ForenVisor: A Tool for Acquiring and Preserving Reliable Data in Cloud Live Forensics
Live forensics is an important technique in cloud security but faces the challenge of reliability. Most live forensic tools in cloud computing run either in the target operating system (OS) or as an extra hypervisor. Tools in the target OS are not reliable, since a compromised OS can deceive them. Furthermore, traditional general-purpose hypervisors are vulnerable due to their huge code size, yet some modules of a general-purpose hypervisor, such as device drivers, are unnecessary for forensics. In this paper, we propose a special-purpose hypervisor, called ForenVisor, which is dedicated to reliable live forensics. Reliability is improved in three ways: reducing the Trusted Computing Base (TCB) size through a lightweight architecture, collecting evidence directly from the hardware, and protecting the evidence and other sensitive files with the Filesafe module. We have implemented a proof-of-concept prototype on the Windows platform, which can acquire process data, raw memory, and I/O data such as keystrokes and network traffic. Furthermore, we evaluate ForenVisor in terms of code size, functionality, and performance. The experimental results show that ForenVisor has a relatively small TCB size of about 13 KLOC and only causes less than 10 percent performance reduction in the target system. In particular, our experiments verify that ForenVisor guarantees that the protected files remain untampered even when the guest OS is compromised by viruses such as 'ILOVEYOU' and Worm.WhBoy. Also, our system can be loaded as a hypervisor without pausing the target OS, which allows it to gather live evidence of the target OS without destroying it. We have also posted the source code of ForenVisor on GitHub.
Published in: | IEEE transactions on cloud computing 2017-07, Vol.5 (3), p.443-456 |
---|---|
Main Authors: | Zhengwei Qi, Chengcheng Xiang, Ruhui Ma, Jian Li, Haibing Guan, David S. L. Wei |
Format: | Article |
Language: | English |
Subjects: | Cloud computing; file protection; Forensics; Hardware; io monitor; Live forensics; Performance evaluation; Reliability; Virtual machine monitors; Virtualization |
cited_by | cdi_FETCH-LOGICAL-c371t-a0b20a04618f5148e40c72d5ddf0b6bd78f0c4558143e5d09ee3aaf2107478f3 |
---|---|
cites | cdi_FETCH-LOGICAL-c371t-a0b20a04618f5148e40c72d5ddf0b6bd78f0c4558143e5d09ee3aaf2107478f3 |
container_end_page | 456 |
container_issue | 3 |
container_start_page | 443 |
container_title | IEEE transactions on cloud computing |
container_volume | 5 |
creator | Zhengwei Qi Chengcheng Xiang Ruhui Ma Jian Li Haibing Guan Wei, David S. L. |
description | Live forensics is an important technique in cloud security but faces the challenge of reliability. Most live forensic tools in cloud computing run either in the target operating system (OS) or as an extra hypervisor. Tools in the target OS are not reliable, since a compromised OS can deceive them. Furthermore, traditional general-purpose hypervisors are vulnerable due to their huge code size, yet some modules of a general-purpose hypervisor, such as device drivers, are unnecessary for forensics. In this paper, we propose a special-purpose hypervisor, called ForenVisor, which is dedicated to reliable live forensics. Reliability is improved in three ways: reducing the Trusted Computing Base (TCB) size through a lightweight architecture, collecting evidence directly from the hardware, and protecting the evidence and other sensitive files with the Filesafe module. We have implemented a proof-of-concept prototype on the Windows platform, which can acquire process data, raw memory, and I/O data such as keystrokes and network traffic. Furthermore, we evaluate ForenVisor in terms of code size, functionality, and performance. The experimental results show that ForenVisor has a relatively small TCB size of about 13 KLOC and only causes less than 10 percent performance reduction in the target system. In particular, our experiments verify that ForenVisor guarantees that the protected files remain untampered even when the guest OS is compromised by viruses such as 'ILOVEYOU' and Worm.WhBoy. Also, our system can be loaded as a hypervisor without pausing the target OS, which allows it to gather live evidence of the target OS without destroying it. We have also posted the source code of ForenVisor on GitHub. |
doi_str_mv | 10.1109/TCC.2016.2535295 |
format | article |
publisher | IEEE Computer Society |
coden | ITCCF6 |
eissn | 2168-7161; 2372-0018 |
tpages | 14 |
fulltext | fulltext |
identifier | ISSN: 2168-7161 |
ispartof | IEEE transactions on cloud computing, 2017-07, Vol.5 (3), p.443-456 |
issn | 2168-7161; 2372-0018 |
language | eng |
recordid | cdi_ieee_primary_7420687 |
source | IEEE Xplore (Online service) |
subjects | Cloud computing; file protection; Forensics; Hardware; io monitor; Live forensics; Performance evaluation; Reliability; Virtual machine monitors; Virtualization |
title | ForenVisor: A Tool for Acquiring and Preserving Reliable Data in Cloud Live Forensics |
url | http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-24T19%3A42%3A15IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-crossref_ieee_&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=ForenVisor:%20A%20Tool%20for%20Acquiring%20and%20Preserving%20Reliable%20Data%20in%20Cloud%20Live%20Forensics&rft.jtitle=IEEE%20transactions%20on%20cloud%20computing&rft.au=Zhengwei%20Qi&rft.date=2017-07&rft.volume=5&rft.issue=3&rft.spage=443&rft.epage=456&rft.pages=443-456&rft.issn=2168-7161&rft.eissn=2168-7161&rft.coden=ITCCF6&rft_id=info:doi/10.1109/TCC.2016.2535295&rft_dat=%3Ccrossref_ieee_%3E10_1109_TCC_2016_2535295%3C/crossref_ieee_%3E%3Cgrp_id%3Ecdi_FETCH-LOGICAL-c371t-a0b20a04618f5148e40c72d5ddf0b6bd78f0c4558143e5d09ee3aaf2107478f3%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=7420687&rfr_iscdi=true |