Volatile evidence gathering and consolidation tool for Windows virtual machines: WinVMI
Date of Publication
2014
Document Type
Bachelor's Thesis
Degree Name
Bachelor of Science in Computer Science
Subject Categories
Computer Sciences
College
College of Computer Studies
Department/Unit
Computer Science
Thesis Adviser
Isaac Herculano Sabas
Defense Panel Chair
Gregory C. Cu
Defense Panel Member
Geanne Ross L. Franco
Alexis V. Pantola
Abstract/Summary
Volatile storage can reveal crucial forensic data about a system that is not found in the persistent storage of virtual machines. However, the two most common methods of gathering such data from them have flaws. In live response, forensic tools are loaded onto the target machine or connected to a remote share, significantly altering the memory structure of the system. Imaging the machine's RAM, while more repeatable and verifiable than live response, produces only a snapshot at one point in time and not a view of how the system state changed over a given timeframe. Most forensic tools also lack provisions for consolidating these data and for the activity logging needed to verify when and how particular data were handled.
WinVMI uses Virtual Machine Introspection (VMI) to gather and consolidate volatile information through its Collection and Data Processing Modules, without loading a program into the virtual machine or establishing a network connection to it; this is verified through the Database Population and Memory Dump Generation Tests. Through its Comparison Module, it assesses its impact on the consistency and integrity of the virtual machine's memory state in comparison with the traditional method of loading the tool into the virtual machine. This is verified through the results of the Process List and Network Connection Impact Test, the Process List Function Verification Test and the Memory Dump Delta Test, all of which show a significant difference between the system's impact on the virtual machine's memory state and that of the traditional method of gathering data. Through its Transaction Record Submodule, the system also stores these data in a database and logs the transactions it performs to serve as an audit trail, which is verified through the Logging Test.
The thesis recommends that the system be implemented on other virtualization platforms and that collection through remote access to the virtual machines be investigated, along with the collection of more types of data, the grouping of logs by collection session, and the mapping of high-level data to low-level memory data.
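The kind of measurement the Comparison Module and the Transaction Record Submodule are described as performing can be illustrated with a small script. The following is an added example and is not code from the WinVMI thesis: it compares two memory dumps page by page (the idea behind a memory dump delta test), diffs two process listings (the idea behind a process list impact test), and keeps a hash-chained transaction log so that a tampered audit trail is detectable. The dumps, the process lists and the page size are constructed stand-ins; the function and class names are this example's own and do not correspond to any interface in the thesis.

```python
"""Page-level memory dump delta, process-list impact and a hash-chained
transaction log. Added example, not code from the WinVMI thesis. All inputs
below are constructed in memory so the script runs offline."""
import copy
import hashlib
import json
from typing import Iterable

PAGE_SIZE = 4096  # assumed page granularity for the comparison


def page_hashes(dump: bytes, page_size: int = PAGE_SIZE) -> list[str]:
    """SHA-256 of every page, so two dumps can be compared without keeping
    both fully resident."""
    return [hashlib.sha256(dump[i:i + page_size]).hexdigest()
            for i in range(0, len(dump), page_size)]


def page_delta(dump_a: bytes, dump_b: bytes, page_size: int = PAGE_SIZE) -> dict:
    """Indices of pages that differ between two dumps of the same guest.
    Pages present in only one dump (a size mismatch) are counted as changed
    rather than silently truncated: a collector that grows the guest's memory
    footprint is exactly the effect the comparison is meant to expose."""
    ha, hb = page_hashes(dump_a, page_size), page_hashes(dump_b, page_size)
    overlap = min(len(ha), len(hb))
    changed = [i for i in range(overlap) if ha[i] != hb[i]]
    changed += list(range(overlap, max(len(ha), len(hb))))
    total = max(len(ha), len(hb))
    return {"pages": total, "changed": changed,
            "size_mismatch": len(ha) != len(hb),
            "changed_ratio": len(changed) / total if total else 0.0}


def process_impact(baseline: Iterable[tuple[int, str]],
                   observed: Iterable[tuple[int, str]]) -> dict:
    """Processes that appear in one listing but not the other, keyed by
    (pid, image name)."""
    b, o = set(baseline), set(observed)
    return {"added": sorted(o - b), "removed": sorted(b - o)}


class TransactionLog:
    """Append-only record of collection actions. Each entry carries the hash
    of the previous one, so deleting, editing or reordering an entry breaks
    verification."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action: str, detail: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "action": action,
                "detail": detail, "prev": prev}
        entry = {**body, "hash": self._digest(body)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def _page(seed: int, size: int = PAGE_SIZE) -> bytes:
    """Deterministic filler page; distinct seeds give distinct content."""
    return bytes([(seed * 31 + i) & 0xFF for i in range(size)])


def demo() -> dict:
    """Constructed scenario: a 16-page baseline, an introspected dump that is
    identical to it, and a live-response dump in which three pages were
    rewritten and two pages appended by a tool mapped into the guest."""
    baseline = b"".join(_page(i) for i in range(16))
    vmi_dump = baseline
    live_pages = [_page(i) for i in range(16)]
    for idx in (2, 5, 9):
        live_pages[idx] = _page(100 + idx)
    live_dump = b"".join(live_pages) + _page(200) + _page(201)

    # Constructed process listings; the in-guest collector shows up as a process.
    baseline_procs = [(4, "System"), (512, "lsass.exe"), (1300, "explorer.exe")]
    live_procs = baseline_procs + [(2200, "collector.exe")]

    vmi_delta = page_delta(baseline, vmi_dump)
    live_delta = page_delta(baseline, live_dump)

    log = TransactionLog()
    log.record("collect", {"method": "vmi", "pages": vmi_delta["pages"]})
    log.record("compare", {"changed": len(vmi_delta["changed"])})
    tampered = copy.deepcopy(log)
    tampered.entries[0]["detail"]["pages"] = 15  # silently edit an old entry

    return {"vmi_delta": vmi_delta, "live_delta": live_delta,
            "vmi_impact": process_impact(baseline_procs, baseline_procs),
            "live_impact": process_impact(baseline_procs, live_procs),
            "log_ok": log.verify(), "tampered_ok": tampered.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

The page hashes are what a consolidation step would store in the database alongside each collection, and the hash-chained log is the property an audit trail needs beyond a plain append: an entry edited after the fact, as in the tampered copy above, no longer verifies.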
Abstract Format
html
Language
English
Format
Accession Number
TU18519
Shelf Location
Archives, The Learning Commons, 12F, Henry Sy Sr. Hall
Physical Description
1 v. (various foliations) ; 28 cm.
Recommended Citation
Cruz, K. (2014). Volatile evidence gathering and consolidation tool for Windows virtual machines: WinVMI. Retrieved from https://animorepository.dlsu.edu.ph/etd_bachelors/2636