Hypervisor memory acquisition for ARM

Raz Ben Yehuda; Erez Shlingbaum; Yuval Gershfeld; Shaked Tayouri; Nezer Jacob Zaidenberg

doi:10.1016/j.fsidi.2020.301106

Hypervisor memory acquisition for ARM

Raz Ben Yehuda, Erez Shlingbaum, Yuval Gershfeld, Shaked Tayouri, Nezer Jacob Zaidenberg

Research output: Contribution to journal › Article › peer-review

Abstract

Cyber forensics use memory acquisition in advanced forensics and malware analysis. We propose a hypervisor based memory acquisition tool. Our implementation extends the volatility memory forensics framework by reducing the processor's consumption, solves the in-coherency problem in the memory snapshots and mitigates the pressure of the acquisition on the network and the disk. We provide benchmarks and evaluation.

Original language	English
Article number	301106
Journal	Forensic Science International: Digital Investigation
Volume	37
DOIs	https://doi.org/10.1016/j.fsidi.2020.301106
State	Published - Jun 2021
Externally published	Yes

Keywords

ARM
Hypervisor
Linux
Real time
Virtualization

All Science Journal Classification (ASJC) codes

Computer Science Applications
Information Systems
Pathology and Forensic Medicine
Law
Medical Laboratory Technology

Access to Document

10.1016/j.fsidi.2020.301106

Cite this

@article{301c7e2a0f7445a9886de24b0ed025cc,

title = "Hypervisor memory acquisition for ARM",

abstract = "Cyber forensics use memory acquisition in advanced forensics and malware analysis. We propose a hypervisor based memory acquisition tool. Our implementation extends the volatility memory forensics framework by reducing the processor's consumption, solves the in-coherency problem in the memory snapshots and mitigates the pressure of the acquisition on the network and the disk. We provide benchmarks and evaluation.",

keywords = "ARM, Hypervisor, Linux, Real time, Virtualization",

author = "Yehuda, {Raz Ben} and Erez Shlingbaum and Yuval Gershfeld and Shaked Tayouri and Zaidenberg, {Nezer Jacob}",

note = "Publisher Copyright: {\textcopyright} 2021 Elsevier Ltd",

year = "2021",

month = jun,

doi = "10.1016/j.fsidi.2020.301106",

language = "الإنجليزيّة",

volume = "37",

journal = "Forensic Science International: Digital Investigation",

issn = "2666-2825",

publisher = "Elsevier Ltd.",

}

TY - JOUR

T1 - Hypervisor memory acquisition for ARM

AU - Yehuda, Raz Ben

AU - Shlingbaum, Erez

AU - Gershfeld, Yuval

AU - Tayouri, Shaked

AU - Zaidenberg, Nezer Jacob

PY - 2021/6

Y1 - 2021/6

N2 - Cyber forensics use memory acquisition in advanced forensics and malware analysis. We propose a hypervisor based memory acquisition tool. Our implementation extends the volatility memory forensics framework by reducing the processor's consumption, solves the in-coherency problem in the memory snapshots and mitigates the pressure of the acquisition on the network and the disk. We provide benchmarks and evaluation.

AB - Cyber forensics use memory acquisition in advanced forensics and malware analysis. We propose a hypervisor based memory acquisition tool. Our implementation extends the volatility memory forensics framework by reducing the processor's consumption, solves the in-coherency problem in the memory snapshots and mitigates the pressure of the acquisition on the network and the disk. We provide benchmarks and evaluation.

KW - ARM

KW - Hypervisor

KW - Linux

KW - Real time

KW - Virtualization

UR - http://www.scopus.com/inward/record.url?scp=85102968441&partnerID=8YFLogxK

U2 - 10.1016/j.fsidi.2020.301106

DO - 10.1016/j.fsidi.2020.301106

M3 - مقالة

SN - 2666-2825

VL - 37

JO - Forensic Science International: Digital Investigation

JF - Forensic Science International: Digital Investigation

M1 - 301106

ER -

Hypervisor memory acquisition for ARM

Abstract

Keywords

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Cite this