Memory Forensics Using Virtual Machine Introspection for Cloud Computing

Presented at Black Hat USA 2016, Aug. 3, 2016, 11:30 a.m. (25 minutes)

The relocation of systems and services into cloud environments is on the rise. Because of this trend, users lose direct control over their machines and depend on the services offered by cloud providers. In the field of digital forensics in particular, these services are very rudimentary, and the possibilities for users to analyze their virtual machines with forensic methods are very limited. In the research underlying this talk, a practical approach has been developed that gives the user additional capabilities for forensic investigations. The solution focuses on a memory forensic service offering. To reach this goal, a management solution for cloud environments has been extended with memory forensic services. Self-developed memory forensic services, which are installed on each cloud node and managed through the cloud management component, form the basis of this solution. Forensic data is gained via virtual machine introspection techniques. Compared to other approaches, this makes it possible to obtain trustworthy data without influencing the running system. Additionally, a general overview of the underlying technologies is provided and their pros and cons are discussed. The solution approach is discussed in a generic way and practically implemented in a prototype. In this prototype, OpenNebula is used for managing the cloud infrastructure, in combination with Xen as the virtualization component, LibVMI as the virtual machine introspection library and Volatility as the forensic tool.
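The abstract describes a per-node memory forensic service that reads guest memory through an introspection interface and hands a flat image to a forensic tool. The following is an added example, not code from the talk or its prototype, of what the acquisition and integrity part of such a service can look like in Python: every guest-physical page is read through a small backend interface, the result is written as a flat raw image (the layout Volatility consumes), and a manifest with per-page and whole-image SHA-256 hashes is produced so the analyst can later prove the image was not altered. The `IntrospectionBackend` interface and the `ConstructedGuest` stand-in are assumptions for illustration; a real deployment would implement the interface with an adapter over LibVMI's memory-size, pause/resume and physical-read calls, which is not shown here.

```python
"""Added example: page-wise guest memory acquisition with an integrity manifest.
Not the talk's prototype code; the backend interface and sample guest are constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

PAGE_SIZE = 4096


class IntrospectionBackend:
    """Minimal interface the acquisition service needs from a VMI library.
    A production adapter (assumed, not shown) would wrap LibVMI's calls."""

    def mem_size(self) -> int:
        raise NotImplementedError

    def read_physical(self, paddr: int, length: int) -> Optional[bytes]:
        raise NotImplementedError

    def pause(self) -> None:
        raise NotImplementedError

    def resume(self) -> None:
        raise NotImplementedError


class ConstructedGuest(IntrospectionBackend):
    """Constructed stand-in for a real guest: a bytes buffer plus a set of
    page addresses the hypervisor refuses to map (e.g. device holes)."""

    def __init__(self, memory: bytes, unreadable_pages=()):
        self._memory = memory
        self._unreadable = set(unreadable_pages)
        self.paused = False

    def mem_size(self) -> int:
        return len(self._memory)

    def read_physical(self, paddr: int, length: int) -> Optional[bytes]:
        if paddr in self._unreadable:
            return None
        return self._memory[paddr:paddr + length]

    def pause(self) -> None:
        self.paused = True

    def resume(self) -> None:
        self.paused = False


@dataclass
class AcquisitionManifest:
    vm_name: str
    mem_size: int
    page_size: int
    page_hashes: List[str]
    unreadable_pages: List[int]
    image_sha256: str

    def to_json(self) -> str:
        return json.dumps(asdict(self), indent=2)


def acquire(backend: IntrospectionBackend, vm_name: str) -> Tuple[bytes, AcquisitionManifest]:
    """Read every guest-physical page through the introspection interface and
    build a flat raw image plus a manifest of per-page and whole-image hashes.
    The guest is paused for a consistent snapshot but is never written to."""
    page_hashes: List[str] = []
    unreadable: List[int] = []
    image = bytearray()
    backend.pause()
    try:
        size = backend.mem_size()
        for paddr in range(0, size, PAGE_SIZE):
            length = min(PAGE_SIZE, size - paddr)
            data = backend.read_physical(paddr, length)
            if data is None:
                # Keep image offsets stable: an unreadable page is zero-filled
                # and recorded, so the analyst knows those bytes are not guest data.
                unreadable.append(paddr)
                data = b"\x00" * length
            page_hashes.append(hashlib.sha256(data).hexdigest())
            image += data
    finally:
        backend.resume()
    manifest = AcquisitionManifest(
        vm_name=vm_name,
        mem_size=size,
        page_size=PAGE_SIZE,
        page_hashes=page_hashes,
        unreadable_pages=unreadable,
        image_sha256=hashlib.sha256(image).hexdigest(),
    )
    return bytes(image), manifest


def changed_pages(image: bytes, manifest: AcquisitionManifest) -> List[int]:
    """Return the page addresses whose hash no longer matches the manifest."""
    changed = []
    for i, paddr in enumerate(range(0, manifest.mem_size, manifest.page_size)):
        page = image[paddr:paddr + manifest.page_size]
        if hashlib.sha256(page).hexdigest() != manifest.page_hashes[i]:
            changed.append(paddr)
    return changed


def verify(image: bytes, manifest: AcquisitionManifest) -> bool:
    """Re-hash an image against its manifest; False on any size or content change."""
    if len(image) != manifest.mem_size:
        return False
    if hashlib.sha256(image).hexdigest() != manifest.image_sha256:
        return False
    return not changed_pages(image, manifest)


if __name__ == "__main__":
    # Constructed guest: two full pages plus a 7-byte tail, with page 0x1000 unreadable.
    guest = ConstructedGuest(bytes(range(256)) * 32 + b"partial", unreadable_pages={0x1000})
    img, mf = acquire(guest, "vm-under-analysis")
    print(mf.to_json())
    print("verified:", verify(img, mf))
```

The manifest is what the cloud management component would store alongside the image: because hashes are kept per page, a failed verification can be narrowed to the affected pages with `changed_pages`, and the recorded unreadable pages tell the analyst which zero regions are acquisition holes rather than guest content.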


Presenters:

  • Tobias Zillner - Zillner IT-Security
    Tobias Zillner runs his own security consulting company and works as an independent researcher on several security projects. He conducts information systems audits in order to assess compliance with relevant internal and external requirements and to provide a customer's management with an independent opinion regarding the effectiveness and efficiency of IT systems. Furthermore, Tobias evaluates and assures the security of information technology by performing web application and web service penetration tests, source code analysis, as well as network and infrastructure penetration tests. He has a Bachelor's degree in Computer and Media Security, a Master's degree in IT Security and a Master's degree in Information Systems Management. Tobias' expertise also extends to the IT Governance, Risk and Compliance domains. He also holds a wide range of certifications, such as CISSP, CISA, QSA, CEH, ITIL and COBIT.
