Forensic Analysis utilizing Virtualization On-the-Fly

Supervisor(s): Sergej Proskurin, Thomas Kittel, Sebastian Vogl
Status: finished
Topic: Monitoring (VMI etc.)
Author: Sergej Proskurin
Submission: 2016-02-15
Type of Thesis: Master's thesis

Description

To approach the ever-growing complexity of modern malware, security applications increasingly leverage virtualization technology to perform Virtual Machine Introspection (VMI). VMI constitutes techniques that allow the observation, analysis, and control of guest Virtual Machines (VMs) from the outside. This lends VMI-based applications an omniscient character, gaining a complete and untainted view of the VM state. Apart from that, modern hardware-assisted virtualization technology allows transparent on-the-fly virtualization. This technique allows a live Operating System (OS) to be migrated into a virtual environment on demand. This thesis consolidates VMI with on-the-fly virtualization. We elaborate the design and architecture of the WhiteRabbit VMI framework in the form of a microkernel-based Virtual Machine Monitor (VMM). WhiteRabbit is designed to transparently virtualize a running OS on-the-fly for the purpose of forensic analysis. To this end, our prototype employs Intel VT-x hardware virtualization extensions and is able to virtualize running Linux OSs. To harden against potential exposure by malware, the design of WhiteRabbit considers anti-virtualization techniques and incorporates the hardware-assisted nested paging mechanism. After deployment, WhiteRabbit exposes VMI services to remote applications. More precisely, WhiteRabbit extends the popular LibVMI interface and thus facilitates the use of custom and already existing LibVMI-based security applications from a remote host. In this way, WhiteRabbit represents an effective means for forensic analysis that can be employed on demand.