
ForenVisor: A Tool for Acquiring and Preserving Reliable Data in Cloud Live Forensics

Live forensics is an important technique in cloud security, but it faces the challenge of reliability. Most live forensic tools in cloud computing run either in the target Operating System (OS) or as an extra hypervisor. Tools in the target OS are not reliable, since they might be deceived by a compromised OS. Furthermore, traditional general-purpose hypervisors are vulnerable because of their huge code size, even though some modules of a general-purpose hypervisor, such as device drivers, are unnecessary for forensics. In this paper, we propose a special-purpose hypervisor, called ForenVisor, which is dedicated to reliable live forensics. Reliability is improved in three ways: reducing the Trusted Computing Base (TCB) size by leveraging a lightweight architecture, collecting evidence directly from the hardware, and protecting the evidence and other sensitive files with the Filesafe module. We have implemented a proof-of-concept prototype on the Windows platform, which can acquire process data, raw memory, and I/O data such as keystrokes and network traffic. Furthermore, we evaluate ForenVisor in terms of code size, functionality, and performance. The experimental results show that ForenVisor has a relatively small TCB size of about 13 KLOC and causes less than 10 percent performance reduction in the target system. In particular, our experiments verify that ForenVisor can guarantee that the protected files remain untampered even when the guest OS is compromised by viruses such as 'ILOVEYOU' and Worm.WhBoy. Also, our system can be loaded as a hypervisor without needing to pause the target OS, which allows it not only to avoid destroying the live evidence of the target OS but also to gather it. We also posted the source code of ForenVisor on GitHub.

Bibliographic Details
Published in: IEEE transactions on cloud computing, 2017-07, Vol.5 (3), p.443-456
Main Authors: Zhengwei Qi, Chengcheng Xiang, Ruhui Ma, Jian Li, Haibing Guan, Wei, David S. L.
Format: Article
Language: English
Publisher: IEEE Computer Society
ISSN: 2168-7161; EISSN: 2168-7161, 2372-0018; CODEN: ITCCF6
DOI: 10.1109/TCC.2016.2535295
Online Access: https://ieeexplore.ieee.org/document/7420687
Subjects: Cloud computing; file protection; Forensics; Hardware; io monitor; Live forensics; Performance evaluation; Reliability; Virtual machine monitors; Virtualization