existing virtual computer memory data format and on the specific behavior patterns of Trojan activity in virtual machines. Six kinds of technique (process information analysis, registry information analysis, key recovery, network connection analysis, executable file analysis and system status information analysis) are used for rapid positioning, deep detection and correlation analysis, in order to realize the forensics targets of real-time analysis, clue discovery and reproduction of attack behavior. The main research content includes: obtaining kernel memory area objects by software methods, and analyzing and reconstructing the memory data with the help of the operating system's kernel data structures and related mechanisms. This requires studying the volatile evidence model of the virtual computing environment (VMware Workstation/VMware vSphere). Through reverse cracking, complete memory acquisition and transfer from any region is realized, and evidential information is extracted and analyzed. From the characteristics of Trojans in the implantation, concealment, latency, activation, loading, operation and communication stages in the virtual computing environment, together with the anti-forensics principles and behavioral fingerprints of Trojans in the virtual machine environment, a Trojan behavior trace discovery model is established.
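The abstract's "process information analysis" against Trojans with anti-forensics functions rests on the cross-view principle of memory forensics: enumerate processes the way the operating system does (walking the kernel's linked list) and the way an offline scan does (searching the whole image for object signatures), then diff the two views, because a Trojan that unlinks itself from the list still leaves its object in memory. The Python below is an added example, not code from the thesis or its prototype system. The process-object layout, the list-head offset, the process names and the memory image itself are constructed assumptions for illustration (real kernels use different structures, and a real tool would read the acquired VMware memory image), but the list walk, the signature scan with pointer validation, and the diff are the technique itself.

```python
"""Cross-view detection of a process hidden from the kernel's active list.

Added example, not code from the thesis. The object layout, the image and
the process names are all constructed here for illustration.
"""
import struct

# Hypothetical process-object layout (an assumption for this example, not a
# real kernel structure):
#   offset  0, 4 bytes : tag   b"Proc"
#   offset  4, 4 bytes : pid   little-endian uint32
#   offset  8, 16 bytes: name  NUL-padded ASCII
#   offset 24, 4 bytes : flink image offset of the next object in the list
#   offset 28, 4 bytes : blink image offset of the previous object
TAG = b"Proc"
OBJ_FMT = "<4sI16sII"
OBJ_SIZE = struct.calcsize(OBJ_FMT)  # 32 bytes
MAX_WALK = 10_000  # guard against corrupted or malicious circular pointers

# Constructed sample data: the last process is unlinked from the list.
PROCESSES = [(4, "System"), (312, "explorer.exe"),
             (1044, "svchost.exe"), (2077, "updater.exe")]
HIDDEN_PID = 2077
LIST_HEAD = 0x100


def pack_process(pid, name, flink, blink):
    return struct.pack(OBJ_FMT, TAG, pid, name.encode().ljust(16, b"\0"),
                       flink, blink)


def unpack_process(image, off):
    tag, pid, name, flink, blink = struct.unpack_from(OBJ_FMT, image, off)
    return {"offset": off, "pid": pid,
            "name": name.rstrip(b"\0").decode("ascii", errors="replace"),
            "flink": flink, "blink": blink}


def build_image(processes=PROCESSES, hidden_pid=HIDDEN_PID,
                base=LIST_HEAD, stride=0x40):
    """Lay the objects out at a fixed stride and link all but hidden_pid."""
    offsets = {pid: base + i * stride for i, (pid, _) in enumerate(processes)}
    names = dict(processes)
    visible = [pid for pid, _ in processes if pid != hidden_pid]
    image = bytearray(base + (len(processes) + 1) * stride)
    # Visible processes form a circular doubly-linked list.
    for j, pid in enumerate(visible):
        nxt = visible[(j + 1) % len(visible)]
        prv = visible[(j - 1) % len(visible)]
        off = offsets[pid]
        image[off:off + OBJ_SIZE] = pack_process(pid, names[pid],
                                                 offsets[nxt], offsets[prv])
    # The hidden object keeps valid-looking pointers to its former
    # neighbours, but no visible object points back at it (DKOM-style).
    if hidden_pid in offsets:
        order = [pid for pid, _ in processes]
        i = order.index(hidden_pid)
        nxt, prv = order[(i + 1) % len(order)], order[i - 1]
        off = offsets[hidden_pid]
        image[off:off + OBJ_SIZE] = pack_process(hidden_pid, names[hidden_pid],
                                                 offsets[nxt], offsets[prv])
    # A stray tag in unstructured padding: a naive scan would report it.
    image[0x10:0x14] = TAG
    return bytes(image)


def walk_process_list(image, head=LIST_HEAD):
    """The view a live process listing gets: follow flink from the head."""
    seen, off = [], head
    while len(seen) < MAX_WALK:
        obj = unpack_process(image, off)
        seen.append(obj)
        off = obj["flink"]
        if off == head:
            break
    return seen


def plausible(image, obj):
    """Reject hits whose list pointers do not land on another tagged object."""
    def points_at_object(off):
        return 0 <= off <= len(image) - OBJ_SIZE and image[off:off + 4] == TAG
    return points_at_object(obj["flink"]) and points_at_object(obj["blink"])


def scan_process_objects(image):
    """Signature scan over the whole image, independent of the list."""
    found, pos = [], image.find(TAG)
    while pos != -1:
        if pos + OBJ_SIZE <= len(image):
            obj = unpack_process(image, pos)
            if plausible(image, obj):
                found.append(obj)
        pos = image.find(TAG, pos + 1)
    return found


def hidden_processes(image, head=LIST_HEAD):
    """Processes present in memory but absent from the kernel's list."""
    listed = {p["pid"] for p in walk_process_list(image, head)}
    return sorted((p["pid"], p["name"]) for p in scan_process_objects(image)
                  if p["pid"] not in listed)


if __name__ == "__main__":
    img = build_image()
    print("list walk :", [p["pid"] for p in walk_process_list(img)])
    print("signature :", [p["pid"] for p in scan_process_objects(img)])
    print("hidden    :", hidden_processes(img))
```

The pointer check in `plausible` is the part that matters in practice: a bare signature scan over a real memory image produces false hits in freed pages, file caches and strings, so each candidate is only accepted when its link fields point at other well-formed objects. The loop guard in `walk_process_list` protects the analyst's own tool from a deliberately corrupted list, which is the kind of anti-forensics behaviour the abstract describes.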
Keywords/Search Tags: Virtual memory lossless acquisition, Reverse memory cracking, Research on Trojan behavior