Hypervisor-assisted Atomic Memory Acquisition in Modern Systems
Michael Kiperberg, Roee Leon, Amit Resh, Asaf Algawi, Nezer Zaidenberg
2019
Abstract
Reliable memory acquisition is essential to forensic analysis of a cyber-crime. Various methods of memory acquisition have been proposed, ranging from tools based on dedicated hardware to software-only solutions. Recently, a hypervisor-based method for memory acquisition was proposed (Qi et al., 2017; Martignoni et al., 2010). This method obtains a reliable (atomic) memory image of a running system. The method achieves this by making all memory pages non-writable until they are copied to the memory image, thus preventing uncontrolled modification of these pages. Unfortunately, the proposed method has two deficiencies: (1) the method does not support multiprocessing and (2) the method does not support modern operating systems featuring address space layout randomization (ASLR). We describe a hypervisor-based memory acquisition method that solves the two aforementioned deficiencies. We analyze the memory usage and performance of the proposed method.
Paper Citation
in Harvard Style
Kiperberg M., Leon R., Resh A., Algawi A. and Zaidenberg N. (2019). Hypervisor-assisted Atomic Memory Acquisition in Modern Systems. In Proceedings of the 5th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-359-9, pages 155-162. DOI: 10.5220/0007566101550162
in Bibtex Style
@conference{icissp19,
author={Michael Kiperberg and Roee Leon and Amit Resh and Asaf Algawi and Nezer Zaidenberg},
title={Hypervisor-assisted Atomic Memory Acquisition in Modern Systems},
booktitle={Proceedings of the 5th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2019},
pages={155-162},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0007566101550162},
isbn={978-989-758-359-9},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 5th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Hypervisor-assisted Atomic Memory Acquisition in Modern Systems
SN - 978-989-758-359-9
AU - Kiperberg M.
AU - Leon R.
AU - Resh A.
AU - Algawi A.
AU - Zaidenberg N.
PY - 2019
SP - 155
EP - 162
DO - 10.5220/0007566101550162