Methods, systems, and computer readable media for efficient computer forensic analysis and data access control
| Title: | Methods, systems, and computer readable media for efficient computer forensic analysis and data access control |
|---|---|
| Patent Number: | 9,721,089 |
| Publication Date: | August 01, 2017 |
| Appl. No: | 14/115094 |
| Application Filed: | May 07, 2012 |
| Abstract: | According to one aspect, the subject matter described herein includes a method for efficient computer forensic analysis and data access control. The method includes steps occurring from within a virtualization layer separate from a guest operating system. The steps include monitoring disk accesses by the guest operating system to a region of interest on a disk from which data is copied into memory. The steps also include tracking subsequent accesses to the memory resident data where the memory resident data is copied from its initial location to other memory locations or over a network. The steps further include linking operations made by the guest operating system associated with the disk accesses with operations made by the guest operating system associated with the memory accesses. |
| Inventors: | Krishnan, Srinivas (Carrboro, NC, US); Monrose, Fabian (Chapel Hill, NC, US); Snow, Kevin (Cary, NC, US) |
| Assignees: | The University of North Carolina at Chapel Hill (Chapel Hill, NC, US) |
| Claim: | 1. A method for efficient computer forensic analysis and data access control, the method comprising: from within a virtualization layer of a first computing system separate from a guest operating system executing on the first computing system: monitoring disk accesses by the guest operating system to a region of interest on a disk from which data is copied into memory; tracking subsequent accesses to memory resident data where the memory resident data is copied from its initial location to other memory locations or over a network; linking operations made by the guest operating system associated with the disk accesses with operations made by the guest operating system associated with the memory accesses, wherein the operations made by the guest operating system associated with the disk accesses include a file read operation and wherein linking the operations made by the guest operating system associated with the disk accesses with the operations associated with the memory accesses includes examining source and destination parameters associated with the file read operation to infer that the operations concern the same data; and selectively blocking accesses by the guest operating system to memory or disk locations containing data of interest. |
| Claim: | 2. The method of claim 1 wherein the virtualization layer comprises a hypervisor layer. |
| Claim: | 3. The method of claim 1 wherein monitoring disk accesses includes maintaining a watch list of virtual machine disk blocks containing data of interest and determining whether a disk access corresponds to any of the virtual machine blocks on the watch list. |
| Claim: | 4. The method of claim 3 wherein tracking subsequent accesses to the memory resident data includes, in response to determining that the disk access corresponds to a virtual machine disk block on the watch list, triggering a memory monitoring module located within the virtualization layer to monitor a physical page of memory into which blocks of data from the disk access are paged. |
| Claim: | 5. The method of claim 1 comprising maintaining a watch list of file system objects corresponding to data of interest and determining whether a file system object operation corresponds to any of the file system objects on the watch list. |
| Claim: | 6. The method of claim 1 wherein tracking subsequent accesses to the memory resident data includes, in response to the memory resident data being copied from its initial location to another memory resident location, adding the new memory resident location to a watch list and monitoring subsequent accesses to the new memory resident location using the watch list. |
| Claim: | 7. The method of claim 1 comprising identifying a codepage signature of a process making the memory accesses and comparing the codepage signature to stored codepage signatures to identify the process. |
| Claim: | 8. The method of claim 7 comprising creating the codepage signature for the process by recognizing shared and kernel code pages associated with the process and utilizing the codepage signature to selectively extract codepages that identify the process. |
| Claim: | 9. The method of claim 1 comprising selectively blocking or dropping packets associated with a network connection without examining the packets' contents. |
| Claim: | 10. A system for efficient computer forensic analysis and data access control, the system comprising: a virtualization layer of a first computing system separate from a guest operating system executing on the first computing system for virtualizing resources of the first computing system; a storage monitoring module located within the virtualization layer and for monitoring disk accesses by the guest operating system to a region of interest on a disk from which data is copied into memory; a memory monitoring module located within the virtualization layer for tracking subsequent accesses to memory resident data where the memory resident data is copied from its initial location to other memory locations or over a network; a system call monitoring module for linking operations made by the guest operating system associated with the disk accesses with operations made by the guest operating system associated with the memory accesses, wherein the operations made by the guest operating system associated with the disk accesses include a file read operation and wherein linking the operations made by the guest operating system associated with the disk accesses with the operations associated with the memory accesses includes examining source and destination parameters associated with the file read operation to infer that the operations concern the same data; and an enforcement module for selectively blocking accesses by the guest operating system to memory or disk locations containing data of interest, wherein each of the storage monitoring module, the memory monitoring module, the system call monitoring module, and the enforcement module is implemented using at least one hardware processor. |
| Claim: | 11. The system of claim 10 wherein the virtualization layer comprises a hypervisor layer. |
| Claim: | 12. The system of claim 10 wherein the storage monitoring module is configured to maintain a watch list of virtual machine disk blocks containing data of interest and determine whether a disk access corresponds to any of the virtual machine blocks on the watch list. |
| Claim: | 13. The system of claim 12 wherein the storage monitoring module is configured to, in response to determining that the disk access corresponds to a virtual machine disk block on the watch list, trigger the memory monitoring module to monitor a physical page of memory into which blocks of data from the disk access are paged. |
| Claim: | 14. The system of claim 10 wherein the storage monitoring module is configured to maintain a watch list of file system objects corresponding to data of interest and determine whether a file system object operation corresponds to any of the file system objects on the watch list. |
| Claim: | 15. The system of claim 10 wherein the memory monitoring module is configured to, in response to the memory resident data being copied from its initial location to another memory resident location, add the new memory resident location to a watch list and monitor subsequent accesses to the new memory resident location using the watch list. |
| Claim: | 16. The system of claim 10 wherein the memory monitoring module is configured to identify a codepage signature of a process making the memory accesses and to compare the codepage signature to stored codepage signatures to identify the process. |
| Claim: | 17. The system of claim 16 wherein the memory monitoring module is configured to create the codepage signature for the process by recognizing shared and kernel code pages associated with the process and utilize the codepage signature to selectively extract codepages that identify the process. |
| Claim: | 18. The system of claim 10 comprising a network monitoring module configured to, in response to a trigger from either the memory monitoring module or the system call monitoring module, selectively block or drop packets associated with a network connection. |
| Claim: | 19. A non-transitory computer readable medium having stored thereon executable instructions that when executed by a processor of a computer control the computer to perform steps comprising: from within a virtualization layer of a first computing system separate from a guest operating system executing on the first computing system: monitoring disk accesses by the guest operating system to a region of interest on a disk from which data is copied into memory; tracking subsequent accesses to the memory resident data where the memory resident data is copied from its initial location to other memory locations or over a network; linking operations made by the guest operating system associated with the disk accesses with operations made by the guest operating system associated with the memory accesses, wherein the operations made by the guest operating system associated with the disk accesses include a file read operation and wherein linking the operations made by the guest operating system associated with the disk accesses with the operations associated with the memory accesses includes examining source and destination parameters associated with the file read operation to infer that the operations concern the same data; and selectively blocking accesses by the guest operating system to memory or disk locations containing data of interest. |
| Patent References Cited: | 6445704, September 2002, Howes; 7702843, April 2010, Chen et al.; 2003/0191982, October 2003, Arakawa; 2004/0230794, November 2004, England; 2006/0004944, January 2006, Vij et al.; 2006/0143350, June 2006, Miloushev; 2007/0094312, April 2007, Sim-Tang; 2009/0320009, December 2009, Chow et al.; 2009/0327576, December 2009, Oshins; 2010/0057881, March 2010, Corry; 2010/0241654, September 2010, Wu; 2011/0099335, April 2011, Scott; 2011/0246767, October 2011, Chaturvedi; 2012/0047313, February 2012, Sinha; 2013/0091568, April 2013, Sharif |
| Other References: | (all cited by applicant) Notification of Transmittal of the International Search Report and the Written Opinion of the International Searching Authority, or the Declaration for International Application No. PCT/US2012/036753 (Nov. 28, 2012); Barham et al., “Xen and the Art of Virtualization,” Proceedings of the 19th ACM Symposium on Operating Systems Principles, pp. 164-177 (2003); Buchholz et al., “On the Role of File System Metadata in Digital Forensics,” Digital Investigation 1, 4, pp. 1-15 (2004); Chen et al., “Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware,” Dependable Systems and Networks, pp. 1-10 (June 2008); Chen et al., “When Virtual is Better than Real,” Proceedings of the Workshop on Hot Topics in Operating Systems, pp. 133-138 (May 2001); Denning et al., “Certification of Programs for Secure Information Flow,” Communications of the ACM, vol. 20, No. 7, pp. 504-513 (1977); Dinaburg et al., “Ether: Malware Analysis via Hardware Virtualization Extensions,” Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 51-62 (2008); Franklin et al., “An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants,” Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 375-388 (2007); Garfinkel et al., “A Virtual Machine Introspection Based Architecture for Intrusion Detection,” Network and Distributed Systems Security Symposium, pp. 191-206 (2003); Garfinkel et al., “Compatibility is not Transparency: VMM Detection Myths and Realities,” Proceedings of the 11th USENIX Workshop on Hot Topics in Operating Systems, pp. 1-6 (2007); Garfinkel et al., “Terra: A Virtual Machine-Based Platform for Trusted Computing,” Proceedings of ACM Symposium on Operating System Principles, pp. 193-206 (2003); Jain et al., “Application-Level Isolation and Recovery with Solitude,” Proceedings of EuroSys, pp. 95-107 (Apr. 2008); Jiang et al., “Stealthy Malware Detection through VMM-based ‘out-of-the-box’ Semantic View Reconstruction,” Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 128-138 (2007); Krishnan et al., “Trail of Bytes: Efficient Support for Forensic Analysis,” CCS'10, pp. 1-11 (Oct. 4-8, 2010); Leung et al., “Measurement and Analysis of Large-scale Network File System Workloads,” USENIX Annual Technical Conference, pp. 213-226 (2008); Litty et al., “Hypervisor Support for Identifying Covertly Executing Binaries,” Proceedings of USENIX Security Symposium, pp. 243-257 (Aug. 2008); Muniswamy-Reddy et al., “Provenance-aware Storage Systems,” Proceedings of the 2006 USENIX Annual Technical Conference, pp. 43-56 (2006); Payne et al., “Secure and Flexible Monitoring of Virtual Machines,” Annual Computer Security Applications Conference, pp. 385-397 (2007); Quinlan et al., “Venti: A New Approach to Archival Data Storage,” Proceedings of the USENIX Conference on File and Storage Technologies, pp. 89-101 (2002); Shneiderman, “Response Time and Display Rate in Human Performance with Computers,” ACM Computing Surveys, vol. 16, No. 3, pp. 265-285 (1984); Vincenzetti et al., “ATP—Anti Tampering Program,” Proceedings of USENIX Security, pp. 79-90 (1993); Chen et al., “Defeating Memory Corruption Attacks via Pointer Taintedness Detection,” IEEE International Conference on Dependable Systems and Networks (DSN), pp. 1-11 (2005); Farmer et al., Forensic Discovery, Addison-Wesley, http://www.porcupine.org/forensics/forensic-discovery/, pp. 1-150 (2006); F-Secure, MBR Rootkit, “A New Breed of Malware,” http://www.f-secure.com/weblog/archives/00001393.htm, pp. 1-2 (2008); Goel et al., “The Taser Intrusion Recovery System,” Proceedings of Symposium on Operating Systems Principles, pp. 1-30 (Oct. 2005); Goldberg, “Survey of Virtual Machine Research,” IEEE Computer Magazine, vol. 7, No. 6, pp. 34-45 (1974); Jay et al., “Modeling the Effects of Delayed Haptic and Visual Feedback in a Collaborative Virtual Environment,” ACM Transactions on Computer-Human Interaction, vol. 14, No. 2, pp. 1-33 (2007); Jones et al., “Antfarm: Tracking Processes in a Virtual Machine Environment,” Proceedings of the USENIX Annual Technical Conference, pp. 1-14 (2006); Jones et al., “Geiger: Monitoring the Buffer Cache in a Virtual Machine Environment,” SIGPLAN Not., vol. 41, No. 11, pp. 13-23 (2006); Kim et al., “The Design and Implementation of Tripwire: A File System Integrity Checker,” Proceedings of the 2nd ACM Conference on Computer and Communications Security, pp. 18-29 (1994); King et al., “Backtracking Intrusions,” Proceedings of the 19th ACM Symposium on Operating Systems Principles, pp. 1-14 (Dec. 2003); King et al., “Enriching Intrusion Alerts Through Multi-host Causality,” Proceedings of Network and Distributed System Security Symposium, pp. 1-12 (2005); Krishnan et al., “Time Capsule: Secure Recording of Accesses to a Protected Datastore,” Proceedings of the 2nd ACM Workshop on Virtual Machine Security, pp. 23-31 (Nov. 2009); Leung et al., “Intel Virtualization Technology: Hardware Support for Efficient Processor Virtualization,” Intel Technology Journal, vol. 10, Issue 03, pp. 167-178 (2006); Muniswamy-Reddy et al., “Provenance for the Cloud,” Harvard School of Engineering and Applied Sciences, pp. 1-14 (2010); Peisert et al., “Computer Forensics in Forensis,” ACM Operating System Review, vol. 42, pp. 112-122 (2008); Provos et al., “The Ghost in the Browser: Analysis of Web-based Malware,” First Workshop on Hot Topics in Understanding Botnets, pp. 1-9 (2006); Slowinska et al., “Pointless Tainting? Evaluating the Practicality of Pointer Tainting,” Proceedings of EuroSys, pp. 1-14 (Apr. 2009); White, “Cyber-Infrastructure Uses for the NIST NSRL (National Software Reference Library),” NIST, United States Department of Commerce, National Institute of Standards and Technology, slides 1-14 (2009) |
| Primary Examiner: | Henning, Matthew |
| Attorney, Agent or Firm: | Jenkins, Wilson, Taylor & Hunt, P.A. |
| Accession Number: | edspgr.09721089 |
| Database: | USPTO Patent Grants |
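The claims above describe a control flow that is easy to lose in claim language: a disk-block watch list (claim 3) seeds a memory-page watch list when a watched block is paged in (claim 4); copies out of a watched page extend the watch list to the destination (claim 6); the file read system call's source and destination parameters tie the disk view and the memory view of the same data together (claims 1, 10, 19); and enforcement can deny memory access or drop a network connection by provenance alone, without inspecting payloads (claims 1, 9, 18). The following Python model is an added illustration of that propagation logic and is not code from the patent or its inventors. The event API (`disk_read`, `file_read`, `mem_copy`, `mem_access`, `net_send`), the pid/page/block values and the allow-list policy are all constructed assumptions; a real implementation would receive these events from hypervisor disk and page-fault traps, which this model does not attempt.

```python
"""Toy model of hypervisor-side watch-list propagation (added example, not the
patent's code). Block numbers, page frames and pids below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Monitor:
    watched_blocks: set                    # claim 3: disk blocks holding data of interest
    allowed_pids: set                      # assumed policy: pids allowed to touch tainted pages
    watched_pages: dict = field(default_factory=dict)  # page frame -> originating blocks
    trail: list = field(default_factory=list)          # linked disk/syscall/memory operations
    denied: list = field(default_factory=list)         # enforcement decisions

    # Storage monitoring module (claims 3/4): a watched block is paged into a frame,
    # so that frame joins the memory watch list, tagged with its origin block.
    def disk_read(self, pid, block, page):
        if block not in self.watched_blocks:
            return False
        self.watched_pages.setdefault(page, set()).add(block)
        self.trail.append(("disk", pid, block, page))
        return True

    # System call monitoring module (claim 1): a guest read() names a source file
    # and a destination buffer. The blocks fetched for that file and the frame
    # backing the buffer are matched to infer both views concern the same data.
    def file_read(self, pid, blocks, buf_page):
        hits = tuple(b for b in blocks if self.disk_read(pid, b, buf_page))
        if hits:
            self.trail.append(("syscall_read", pid, hits, buf_page))
        return bool(hits)

    # Memory monitoring module (claim 6): copying from a watched frame taints the
    # destination frame with the same provenance.
    def mem_copy(self, pid, src, dst):
        if src not in self.watched_pages:
            return False
        self.watched_pages.setdefault(dst, set()).update(self.watched_pages[src])
        self.trail.append(("copy", pid, src, dst))
        return True

    # Enforcement module (claim 1): selectively block access to watched frames.
    def mem_access(self, pid, page):
        if page in self.watched_pages and pid not in self.allowed_pids:
            self.denied.append(("mem", pid, page))
            return False
        return True

    # Network monitoring module (claims 9/18): drop a connection sourced from a
    # watched frame on provenance alone; the payload is never examined.
    def net_send(self, pid, src_page, conn):
        if src_page in self.watched_pages:
            self.denied.append(("net", pid, conn))
            return False
        return True

    def provenance(self, page):
        """Originating disk blocks for a frame, empty if untracked."""
        return frozenset(self.watched_pages.get(page, ()))


def run_scenario():
    """Constructed trace: blocks 100 and 101 hold the sensitive file; pid 1000 is
    the authorised viewer, pid 2000 is an unrelated process trying to exfiltrate."""
    m = Monitor(watched_blocks={100, 101}, allowed_pids={1000})
    m.file_read(pid=1000, blocks=[100, 101], buf_page=0x3A000)   # viewer reads the file
    m.disk_read(pid=1000, block=500, page=0x3B000)                # unrelated block, untracked
    m.mem_copy(pid=1000, src=0x3A000, dst=0x7F000)                # copy into a shared buffer
    m.mem_access(pid=2000, page=0x7F000)                          # other pid reads copy: denied
    m.mem_access(pid=2000, page=0x3B000)                          # untracked frame: allowed
    m.net_send(pid=2000, src_page=0x7F000, conn=("10.0.0.5", 443))  # exfil attempt: dropped
    return m


if __name__ == "__main__":
    mon = run_scenario()
    for entry in mon.trail:
        print("trail ", entry)
    for entry in mon.denied:
        print("denied", entry)
```

The point of the model is that provenance rides with the data, not with the process: pid 2000 never touched the disk, yet its copy of the buffer carries blocks 100 and 101 and is denied on that basis, while the unrelated frame read from block 500 is not tracked and stays accessible.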