(Short Paper) Evidence Collection and Preservation System with Virtual Machine Monitoring

Toru Nakamura; Hiroshi Ito; Shinsaku Kiyomoto; Toshihiro Yamauchi

doi:10.1007/978-3-030-85987-9_4

(Short Paper) Evidence Collection and Preservation System with Virtual Machine Monitoring

Toru Nakamura, Hiroshi Ito, Shinsaku Kiyomoto, Toshihiro Yamauchi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In a system audit and verification, it is important to securely collect and preserve evidence of execution environments, execution processes, and program execution results. Evidence-based verification of program processes ensures their authenticity; for example, the processes include no altered/infected program library. This paper proposes a solution for collection of evidence on program libraries based on Virtual Machine Monitor (VMM). The solution can solve semantic gap by obtaining library file path names. This paper also shows a way to obtain hash values of library files from a guest OS. Furthermore, this paper provides examples of evidence on program execution and the overhead of the solution.

Original language	English
Title of host publication	Advances in Information and Computer Security - 16th International Workshop on Security, IWSEC 2021, Proceedings
Editors	Toru Nakanishi, Ryo Nojima
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	64-73
Number of pages	10
ISBN (Print)	9783030859862
DOIs	https://doi.org/10.1007/978-3-030-85987-9_4
Publication status	Published - 2021
Event	16th International Workshop on Security, IWSEC 2021 - Virtual, Online Duration: Sep 8 2021 → Sep 10 2021

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	12835 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	16th International Workshop on Security, IWSEC 2021
City	Virtual, Online
Period	9/8/21 → 9/10/21

Keywords

Forensics
OS security
Virtual Machine Introspection

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-030-85987-9_4

Cite this

Nakamura, T., Ito, H., Kiyomoto, S., & Yamauchi, T. (2021). (Short Paper) Evidence Collection and Preservation System with Virtual Machine Monitoring. In T. Nakanishi, & R. Nojima (Eds.), Advances in Information and Computer Security - 16th International Workshop on Security, IWSEC 2021, Proceedings (pp. 64-73). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12835 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-85987-9_4

(Short Paper) Evidence Collection and Preservation System with Virtual Machine Monitoring. / Nakamura, Toru; Ito, Hiroshi; Kiyomoto, Shinsaku; Yamauchi, Toshihiro.

Advances in Information and Computer Security - 16th International Workshop on Security, IWSEC 2021, Proceedings. ed. / Toru Nakanishi; Ryo Nojima. Springer Science and Business Media Deutschland GmbH, 2021. p. 64-73 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12835 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Nakamura, T, Ito, H, Kiyomoto, S & Yamauchi, T 2021, (Short Paper) Evidence Collection and Preservation System with Virtual Machine Monitoring. in T Nakanishi & R Nojima (eds), Advances in Information and Computer Security - 16th International Workshop on Security, IWSEC 2021, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12835 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 64-73, 16th International Workshop on Security, IWSEC 2021, Virtual, Online, 9/8/21. https://doi.org/10.1007/978-3-030-85987-9_4

Nakamura T, Ito H, Kiyomoto S, Yamauchi T. (Short Paper) Evidence Collection and Preservation System with Virtual Machine Monitoring. In Nakanishi T, Nojima R, editors, Advances in Information and Computer Security - 16th International Workshop on Security, IWSEC 2021, Proceedings. Springer Science and Business Media Deutschland GmbH. 2021. p. 64-73. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-030-85987-9_4

Nakamura, Toru ; Ito, Hiroshi ; Kiyomoto, Shinsaku ; Yamauchi, Toshihiro. / (Short Paper) Evidence Collection and Preservation System with Virtual Machine Monitoring. Advances in Information and Computer Security - 16th International Workshop on Security, IWSEC 2021, Proceedings. editor / Toru Nakanishi ; Ryo Nojima. Springer Science and Business Media Deutschland GmbH, 2021. pp. 64-73 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{fa5ef196e5f44c31aefe22f7185188c7,

title = "(Short Paper) Evidence Collection and Preservation System with Virtual Machine Monitoring",

abstract = "In a system audit and verification, it is important to securely collect and preserve evidence of execution environments, execution processes, and program execution results. Evidence-based verification of program processes ensures their authenticity; for example, the processes include no altered/infected program library. This paper proposes a solution for collection of evidence on program libraries based on Virtual Machine Monitor (VMM). The solution can solve semantic gap by obtaining library file path names. This paper also shows a way to obtain hash values of library files from a guest OS. Furthermore, this paper provides examples of evidence on program execution and the overhead of the solution.",

keywords = "Forensics, OS security, Virtual Machine Introspection",

author = "Toru Nakamura and Hiroshi Ito and Shinsaku Kiyomoto and Toshihiro Yamauchi",

note = "Funding Information: This work was partially supported by JSPS KAKENHI Grant Numbers 19H04109 and 19H05579. Publisher Copyright: {\textcopyright} 2021, Springer Nature Switzerland AG.; 16th International Workshop on Security, IWSEC 2021 ; Conference date: 08-09-2021 Through 10-09-2021",

year = "2021",

doi = "10.1007/978-3-030-85987-9_4",

language = "English",

isbn = "9783030859862",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "64--73",

editor = "Toru Nakanishi and Ryo Nojima",

booktitle = "Advances in Information and Computer Security - 16th International Workshop on Security, IWSEC 2021, Proceedings",

address = "Germany",

}

TY - GEN

T1 - (Short Paper) Evidence Collection and Preservation System with Virtual Machine Monitoring

AU - Nakamura, Toru

AU - Ito, Hiroshi

AU - Kiyomoto, Shinsaku

AU - Yamauchi, Toshihiro

PY - 2021

Y1 - 2021

N2 - In a system audit and verification, it is important to securely collect and preserve evidence of execution environments, execution processes, and program execution results. Evidence-based verification of program processes ensures their authenticity; for example, the processes include no altered/infected program library. This paper proposes a solution for collection of evidence on program libraries based on Virtual Machine Monitor (VMM). The solution can solve semantic gap by obtaining library file path names. This paper also shows a way to obtain hash values of library files from a guest OS. Furthermore, this paper provides examples of evidence on program execution and the overhead of the solution.

AB - In a system audit and verification, it is important to securely collect and preserve evidence of execution environments, execution processes, and program execution results. Evidence-based verification of program processes ensures their authenticity; for example, the processes include no altered/infected program library. This paper proposes a solution for collection of evidence on program libraries based on Virtual Machine Monitor (VMM). The solution can solve semantic gap by obtaining library file path names. This paper also shows a way to obtain hash values of library files from a guest OS. Furthermore, this paper provides examples of evidence on program execution and the overhead of the solution.

KW - Forensics

KW - OS security

KW - Virtual Machine Introspection

UR - http://www.scopus.com/inward/record.url?scp=85115234297&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85115234297&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-85987-9_4

DO - 10.1007/978-3-030-85987-9_4

M3 - Conference contribution

AN - SCOPUS:85115234297

SN - 9783030859862

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 64

EP - 73

BT - Advances in Information and Computer Security - 16th International Workshop on Security, IWSEC 2021, Proceedings

A2 - Nakanishi, Toru

A2 - Nojima, Ryo

PB - Springer Science and Business Media Deutschland GmbH

T2 - 16th International Workshop on Security, IWSEC 2021

Y2 - 8 September 2021 through 10 September 2021

ER -

(Short Paper) Evidence Collection and Preservation System with Virtual Machine Monitoring

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this