Title: A KVM virtual machine memory forensics method based on VMCS
Authors: Zhang, Shuhui; Wang, Lianhai; Han, Xiaohui
Affiliations: [Zhang, Shuhui] School of Computer Science and Technology, Shandong University, Jinan 250101, China; [Zhang, Shuhui; Wang, Lianhai; Han, Xiaohui] Sh
Conference: 10th International Conference on Computational Intelligence and Security, CIS 2014
Conference dates: 15 November 2014 through 16 November 2014
Source: Proceedings - 2014 10th International Conference on Computational Intelligence and Security, CIS 2014
Keywords: Forensics; KVM; Memory analysis; Virtual machine; Volatile memory acquisition
Abstract: As the use of virtual machine environments increases, virtual machine forensics is becoming more and more important and emergent. Current forensics solutions for virtualized environments mainly focus on static data analysis, which cannot provide a complete picture of events. In this paper, a novel method for KVM (Kernel-based Virtual Machine) virtual machine memory forensics is proposed. By analyzing the memory image of a host machine, active virtual machines can be detected, and a complete picture of the virtual machine's state can also be obtained, such as running processes, loaded modules, network connections, registry, system logs, user accounts, services, hook analysis info and so on. The proposed method has been proven to be more effective on machines with current mainstream CPUs and Fedora versions 16-19, for both 32-bit and 64-bit. © 2014 IEEE.