START Conference Manager    

Simulating Windows-Based Cyber Attacks Using Live Virtual Machine Introspection

Dustyn Dodge and Barry Mullins

The 2010 Summer Computer Simulation Conference (SCSC 10)
Ottawa, Canada, July 11-14, 2010


Summary

Traditional static memory analysis has been proven as a valuable technique for data forensics. Investigators are able to locate and extract valuable information from a system’s storage media. However, in order to prevent observer effects, the system is typically halted causing the loss of important dynamic system data. As a result, live analysis techniques have emerged to complement static analysis. In this paper, a compiled memory analysis tool for virtualization (CMAT-V) is presented as a virtual machine introspection (VMI) utility to conduct live analysis during simulated cyber attacks. CMAT-V leverages static memory dump analysis techniques to provide live system state awareness. CMAT-V parses an arbitrary memory dump from a simulated operating system (OS) to extract user information, network usage, active process information and registry files. Unlike some VMI applications, CMAT-V bridges the semantic gap using derivation techniques. This provides increased operating system compatibility for current and future operating systems. This research will evaluate the usefulness of CMAT-V as a situational awareness tool during simulated cyber attacks, measure performance of CMAT-V functions and determine the impact of CMAT-V on overall system performance.


START Conference Manager (V2.56.8 - Rev. 1182)