Brian Hay

Forensics examination of volatile system data using virtual introspection

While static examination of computer systems is an important part of many digital forensics investigations, there are often important system properties present only in volatile memory that cannot be effectively recovered using static analysis techniques, such as offline hard disk acquisition and analysis. An alternative approach, involving the live analysis of target systems to uncover this volatile data, presents significant risks and challenges to forensic investigators as observation techniques are generally intrusive and can affect the system being observed. This paper provides a discussion of live digital forensics analysis through virtual introspection and presents a suite of virtual introspection tools developed for Xen (VIX tools). The VIX tools suite can be used for unobtrusive digital forensic examination of volatile system data in virtual machines, and addresses a key research area identified in the virtualization in digital forensics research agenda [22].

Storm Clouds Rising: Security Challenges for IaaS Cloud Computing

Securing our digital assets has become increasingly challenging as our reliance on rapidly evolving technologies continues to grow. The security perimeter in computing has changed from a well-defined boundary that was relatively easy to identify and defend, to an elastic boundary that is constantly changing and for which the threats are constantly evolving. This paper investigates the complex security challenges that are introduced by the trend towards Infrastructure as a Service (IaaS)-based cloud computing. While not exhaustive, it identifies some technological and legal issues and concerns from the perspectives of identified stakeholders, and suggests some future directions for security research and development to help advance the security posture of this technology.

Virtual Machine Introspection: Observation or Interference?

As virtualization becomes increasingly mainstream, virtual machine introspection techniques and tools are evolving to monitor VM behavior. A survey of existing approaches highlights key requirements, which are addressed by a new tool suite for the Xen VM monitoring system.

Digital Forensics: Defining a Research Agenda

While many fields have well-defined research agendas, evolution of the field of digital forensics has been largely driven by practitioners in the field. As a result, the majority of the tools and practice have been developed in response to a diverse set of specific threats or scenarios, rather than as the result of a research and development plan. In June, 2008 a group of digital forensics researchers, educators and practitioners met as a working group at the Colloquium for Information Systems Security Education (CISSE 2008) to brainstorm ideas for the development of a research, education, and outreach agenda for Digital Forensics. This paper outlines some of the ideas generated and new research categories and areas identified at this meeting, as well as a plan for future development of a formalized research agenda.

Investigating the Implications of Virtual Machine Introspection for Digital Forensics

Researchers and practitioners in computer forensics currently must base their analysis on information that is either incomplete or produced by tools that may themselves be compromised as a result of the intrusion. Complicating these issues are the techniques employed by the investigators themselves. If the system is quiescent when examined, most of the information in memory has been lost. If the system is active, the kernel and programs used by the forensic investigators are likely to influence the results and as such are themselves suspect. Using virtual machines and a technique called virtual machine introspection can help overcome these limits, but it introduces its own research challenges. Recent developments in virtual machine introspection have led to the identification of four initial priority research areas in virtual machine introspection including virtual machine introspection tool development, applications of virtual machine introspection to non-quiescent virtual machines, virtual machine introspection covert operations, and virtual machine introspection detection.

Virtualization and Digital Forensics: A Research and Education Agenda

The application of virtualization software and techniques in information technology research and education has provided a foundational environment to advance the state-of-the-art in research and education in many related areas. Commercial and open source virtualization products are being used by researchers and educators to create a wide variety of virtual environments. These virtual environments facilitate systems design and development and product development as well as the testing and modeling of production and preproduction systems. As the capabilities, functionality, and stability of these products have evolved, the use of virtualization has expanded, necessitating the identification of new research areas to investigate the impacts of virtualization on digital forensics. In February 2007, a group of digital forensics researchers, educators, and practitioners gathered at the National Center for Forensic Science at the University of Central Florida for the 2007 Workshop on Virtualization in Digital Forensics to discuss these issues and develop a research and education agenda for virtualization and digital forensics. This article outlines some of the ideas generated and new research categories and areas identified at this meeting.

Automatic transformations between geoscience standards using XML

As models and analysis tools for geoscience applications become increasingly complex, they allow researchers to manipulate larger, richer, and more finely-grained datasets, often gathered from diverse heterogeneous sources. These complex models and analysis tools provide scientists with opportunities to investigate phenomena in much greater depth, but this additional power is not without cost. Often this cost is expressed in the time required on the part of the researcher to identify, gather, and transform the data necessary to satisfy the demands of their data-intensive computational tools. In addition, it can be difficult to extract all of the meaningful contents of the datasets when metadata is missing, nonstandardized, or in a format unfamiliar to or incompatible with the user application or analysis tool. The evolution of XML standards has simplified this problem by providing domain-specific methodologies for creating self-describing datasets. The evolution of XML standards has also presented the challenge of choosing the best standard for each scientific domain and associated community of interest (COI); however, the process of selecting or creating a domain-specific XML data format standard can be extremely contentious. In addition, many researchers require information compilation from diverse datasets that are stored using differing standards. This research effort presents a mechanism for automating transformations between scientific standards using XML with a focus on the application of the technology to the diverse geoscience XML standards while maintaining the integrity associated with the datasets. This technological capability minimizes the impact of committing to a particular XML standard by providing the flexibility to transform data between standards either to update or change the standard, to bring datasets into conformance for a particular application or data portal, or to transform data to increase its usability for new COIs while maintaining data integrity. ility for new COIs while maintaining data security standards.

Using Virtualization to Create and Deploy Computer Security Lab Exercises

Providing computer security laboratory exercises enables students to experience and understand the underlying concepts associated with computer security, but there are many impediments to the creation of realistic exercises of this type. Virtualization provides a mechanism for creating and deploying authentic computer security laboratory experiences for students while minimizing the associated configuration time and reducing the associated hardware requirements. This paper provides a justification for using virtualization to create and deploy computer security lab exercises by presenting and discussing examples of applied lab exercises that have been successfully used at two leading computer security programs. The application of virtualization mitigates many of the challenges encountered in using traditional computer laboratory environments for information assurance educational scenarios.

Replicating and Sharing Computer Security Laboratory Environments

Many institutions are currently investigating the feasibility of creating Computer Security Laboratory environments for their researchers and students. This paper compares four of the current isolated and remote access labs that institutions could use as models to minimize the effort required to create or access a working computer security lab without investing the years of effort that the original creators did. Laboratory attributes investigated include scalability, access capabilities, teaching environments, time requirements, and cost requirements. Additionally a discussion of the challenges associated with each environment is presented. Finally, a model for sharing remote access laboratory capabilities is delineated as an alternative for programs for which the creation of a local remote access lab would not be cost effective and some future investigation areas are identified.

Are Your Papers in Order? Developing and Enforcing Multi-tenancy and Migration Policies in the Cloud

As cloud usage continues to increase, new issues with respect to managing and securing resources in the cloud are becoming more apparent. While some people may believe that security and privacy in the cloud can be addressed without the consumer considering the physical location and internal structure of the cloud, we show that this is clearly not the case. Furthermore, we describe a mechanism by which cloud consumers can inform cloud providers of their requirements in a manner that still allows the cloud to remain dynamic and flexible. Specifically, this paper explores the analogy between human migration in the real world and virtual machine migration in an IaaS cloud environment. It addresses issues such as jurisdictional control, zone evolution, migration, and instantiation based on an examination of these analogous real-world scenarios and their applicability to the cloud.