Volatile evidence gathering and consolidation tool for windows virtual machines: WinVMI
Volatile storage has the potential of revealing crucial forensic data from the system that are otherwise not found in persistent storage of virtual machines. However, there are certain flaws with the two most common methods of gathering forensic data from them. Using live response, forensic tools ar...
Saved in:
| Main Author: | |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Animo Repository
2014
|
| Subjects: | |
| Online Access: | https://animorepository.dlsu.edu.ph/etd_bachelors/2636 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | De La Salle University |
| Language: | English |
| id |
oai:animorepository.dlsu.edu.ph:etd_bachelors-3636 |
|---|---|
| record_format |
eprints |
| spelling |
oai:animorepository.dlsu.edu.ph:etd_bachelors-36362021-06-15T07:32:20Z Volatile evidence gathering and consolidation tool for windows virtual machines: WinVMI Cruz, Kristine Samantha R. Volatile storage has the potential of revealing crucial forensic data from the system that are otherwise not found in persistent storage of virtual machines. However, there are certain flaws with the two most common methods of gathering forensic data from them. Using live response, forensic tools are loaded in the target machine or connected to a remote share, significantly altering the memory structure of the system. On the other hand, imaging the machines RAM, while more repeatable and verifiable than live response, will only create a snapshot in a particular time and not create a whole view of the changes in the system state during a particular timeframe. Most forensic tools also lack provisions for consolidating these data and activity logging capabilities that are necessary to verify when and how certain data are handled. WinVMI is able to utilize Virtual Machine Introspection (VMI) to gather and consolidate volatile information as done by its Collection and Data Processing Modules and verified through a virtual machine without loading a program or establishing a network connection in the virtual system as verified through the Database Population and the Memory Dump Generation Tests and through the Comparison Module, assess its impact on the consistency and integrity of the virtual machines system memory state in comparison with the traditional method of loading the tool into the virtual machine, verified through the results of Process List and Network Connection Impact Test, Process List Function Verification Test and the Memory Dump Delta Test, which all show a significant difference in the systems impact in the virtual machines system memory state as compared to the traditional method of gathering data. The system, through its Transaction Record Submodule, also has the ability to store these data in a database and log transactions done by the system to serve as its audit trail which is verified through the Logging Test. WinVMI recommends that this system be implemented in other virtualization platforms and investigate on collection through remote access of the virtual machines, as well as the collection of more types of data, grouping of logs by collection session, and mapping of high level data to low level memory data. 2014-01-01T08:00:00Z text https://animorepository.dlsu.edu.ph/etd_bachelors/2636 Bachelor's Theses English Animo Repository Computer Sciences |
| institution |
De La Salle University |
| building |
De La Salle University Library |
| continent |
Asia |
| country |
Philippines Philippines |
| content_provider |
De La Salle University Library |
| collection |
DLSU Institutional Repository |
| language |
English |
| topic |
Computer Sciences |
| spellingShingle |
Computer Sciences Cruz, Kristine Samantha R. Volatile evidence gathering and consolidation tool for windows virtual machines: WinVMI |
| description |
Volatile storage has the potential of revealing crucial forensic data from the system that are otherwise not found in persistent storage of virtual machines. However, there are certain flaws with the two most common methods of gathering forensic data from them. Using live response, forensic tools are loaded in the target machine or connected to a remote share, significantly altering the memory structure of the system. On the other hand, imaging the machines RAM, while more repeatable and verifiable than live response, will only create a snapshot in a particular time and not create a whole view of the changes in the system state during a particular timeframe. Most forensic tools also lack provisions for consolidating these data and activity logging capabilities that are necessary to verify when and how certain data are handled.
WinVMI is able to utilize Virtual Machine Introspection (VMI) to gather and consolidate volatile information as done by its Collection and Data Processing Modules and verified through a virtual machine without loading a program or establishing a network connection in the virtual system as verified through the Database Population and the Memory Dump Generation Tests and through the Comparison Module, assess its impact on the consistency and integrity of the virtual machines system memory state in comparison with the traditional method of loading the tool into the virtual machine, verified through the results of Process List and Network Connection Impact Test, Process List Function Verification Test and the Memory Dump Delta Test, which all show a significant difference in the systems impact in the virtual machines system memory state as compared to the traditional method of gathering data. The system, through its Transaction Record Submodule, also has the ability to store these data in a database and log transactions done by the system to serve as its audit trail which is verified through the Logging Test.
WinVMI recommends that this system be implemented in other virtualization platforms and investigate on collection through remote access of the virtual machines, as well as the collection of more types of data, grouping of logs by collection session, and mapping of high level data to low level memory data. |
| format |
text |
| author |
Cruz, Kristine Samantha R. |
| author_facet |
Cruz, Kristine Samantha R. |
| author_sort |
Cruz, Kristine Samantha R. |
| title |
Volatile evidence gathering and consolidation tool for windows virtual machines: WinVMI |
| title_short |
Volatile evidence gathering and consolidation tool for windows virtual machines: WinVMI |
| title_full |
Volatile evidence gathering and consolidation tool for windows virtual machines: WinVMI |
| title_fullStr |
Volatile evidence gathering and consolidation tool for windows virtual machines: WinVMI |
| title_full_unstemmed |
Volatile evidence gathering and consolidation tool for windows virtual machines: WinVMI |
| title_sort |
volatile evidence gathering and consolidation tool for windows virtual machines: winvmi |
| publisher |
Animo Repository |
| publishDate |
2014 |
| url |
https://animorepository.dlsu.edu.ph/etd_bachelors/2636 |
| _version_ |
1712575935641812992 |