Volatile evidence gathering and consolidation tool for windows virtual machines: WinVMI

Bibliographic Details
Main Author: Cruz, Kristine Samantha R.
Format: text (Bachelor's thesis)
Language: English
Published: Animo Repository, 2014
Subjects: Computer Sciences
Online Access: https://animorepository.dlsu.edu.ph/etd_bachelors/2636
Institution: De La Salle University
Description:

Volatile storage can reveal crucial forensic data about a system that is not found in the persistent storage of virtual machines. However, the two most common methods of gathering forensic data from it have flaws. In live response, forensic tools are loaded into the target machine or connected to a remote share, significantly altering the memory structure of the system. Imaging the machine's RAM, while more repeatable and verifiable than live response, only captures a snapshot at one point in time and gives no view of how the system state changed over a period. Most forensic tools also lack provisions for consolidating these data and the activity logging needed to verify when and how particular data were handled.

WinVMI uses Virtual Machine Introspection (VMI) to gather and consolidate volatile information through its Collection and Data Processing Modules without loading a program into, or establishing a network connection to, the virtual machine; this is verified through the Database Population and Memory Dump Generation Tests. Through its Comparison Module it assesses the impact of collection on the consistency and integrity of the virtual machine's memory state against the traditional method of loading the tool into the virtual machine. The Process List and Network Connection Impact Test, the Process List Function Verification Test and the Memory Dump Delta Test all show a significant difference in impact on the virtual machine's memory state compared with the traditional method of gathering data. Through its Transaction Record Submodule the system also stores the collected data in a database and logs the transactions it performs as an audit trail, verified through the Logging Test.

The study recommends implementing the system on other virtualization platforms and investigating collection through remote access to the virtual machines, collection of more types of data, grouping of logs by collection session, and mapping of high-level data to low-level memory data.
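The Memory Dump Delta Test described above compares the guest's memory state after out-of-guest collection with its state after the traditional in-guest method. The page-level comparison below is an added example and not the thesis's own code: the thesis does not describe its comparison algorithm, so the page-granular SHA-256 diff, the 4 KiB page size, the function names and the three synthetic dumps (a baseline, an unchanged "VMI" copy, and a "live response" copy with a few pages overwritten) are all assumptions constructed for illustration.

```python
"""Page-granularity delta between two memory dumps (added example, not WinVMI code)."""
import hashlib
import random
from typing import Dict, List, Tuple

PAGE_SIZE = 4096  # assumed x86 page size; the dumps are compared page by page


def page_hashes(dump: bytes, page_size: int = PAGE_SIZE) -> List[str]:
    """Return a SHA-256 digest for every page of the dump (the last page may be short)."""
    return [hashlib.sha256(dump[off:off + page_size]).hexdigest()
            for off in range(0, len(dump), page_size)]


def dump_delta(baseline: bytes, candidate: bytes,
               page_size: int = PAGE_SIZE) -> Dict[str, object]:
    """Compare two dumps of the same guest and report which pages differ.

    Both dumps must be the same size: a size mismatch means they were not
    taken from the same memory configuration and a page-wise delta is meaningless.
    Whole-dump digests are included so the result can be re-verified later.
    """
    if len(baseline) != len(candidate):
        raise ValueError("dumps differ in size: %d vs %d" % (len(baseline), len(candidate)))
    base_h = page_hashes(baseline, page_size)
    cand_h = page_hashes(candidate, page_size)
    changed = [i for i, (a, b) in enumerate(zip(base_h, cand_h)) if a != b]
    return {
        "pages_total": len(base_h),
        "pages_changed": len(changed),
        "changed_offsets": [i * page_size for i in changed],
        "changed_fraction": (len(changed) / len(base_h)) if base_h else 0.0,
        "baseline_digest": hashlib.sha256(baseline).hexdigest(),
        "candidate_digest": hashlib.sha256(candidate).hexdigest(),
    }


def build_sample_dumps(pages: int = 64,
                       page_size: int = PAGE_SIZE) -> Tuple[bytes, bytes, bytes]:
    """Construct three synthetic dumps (assumed data, not real guest memory).

    - baseline: the guest at rest
    - vmi: byte-identical to baseline, modelling collection from outside the guest
    - live: baseline with four pages partly overwritten, modelling an agent loaded in the guest
    """
    rng = random.Random(1)  # fixed seed so the example is repeatable
    baseline = bytes(rng.getrandbits(8) for _ in range(pages * page_size))
    vmi = bytes(baseline)
    live = bytearray(baseline)
    for page in (3, 10, 11, 40):  # constructed: pages touched by the in-guest agent
        start = page * page_size
        live[start:start + 256] = b"\x90" * 256
    return baseline, vmi, bytes(live)


def report(baseline: bytes, candidate: bytes, label: str) -> str:
    """One-line summary suitable for an investigator's notes."""
    d = dump_delta(baseline, candidate)
    return "%s: %d/%d pages changed (%.1f%%), offsets=%s" % (
        label, d["pages_changed"], d["pages_total"],
        100.0 * d["changed_fraction"], d["changed_offsets"])


if __name__ == "__main__":
    base, vmi, live = build_sample_dumps()
    print(report(base, vmi, "out-of-guest (VMI)"))
    print(report(base, live, "in-guest (live response)"))
```

The delta is computed on page hashes rather than raw bytes so the result is a small, reproducible list of offsets that can be stored alongside the whole-dump digests; an investigator can later re-hash the dumps and confirm the recorded delta without keeping both images in memory at once.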