Visible to the public Biblio

Filters: Keyword is introspection  [Clear All Filters]
2021-07-08
Dovgalyuk, Pavel, Vasiliev, Ivan, Fursova, Natalia, Dmitriev, Denis, Abakumov, Mikhail, Makarov, Vladimir.  2020.  Non-intrusive Virtual Machine Analysis and Reverse Debugging with SWAT. 2020 IEEE 20th International Conference on Software Quality, Reliability and Security (QRS). :196—203.
This paper presents SWAT - System-Wide Analysis Toolkit. It is based on open source emulation and debugging projects and implements the approaches for non-intrusive system-wide analysis and debugging: lightweight OS-agnostic virtual machine introspection, full system execution replay, non-intrusive debugging with WinDbg, and full system reverse debugging. These features are based on novel non-intrusive introspection and reverse debugging methods. They are useful for stealth debugging and analysis of the platforms with custom kernels. SWAT includes multi-platform emulator QEMU with additional instrumentation and debugging features, GUI for convenient QEMU setup and execution, QEMU plugin for non-intrusive introspection, and modified version of GDB. Our toolkit may be useful for the developers of the virtual platforms, emulators, and firmwares/drivers/operating systems. Virtual machine intospection approach does not require loading any guest agents and source code of the OS. Therefore it may be applied to ROM-based guest systems and enables using of record/replay of the system execution. This paper includes the description of SWAT components, analysis methods, and some SWAT use cases.
2017-05-18
Chan, Ellick, Venkataraman, Shivaram, David, Francis, Chaugule, Amey, Campbell, Roy.  2010.  Forenscope: A Framework for Live Forensics. Proceedings of the 26th Annual Computer Security Applications Conference. :307–316.

Current post-mortem cyber-forensic techniques may cause significant disruption to the evidence gathering process by breaking active network connections and unmounting encrypted disks. Although newer live forensic analysis tools can preserve active state, they may taint evidence by leaving footprints in memory. To help address these concerns we present Forenscope, a framework that allows an investigator to examine the state of an active system without the effects of taint or forensic blurriness caused by analyzing a running system. We show how Forenscope can fit into accepted workflows to improve the evidence gathering process. Forenscope preserves the state of the running system and allows running processes, open files, encrypted filesystems and open network sockets to persist during the analysis process. Forenscope has been tested on live systems to show that it does not operationally disrupt critical processes and that it can perform an analysis in less than 15 seconds while using only 125 KB of memory. We show that Forenscope can detect stealth rootkits, neutralize threats and expedite the investigation process by finding evidence in memory.