Hypervisor-assisted Atomic Memory Acquisition in Modern Systems

Kiperberg, Michael; Leon, Roee; Resh, Amit; Algawi, Asaf; Zaidenberg, Nezer

doi:10.5220/0007566101550162

dc.contributor.author	Kiperberg, Michael
dc.contributor.author	Leon, Roee
dc.contributor.author	Resh, Amit
dc.contributor.author	Algawi, Asaf
dc.contributor.author	Zaidenberg, Nezer
dc.contributor.editor	Mori, Paolo
dc.contributor.editor	Furnell, Steven
dc.contributor.editor	Camp, Olivier
dc.date.accessioned	2019-07-25T05:09:06Z
dc.date.available	2019-07-25T05:09:06Z
dc.date.issued	2019
dc.identifier.citation	Kiperberg, M., Leon, R., Resh, A., Algawi, A., & Zaidenberg, N. (2019). Hypervisor-assisted Atomic Memory Acquisition in Modern Systems. In P. Mori, S. Furnell, & O. Camp (Eds.), <i>ICISSP 2019 : Proceedings of the 5th International Conference on Information Systems Security and Privacy, Volume 1</i> (pp. 155-162). SCITEPRESS Science And Technology Publications. <a href="https://doi.org/10.5220/0007566101550162" target="_blank">https://doi.org/10.5220/0007566101550162</a>
dc.identifier.other	CONVID_30725172
dc.identifier.uri	https://jyx.jyu.fi/handle/123456789/65108
dc.description.abstract	Reliable memory acquisition is essential to forensic analysis of a cyber-crime. Various methods of memory acquisition have been proposed, ranging from tools based on a dedicated hardware to software only solutions. Recently, a hypervisor-based method for memory acquisition was proposed (Qi et al., 2017; Martignoni et al., 2010). This method obtains a reliable (atomic) memory image of a running system. The method achieves this by making all memory pages non-writable until they are copied to the memory image, thus preventing uncontrolled modification of these pages. Unfortunately, the proposed method has two deficiencies: (1) the method does not support multiprocessing and (2) the method does not support modern operating systems featuring address space layout randomization (ASLR). We describe a hypervisor-based memory acquisition method that solves the two aforementioned deficiencies. We analyze the memory usage and performance of the proposed method.	fi
dc.format.extent	738
dc.format.mimetype	application/pdf
dc.language.iso	eng
dc.publisher	SCITEPRESS Science And Technology Publications
dc.relation.ispartof	ICISSP 2019 : Proceedings of the 5th International Conference on Information Systems Security and Privacy, Volume 1
dc.rights	In Copyright
dc.subject.other	live forensics
dc.subject.other	memory forensics
dc.subject.other	memory acquisition
dc.subject.other	virtualization
dc.subject.other	reliability
dc.subject.other	atomicity
dc.subject.other	integrity of a memory snapshot
dc.subject.other	forensic soundness
dc.title	Hypervisor-assisted Atomic Memory Acquisition in Modern Systems
dc.type	conference paper
dc.identifier.urn	URN:NBN:fi:jyu-201907243671
dc.contributor.laitos	Informaatioteknologian tiedekunta	fi
dc.contributor.laitos	Faculty of Information Technology	en
dc.contributor.oppiaine	Tietotekniikka	fi
dc.contributor.oppiaine	Mathematical Information Technology	en
dc.type.uri	http://purl.org/eprint/type/ConferencePaper
dc.date.updated	2019-07-24T12:15:08Z
dc.relation.isbn	978-989-758-359-9
dc.type.coar	http://purl.org/coar/resource_type/c_5794
dc.description.reviewstatus	peerReviewed
dc.format.pagerange	155-162
dc.type.version	acceptedVersion
dc.rights.copyright	© 5th International Conference on Information Systems Security and Privacy by SCITEPRESS
dc.rights.accesslevel	openAccess	fi
dc.type.publication	conferenceObject
dc.relation.conference	International Conference on Information Systems Security and Privacy
dc.subject.yso	tietoturva
dc.subject.yso	muistit (tietotekniikka)
dc.subject.yso	virtualisointi
dc.format.content	fulltext
jyx.subject.uri	http://www.yso.fi/onto/yso/p5479
jyx.subject.uri	http://www.yso.fi/onto/yso/p12658
jyx.subject.uri	http://www.yso.fi/onto/yso/p22009
dc.rights.url	http://rightsstatements.org/page/InC/1.0/?language=en
dc.relation.doi	10.5220/0007566101550162
dc.type.okm	A4