Procmon linux
Scalable, in-depth VM instrumentation and introspection require fast handling of events as well as direct access to VM state. The current challenge is that most hypervisors do not expose an application programming interface (API) at a level sufficient for transparent, fine-grained and customizable introspection, and the storage and collection of actionable data remain exhausting problems. A hypervisor sits below the guest and can covertly monitor, introspect and interact with it in a transparent fashion. Traditional forensic techniques, built on the assumption that the filesystem interacted directly with the hardware through an abstraction, afforded the forensic practitioner the further assumption that nothing below the filesystem was controlling the application; this is not the case when virtualized technologies are in use. The concept of a VM serviced by a lightweight hypervisor is a relatively new paradigm for forensic practitioners. Such a capability is required to take advantage of the hypervisor as an instrumentation platform and to integrate that data with more traditional collection mechanisms. We developed a method by which an introspection application may be coupled with a hypervisor to "reach into" the VM with minimal intrusiveness and collect data critical to the reconstruction of events, files and operations. As systems and devices become virtualized and deployed in the cloud, the hypervisor becomes an increasingly appropriate place to collect performance data, system state, system landscape, function calls, transaction traces and other characteristics.