Vis: Virtualization enhanced live forensics acquisition for native system

摘要

Current live acquisition systems can obtain memory content of a running system, but they either fail to provide accurate native system physical memory acquisition at the given time point or require suspending the machine and altering the execution environment drastically. To address this issue, we propose Vis, a lightweight virtualization approach to provide accurate retrieval of physical memory content without disturbing the execution of the target native system. Our experimental results indicate that Vis is capable of reliably retrieving an accurate system image. Moreover, Vis accomplishes live acquisition in around 100 s, where previous remote live acquisition tools take hours and static acquisition takes days. On average, the performance reduction for the target system is 9.62%.