Virtual Machine Forensics by means of Introspection and Kernel Code Injection


Patrick Tobin, Tahar Kechadi

Publication Type: 
Refereed Conference Meeting Proceeding
Virtual machine introspection (VMI) offers the ability to access a virtual machine (VM) remotely and extract information from it: all processes, local data and network traffic can be tracked and made available to the investigation, which makes it possible to monitor a suspect VM. However, access to VM data is far from trivial and involves several complex tasks. For instance, the returned data is in a raw format and must be remapped into a user-friendly (canonical) representation. In this paper we propose a method of bridging this semantic gap and providing a graphical reconstruction of events. The proposal is essentially the recreation of the virtual machine at a remote location, followed by the recreation of all of its processes, data and network traffic as they occur in the original. This is to be achieved in real time, giving the investigator the opportunity to make decisions quickly on the evidence as it is collected. Our approach recreates a virtual machine and injects into it all code and data from the original, presenting an identical copy for examination. It has the further advantage of allowing all data to be saved for later analysis and verification.
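The "semantic gap" the abstract refers to, illustrated with an added Python example that is not from the paper or its authors: a raw guest-memory snapshot, as introspection would return it, is parsed into canonical process records. The descriptor layout, the addresses and the sample image are constructed for this illustration and do not correspond to any real operating system or to the paper's own injection-based reconstruction. The cycle check and the snapshot digest are the safeguards a practitioner would want when the guest may be hostile and the evidence must be re-derivable and verifiable later.

```python
"""
Toy illustration of the VMI semantic gap: raw guest memory bytes -> canonical
process records. The guest layout below is CONSTRUCTED for this example and
does not correspond to any real operating system.
"""
import hashlib
import struct
from dataclasses import dataclass

# Constructed (hypothetical) guest layout: each process descriptor is 32 bytes.
#   offset 0  : u32 pid
#   offset 4  : u32 parent pid
#   offset 8  : u32 guest-physical address of next descriptor (0 = end of list)
#   offset 12 : u32 state (0 = running, 1 = sleeping, 2 = zombie)
#   offset 16 : 16-byte NUL-padded command name
DESC_FMT = "<IIII16s"
DESC_SIZE = struct.calcsize(DESC_FMT)  # 32 bytes
STATE_NAMES = {0: "running", 1: "sleeping", 2: "zombie"}


@dataclass(frozen=True)
class Process:
    """Canonical (user-friendly) view of one guest process."""
    pid: int
    ppid: int
    state: str
    comm: str


def read_descriptor(mem, addr):
    """Decode one descriptor at guest-physical address `addr`; return (Process, next_addr)."""
    if addr + DESC_SIZE > len(mem):
        raise ValueError(f"descriptor at {addr:#x} runs past end of image")
    pid, ppid, nxt, state, comm = struct.unpack_from(DESC_FMT, mem, addr)
    name = comm.split(b"\0", 1)[0].decode("ascii", errors="replace")
    return Process(pid, ppid, STATE_NAMES.get(state, f"unknown({state})"), name), nxt


def walk_process_list(mem, head_addr, max_entries=4096):
    """Follow the linked list from head_addr, refusing cycles and runaway lists.

    A compromised guest can corrupt its own kernel structures, so the walker
    never trusts the 'next' pointer blindly.
    """
    seen = set()
    procs = []
    addr = head_addr
    while addr != 0:
        if addr in seen:
            raise ValueError(f"cycle in process list at {addr:#x}")
        if len(procs) >= max_entries:
            raise ValueError("process list exceeds max_entries")
        seen.add(addr)
        proc, addr = read_descriptor(mem, addr)
        procs.append(proc)
    return procs


def image_digest(mem):
    """SHA-256 of the raw snapshot, recorded so the canonical view can be re-derived and checked later."""
    return hashlib.sha256(mem).hexdigest()


def build_sample_image():
    """Constructed raw snapshot: three descriptors at 0x40, 0x80, 0xC0 in a zero-filled 256-byte image."""
    mem = bytearray(0x100)
    struct.pack_into(DESC_FMT, mem, 0x40, 1, 0, 0x80, 0, b"init")
    struct.pack_into(DESC_FMT, mem, 0x80, 412, 1, 0xC0, 1, b"sshd")
    struct.pack_into(DESC_FMT, mem, 0xC0, 977, 412, 0, 2, b"bash")
    return bytes(mem)


SAMPLE_IMAGE = build_sample_image()
SAMPLE_HEAD = 0x40  # hypothetical address of the list head in the constructed image

if __name__ == "__main__":
    print("snapshot sha256:", image_digest(SAMPLE_IMAGE))
    for p in walk_process_list(SAMPLE_IMAGE, SAMPLE_HEAD):
        print(f"pid={p.pid:<5} ppid={p.ppid:<5} {p.state:<9} {p.comm}")
```

Against a real guest the descriptor layout would come from the kernel's debug symbols for the exact build running in the suspect VM, and the head address from a known symbol; getting either wrong is precisely the semantic gap the paper is concerned with.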
Conference Name: 
9th International Conference on Cyber Warfare and Security
Conference Location: 
United States of America
National University of Ireland, Dublin (UCD)