With the rapid development of computer science and technology, computer-related crime has quietly grown to a shocking scale and brings huge economic losses worldwide every year. Obtaining digital evidence is the key to solving computer-related crimes, so in recent years computer forensics has become a popular research area. How to perform computer forensics safely and efficiently is one of the pressing problems in this area.

Methods of computer forensics can be divided into two main groups: static forensics and live forensics. Static forensics focuses on digital evidence stored on persistent storage devices, and it requires stopping the execution of the target computer system. Live forensics removes this limitation and extends the scope of the digital evidence that can be collected, but it still faces problems: the safety of live forensics tools is threatened, and in some cases the execution of the target computer system is still interrupted.

In this paper, we propose VAIL, a live forensics system based on hardware-assisted virtualization technology. Its main innovations are:
1) With silent virtualization technology, installing our system does not interrupt the execution of the target computer system.
2) We design a para-through driver architecture that keeps the hypervisor as small as possible and thereby reduces the likelihood of security vulnerabilities.
3) VAIL supports forensics for the whole computer system, including CPU forensics, memory forensics and I/O forensics.

Among these, CPU forensics leverages Intel VT-x technology, which saves the registers of the guest operating system in the VMCS structure when a VM Exit event occurs, while memory forensics is implemented in the EPT violation handler. I/O forensics is divided into programmed I/O, memory-mapped I/O and direct memory access, and VAIL performs forensics for each of them separately.

Finally, a series of experiments shows that VAIL is able to perform computer forensics for different activities of the target computer system. Compared with the native environment, the performance overhead is very small: 4.21% on average for CPU-sensitive benchmarks. The bandwidth loss is 0.29%~1.52%, and the throughput reduction is 0.22% for real network applications.