Visible to the public "Execution Time Measurement of Virtual Machine Volatile Artifacts Analyzers"Conflict Detection Enabled

Title"Execution Time Measurement of Virtual Machine Volatile Artifacts Analyzers"
Publication TypeConference Paper
Year of Publication2015
AuthorsA. K. M. A., J. C. D.
Conference Name2015 IEEE 21st International Conference on Parallel and Distributed Systems (ICPADS)
Date PublishedDec
ISBN Number978-0-7695-5785-4
Accession Number15720953
Keywordsadvanced persistent threat, advanced persistent threats, captured memory dump analysis, digital forensics, execution time measurement, hypervisor, intrusion detection system, invasive software, Kernel, LibVMI open source tool, live virtual machine RAM dump, Malware, memory forensic analysis, memory forensic analysis tool, pubcrawl170101, public domain software, Random access memory, rootkit, semantic gap, Semantics, spyware, storage management, virtual infrastructure privileged access, virtual machine introspection, Virtual machine monitors, virtual machine volatile artifact analyzers, virtual machines, Virtual machining, virtualisation, virtualization environment

Due to a rapid revaluation in a virtualization environment, Virtual Machines (VMs) are target point for an attacker to gain privileged access of the virtual infrastructure. The Advanced Persistent Threats (APTs) such as malware, rootkit, spyware, etc. are more potent to bypass the existing defense mechanisms designed for VM. To address this issue, Virtual Machine Introspection (VMI) emerged as a promising approach that monitors run state of the VM externally from hypervisor. However, limitation of VMI lies with semantic gap. An open source tool called LibVMI address the semantic gap. Memory Forensic Analysis (MFA) tool such as Volatility can also be used to address the semantic gap. But, it needs to capture a memory dump (RAM) as input. Memory dump acquires time and its analysis time is highly crucial if Intrusion Detection System IDS (IDS) depends on the data supplied by FAM or VMI tool. In this work, live virtual machine RAM dump acquire time of LibVMI is measured. In addition, captured memory dump analysis time consumed by Volatility is measured and compared with other memory analyzer such as Rekall. It is observed through experimental results that, Rekall takes more execution time as compared to Volatility for most of the plugins. Further, Volatility and Rekall are compared with LibVMI. It is noticed that examining the volatile data through LibVMI is faster as it eliminates memory dump acquire time.

Citation Key7384310