Venue: International Conference on Security for Information Technology and Communications

Secure Virtual Machine for Real Time Forensic Tools on Commodity Workstations



Abstract

Forensic analysis of volatile memory is a crucial part of the Incident Response process. Traditionally, it requires acquiring a memory dump from the affected workstation and transferring it to the analyst's system, where it is analyzed using established forensic tools such as Volatility or Rekall. Hardware-based virtualization support in modern x86 CPUs has previously been used on endpoints to acquire volatile memory in a way that malware cannot interfere with, but this approach does not support reusing existing forensic tools to perform live analysis. We introduce a system that leverages a small, security-oriented hypervisor (HV) to run the endpoint's original OS inside a virtual machine (VM), alongside a second VM dedicated to live forensic analysis with existing forensic tools. The HV enforces isolation between the analyzed OS and the forensic VM, while allowing a reliable remote connection to the forensic VM through a dedicated physical network card.
