XenServer-platform-oriented Virtual machine memory evidence collection method

A memory forensics method for virtual machines, applied in the field of virtual machine memory forensics, that addresses the difficulty of analyzing virtual machine memory and the complexity of the analysis procedure.

Active Publication Date: 2018-01-23
SHANDONG COMP SCI CENTNAT SUPERCOMP CENT IN JINAN


Problems solved by technology

[0019] (3) During analysis the procedure is more complicated, and the version information of the virtual machine operating system needs to be supplied to be able to carry out
[0024] These address translation problems make memory analysis under Xen/XenServer difficult.

Detailed description of the embodiments

[0119] It should be pointed out that the following detailed description is exemplary and intended to provide further explanation to the present application. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.

[0120] The concepts and technical terms involved mainly include virtual machines, XenServer, VMCS and EPT.

[0121] A virtual machine (Virtual Machine, VM) is one of multiple independent virtual hardware systems simulated on a single hardware platform; each has complete hardware system functionality, runs in a completely isolated environment, and can run a different operating system, known as the guest operating system (Guest OS). These guest operating systems access the actual physical resources through a virtual machine monitor (Virtual Machine Monitor, VMM). The term domain is rendered in Chinese as 域; vcp...

Abstract

The invention discloses a XenServer-platform-oriented virtual machine memory evidence collection method. The method comprises the steps of: obtaining the physical memory of the host computer as a memory image file; obtaining the kernel symbol table file of the host computer; obtaining the physical address of the vmcoreinfo_xen content; obtaining the vmcoreinfo_xen content from that physical address and parsing from it the virtual addresses of the kernel symbols domain_list and pgd_l4; converting the virtual address of pgd_l4 into a physical address; obtaining the address of a structure; obtaining the structures corresponding to the virtual machines by following the relationships among structures; performing address translation of the virtual machines' physical addresses; once the content of a virtual machine's physical memory has been obtained, determining the version of the virtual machine's operating system; and, after the virtual machine operating system has been determined, analyzing the physical memory with the memory analysis method corresponding to that operating system version.
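As an added worked example (not part of the patent), the symbol-parsing and structure-walking steps above in Python: it parses a constructed vmcoreinfo_xen blob in the SYMBOL()/OFFSET() line format that Xen exports for crash tools, bootstraps the physical address of pgd_l4 with an assumed linear offset (VIRT_BASE), walks the four-level page tables rooted there (including the 2 MiB superpage case) to reach domain_list, and follows next_in_list to enumerate domain IDs from a constructed 24 KiB memory image. The structure offsets, addresses and the image are all made up for the example; on a real dump the offsets come from the dump's own vmcoreinfo_xen content and the virtual-to-physical bootstrap depends on the Xen version.

```python
import re, struct
PRESENT, LARGE, ADDR_MASK = 1 << 0, 1 << 7, 0x000ffffffffff000
# Assumption: hypervisor symbols sit in a linearly mapped range, phys = virt - VIRT_BASE (layout is Xen-version-specific).
VIRT_BASE = 0xffff83c000000000
# Constructed vmcoreinfo_xen text in the SYMBOL()/SIZEOF()/OFFSET() vmcoreinfo line convention; every value is made up.
VMCOREINFO_XEN = b"""SYMBOL(pgd_l4)=ffff83c000000000
SYMBOL(domain_list)=ffff83c000005000
OFFSET(domain.domain_id)=0
OFFSET(domain.next_in_list)=8
"""

def parse_vmcoreinfo(blob):
    """Map 'KIND(name)' -> int; SYMBOL values are hex, SIZEOF/OFFSET values are decimal."""
    info = {}
    for kind, name, val in re.findall(rb"^(SYMBOL|SIZEOF|OFFSET)\(([^)]+)\)=(\w+)$", blob, re.M):
        info[f"{kind.decode()}({name.decode()})"] = int(val, 16 if kind == b"SYMBOL" else 10)
    return info

def walk_page_tables(mem, pgd_l4_phys, va):
    """4-level x86-64 walk rooted at pgd_l4; returns the physical address, handling 2 MiB superpages."""
    table = pgd_l4_phys
    for shift in (39, 30, 21, 12):
        entry = struct.unpack_from("<Q", mem, table + ((va >> shift) & 0x1ff) * 8)[0]
        if not entry & PRESENT:
            raise ValueError(f"unmapped virtual address {va:#x}")
        if shift == 21 and entry & LARGE:  # PS bit at the PD level: 2 MiB page, 21-bit page offset
            return (entry & 0x000fffffffe00000) | (va & 0x1fffff)
        table = entry & ADDR_MASK
    return table | (va & 0xfff)

def list_domains(mem, info):
    pgd_phys = info["SYMBOL(pgd_l4)"] - VIRT_BASE  # bootstrap: the root table's physical address via the linear map
    off_id, off_next = info["OFFSET(domain.domain_id)"], info["OFFSET(domain.next_in_list)"]
    dom_va = struct.unpack_from("<Q", mem, walk_page_tables(mem, pgd_phys, info["SYMBOL(domain_list)"]))[0]
    ids = []
    while dom_va:  # follow next_in_list until the NULL terminator
        dom_phys = walk_page_tables(mem, pgd_phys, dom_va)
        ids.append(struct.unpack_from("<H", mem, dom_phys + off_id)[0])  # domid_t is 16-bit
        dom_va = struct.unpack_from("<Q", mem, dom_phys + off_next)[0]
    return ids

def build_sample_image():
    """Constructed 24 KiB dump: PML4 at 0x0, PDPT at 0x1000, PD at 0x2000 mapping one 2 MiB superpage to phys 0."""
    mem, va = bytearray(6 * 0x1000), VIRT_BASE
    for tbl, shift, entry in ((0x0000, 39, 0x1000), (0x1000, 30, 0x2000), (0x2000, 21, LARGE)):
        struct.pack_into("<Q", mem, tbl + ((va >> shift) & 0x1ff) * 8, entry | PRESENT)
    struct.pack_into("<HxxxxxxQ", mem, 0x4000, 0, VIRT_BASE + 0x4040)  # dom0, next -> second domain
    struct.pack_into("<HxxxxxxQ", mem, 0x4040, 5, 0)                   # domid 5, end of list
    struct.pack_into("<Q", mem, 0x5000, VIRT_BASE + 0x4000)            # the domain_list pointer variable
    return mem
```

Running `list_domains(build_sample_image(), parse_vmcoreinfo(VMCOREINFO_XEN))` yields the domain IDs `[0, 5]`; a virtual address with no present entry raises ValueError instead of returning garbage.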

Description

Technical field

[0001] The invention relates to a virtual machine memory forensics method for the XenServer platform.

Background art

[0002] Compared with traditional file-system-based forensics, memory forensics research started relatively late, beginning with the memory forensic analysis challenge for Windows systems that the well-known DFRWS (Digital Forensic Research Workshop) launched in the summer of 2005 to encourage research on memory forensic analysis and the development of related forensic tools. In 2008, DFRWS launched a memory forensic analysis challenge for Linux systems. Since then, almost every DFRWS conference has included a discussion topic on memory forensic analysis. In addition, well-known hacker conferences (Black Hat, DEF CON, ShmooCon, etc.) have held memory forensic analysis sessions since 2006.

[0003] Industry and government are equally interested in memory forensic analysis research. The RCFL...

Application Information

Patent Type & Authority Applications(China)
IPC(8): G06F 9/455; G06F 9/50
Inventors: 张淑慧, 王连海, 刘广起, 杨淑棉, 徐淑奖, 韩晓晖, 邹丰义
Owner SHANDONG COMP SCI CENTNAT SUPERCOMP CENT IN JINAN