Martignoni, Lorenzo, Fattori, Aristide, Paleari, Roberto and Cavallaro, Lorenzo (2010). Live and Trustworthy Forensic Analysis of Commodity Production Systems. In: 13th International Symposium on Recent Advances in Intrusion Detection (RAID).
Full text access: Open
We present HyperSleuth, a framework that leverages the virtualization extensions provided by commodity hardware to securely perform live forensic analysis of potentially compromised production systems. HyperSleuth provides a trusted execution environment that guarantees four fundamental properties. First, an attacker controlling the system cannot interfere with the analysis and cannot tamper with the results. Second, the framework can be installed while the system runs, without a reboot and without losing any volatile data. Third, the analysis performed is completely transparent to the OS and to an attacker. Finally, the analysis can be periodically and safely interrupted to resume normal execution of the system. On top of HyperSleuth we implemented three forensic analysis applications: a lazy physical memory dumper, a lie detector, and a system call tracer. The experimental evaluation we conducted demonstrated that even time-consuming analysis, such as dumping the content of the physical memory, can be securely performed without interrupting the services offered by the system.
This is a Submitted version. This version's date is 15/9/2010. This item is not peer reviewed.
https://repository.royalholloway.ac.uk/items/5540a938-9dd6-f739-8272-4be107949058/6/
Deposited by Research Information System (atira) on 18-Sep-2012 in Royal Holloway Research Online. Last modified on 18-Sep-2012.