Volatile evidence gathering and consolidation tool for Windows virtual machines: WinVMI

Date of Publication

2014

Document Type

Bachelor's Thesis

Degree Name

Bachelor of Science in Computer Science

Subject Categories

Computer Sciences

College

College of Computer Studies

Department/Unit

Computer Science

Thesis Adviser

Isaac Herculano Sabas

Defense Panel Chair

Gregory C. Cu

Defense Panel Member

Geanne Ross L. Franco
Alexis V. Pantola

Abstract/Summary

Volatile storage can reveal crucial forensic data about a system that is otherwise not found in the persistent storage of virtual machines. However, the two most common methods of gathering forensic data from it each have flaws. In live response, forensic tools are loaded into the target machine or connected to a remote share, which significantly alters the memory state of the system. Imaging the machine's RAM, while more repeatable and verifiable than live response, only captures a snapshot at a particular time and does not give a whole view of how the system state changes over a timeframe. Most forensic tools also lack provisions for consolidating these data and the activity-logging capabilities needed to verify when and how certain data were handled.

WinVMI uses Virtual Machine Introspection (VMI) to gather and consolidate volatile information through its Collection and Data Processing Modules, without loading a program into or establishing a network connection to the virtual machine; this is verified through the Database Population and Memory Dump Generation Tests. Through its Comparison Module, it assesses its impact on the consistency and integrity of the virtual machine's system memory state in comparison with the traditional method of loading the tool into the virtual machine; this is verified through the Process List and Network Connection Impact Test, the Process List Function Verification Test and the Memory Dump Delta Test, all of which show a significant difference in impact on the virtual machine's memory state compared with the traditional method of gathering data. Through its Transaction Record Submodule, the system also stores these data in a database and logs the transactions it performs to serve as an audit trail, which is verified through the Logging Test.

The thesis recommends implementing the system on other virtualization platforms and investigating collection through remote access to the virtual machines, as well as the collection of more types of data, grouping of logs by collection session, and mapping of high-level data to low-level memory data.
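As an added illustration of the approach the abstract describes (this is not code from the WinVMI thesis, whose platform and implementation are not given on this page), the Python below walks a process list out of a constructed guest-memory image through a read primitive that stands in for a VMI guest-memory read, diffs two collections the way a process-list impact or memory-dump delta test would, and appends hashed entries to an audit trail. The record layout, addresses and sample process names are assumptions made up for the example; they are not the real Windows EPROCESS layout.

```python
"""Introspection-style process-list collection, delta check and audit log.

Added example, not code from the WinVMI thesis. The "guest memory" is a
constructed byte buffer; the record layout below is hypothetical and is NOT
the real Windows EPROCESS layout.
"""
import hashlib
import json
import struct
import time

BASE_VA = 0x8000             # assumed guest VA of the memory window we read
HEAD_VA = BASE_VA            # assumed VA of the list head (flink, blink)
FIRST_REC_VA = BASE_VA + 0x10
REC_SIZE = 0x20              # hypothetical record: pid, ppid, links, name
LINK_OFF = 0x08              # offset of (flink, blink) inside a record
NAME_OFF = 0x10              # offset of the 16-byte NUL-padded image name

# Constructed sample guest state: (pid, ppid, image name)
SAMPLE_PROCS = [(4, 0, "System"), (500, 4, "lsass.exe"), (1000, 4, "explorer.exe")]


def make_guest_memory(procs):
    """Build a fake guest image holding a circular doubly linked list of
    process records. Like a kernel's active-process list, each link points
    at the neighbour's *link field*, so a walker must subtract LINK_OFF to
    recover the record base."""
    mem = bytearray(0x1000)
    ring = [HEAD_VA] + [FIRST_REC_VA + i * REC_SIZE + LINK_OFF for i in range(len(procs))]
    for i, (pid, ppid, name) in enumerate(procs):
        off = FIRST_REC_VA + i * REC_SIZE - BASE_VA
        struct.pack_into("<II", mem, off, pid, ppid)
        struct.pack_into("<16s", mem, off + NAME_OFF, name.encode("ascii"))
    for i, va in enumerate(ring):  # head and every record get flink/blink
        flink, blink = ring[(i + 1) % len(ring)], ring[(i - 1) % len(ring)]
        struct.pack_into("<II", mem, va - BASE_VA, flink, blink)
    return bytes(mem)


def make_reader(mem):
    """Return read(va, size) over the constructed image. In a real tool this
    is where the VMI library's out-of-band guest-memory read would sit."""
    def read(va, size):
        off = va - BASE_VA
        if off < 0 or off + size > len(mem):
            raise ValueError(f"read outside guest window: {va:#x}")
        return mem[off:off + size]
    return read


def walk_process_list(read, head_va=HEAD_VA, max_entries=4096):
    """Follow the flink chain from the head and decode each record. The
    cycle and length checks stop on a corrupted or looped list."""
    procs, seen = [], set()
    (flink,) = struct.unpack_from("<I", read(head_va, 4))
    while flink != head_va:
        if flink in seen or len(procs) >= max_entries:
            raise ValueError(f"corrupt or cyclic process list at {flink:#x}")
        seen.add(flink)
        rec = flink - LINK_OFF
        pid, ppid = struct.unpack_from("<II", read(rec, 8))
        name = bytes(read(rec + NAME_OFF, 16)).split(b"\0", 1)[0].decode("ascii", "replace")
        procs.append({"pid": pid, "ppid": ppid, "name": name})
        (flink,) = struct.unpack_from("<I", read(flink, 4))
    return procs


def process_delta(before, after):
    """Compare two collections; a non-empty delta means the guest's process
    state changed between them (e.g. a tool loaded by live response)."""
    b = {(p["pid"], p["name"]) for p in before}
    a = {(p["pid"], p["name"]) for p in after}
    return {"added": sorted(a - b), "removed": sorted(b - a)}


def record_transaction(log, action, payload):
    """Append an audit-trail entry carrying a hash of what was collected."""
    digest = hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()
    entry = {"seq": len(log) + 1, "ts": time.time(), "action": action, "sha256": digest}
    log.append(entry)
    return entry


if __name__ == "__main__":
    log = []
    clean = make_guest_memory(SAMPLE_PROCS)
    baseline = walk_process_list(make_reader(clean))
    record_transaction(log, "vmi_collect_processes", baseline)
    # Reading from outside leaves the guest untouched: re-collection shows no delta.
    print("VMI re-collection delta:", process_delta(baseline, walk_process_list(make_reader(clean))))
    # Live response loads a collector inside the guest; model it as an extra process.
    live = walk_process_list(make_reader(make_guest_memory(SAMPLE_PROCS + [(2000, 1000, "collector.exe")])))
    record_transaction(log, "live_response_collect_processes", live)
    print("live-response delta:", process_delta(baseline, live))
    print(json.dumps(log, indent=1))
```

Only `make_reader` would change in a real deployment: the walker, delta and audit functions are written against the read primitive, not against the buffer, which is what lets the same collection logic run against a VMI-backed read without loading anything into the guest.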

Abstract Format

html

Language

English

Format

Print

Accession Number

TU18519

Shelf Location

Archives, The Learning Commons, 12F, Henry Sy Sr. Hall

Physical Description

1 v. (various foliations) ; 28 cm.
