Static memory analysis has been proven a valuable technique for digital forensics. However, the memory capture technique halts the system, causing the loss of important dynamic system data. As a result, live analysis techniques have emerged to complement static analysis. In this paper, a compiled memory analysis tool for virtualization (CMAT-V) is presented as a virtual machine introspection (VMI) utility to conduct live analysis during simulated cyber attacks. CMAT-V leverages static memory dump analysis techniques to provide live system state awareness. CMAT-V parses an arbitrary memory dump from a simulated guest operating system (OS) to extract user information, network usage, active process information and registry files. Unlike some VMI applications, CMAT-V bridges the semantic gap using derivation techniques. This provides increased operating system compatibility for current and future operating systems. This research demonstrates the usefulness of CMAT-V as a situational awareness tool during simulated cyber attacks and measures the overall performance of CMAT-V.
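As an added illustration (not code from the paper or from CMAT-V itself), the Python script below walks an active-process list out of a constructed, identity-mapped guest memory image and derives the list-entry offset from the data rather than from a hard-coded kernel layout, which is the flavour of derivation the abstract means when it says CMAT-V bridges the semantic gap. The record layout, the `Proc` tag, the 48-byte record size and the pid/name field positions are assumptions of the toy image, and the identity address map stands in for the page-table translation a real VMI tool must perform.

```python
import struct

TAG = b"Proc"   # constructed marker at the start of every process record (assumption)
REC = 48        # bytes per record in the constructed image (assumption)
PTR = 8         # 64-bit guest pointers; the toy image uses an identity address map

def build_image():
    """Constructed guest memory: three process records in a circular doubly-linked list.
    Record layout (assumed): TAG | pad | pid(u32) | pad | name[16] | flink(u64) | blink(u64)."""
    names = [b"System", b"lsass.exe", b"cmd.exe"]
    base = 0x1000
    addrs = [base + i * REC for i in range(len(names))]
    img = bytearray(base + len(names) * REC + 0x100)
    for i, name in enumerate(names):
        flink = addrs[(i + 1) % len(addrs)]
        blink = addrs[(i - 1) % len(addrs)]
        rec = TAG + b"\0" * 4 + struct.pack("<I", 4 * (i + 1)) + b"\0" * 4
        rec += name.ljust(16, b"\0") + struct.pack("<QQ", flink, blink)
        img[addrs[i]:addrs[i] + REC] = rec
    return bytes(img)

def find_records(img):
    """Signature scan: every TAG hit is a candidate process record address."""
    hits, pos = [], img.find(TAG)
    while pos != -1:
        hits.append(pos)
        pos = img.find(TAG, pos + 1)
    return hits

def derive_link_offset(img, recs):
    """Derive the list-entry offset: the one position where every candidate record
    holds two pointers that both land on other candidate records."""
    cand = set(recs)
    for off in range(0, REC - 2 * PTR + 1, 4):
        pairs = (struct.unpack_from("<QQ", img, r + off) for r in recs)
        if all(f in cand and b in cand for f, b in pairs):
            return off
    raise ValueError("no consistent list-entry offset found")

def walk_process_list(img):
    """Return (derived offset, [(pid, name), ...]) by following flink around the ring."""
    recs = find_records(img)
    off = derive_link_offset(img, recs)
    procs, cur = [], recs[0]
    while True:
        pid = struct.unpack_from("<I", img, cur + 8)[0]          # assumed pid position
        name = img[cur + 16:cur + 32].split(b"\0", 1)[0].decode()  # assumed name position
        procs.append((pid, name))
        cur = struct.unpack_from("<Q", img, cur + off)[0]
        if cur == recs[0] or len(procs) > len(recs):  # back at start, or a broken ring
            break
    return off, procs

if __name__ == "__main__":
    offset, plist = walk_process_list(build_image())
    print("derived list-entry offset:", offset)
    for pid, name in plist:
        print(pid, name)
```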
2010 Summer Computer Simulation Conference (SCSC 10)
Dustyn A. Dodge, Barry E. Mullins, Gilbert L. Peterson, and James S. Okolica. 2010. Simulating windows-based cyber attacks using live virtual machine introspection. In Proceedings of the 2010 Summer Computer Simulation Conference (SCSC '10). Society for Computer Simulation International, San Diego, CA, USA, 550–555. https://dl.acm.org/doi/10.5555/1999416.1999487