
VMI-PL: A monitoring language for virtual platforms using virtual machine introspection

With the growth of virtualization and cloud computing, more and more forensic investigations rely on being able to perform live forensics on a virtual machine using virtual machine introspection (VMI). Inspecting a virtual machine through its hypervisor enables investigation without risking contamination of the evidence, crashing the computer, etc. To broaden access to these techniques for the investigator/researcher, we have developed a new VMI monitoring language. This language is based on a review of the most commonly used VMI techniques to date, and it enables the user to monitor the virtual machine's memory, events and data streams. A prototype implementation of our monitoring system was implemented in KVM, though implementation on any hypervisor that uses the common x86 virtualization hardware assistance support should be straightforward. Our prototype outperforms the proprietary VMWare VProbes in many cases, with a maximum performance loss of 18% for a realistic test case, which we consider acceptable. Our implementation is freely available under a liberal software distribution license. (C) 2014 Digital Forensics Research Workshop. Published by Elsevier Ltd. All rights reserved.

Metadata
Author details: Florian Westphal, Stefan Axelsson, Christian Neuhaus, Andreas Polze
DOI: https://doi.org/10.1016/j.diin.2014.05.016
ISSN: 1742-2876
ISSN: 1873-202X
Title of parent work (English): Digital Investigation : the international journal of digital forensics & incident response
Publisher: Elsevier
Place of publishing: Oxford
Publication type: Article
Language: English
Year of first publication: 2014
Publication year: 2014
Release date: 2017/03/27
Tag: Classification; Introspection; Live forensics; Monitoring language; Security; Virtualization
Volume: 11
Number of pages: 10
First page: S85
Last page: S94
Organizational units: An-Institute / Hasso-Plattner-Institut für Digital Engineering gGmbH
Peer review: Refereed