Verfügbarkeit: Improving digital forensics and incident analysis in production environments by using virtual machine introspection

Improving digital forensics and incident analysis in production environments by using virtual machine introspection:

Gespeichert in:

Bibliographische Detailangaben
1. Verfasser:	Taubmann, Benjamin ca. 20./21. Jh (VerfasserIn)
Format:	Abschlussarbeit Buch
Sprache:	German
Veröffentlicht:	Passau 2019
Schlagworte:	Computerforensik Eindringerkennung Hochschulschrift
Online-Zugang:	Volltext Volltext Inhaltsverzeichnis
Beschreibung:	ix, 153 Seiten Illustrationen, Diagramme

Internformat

MARC


LEADER	00000nam a2200000 c 4500
001	BV046859094
003	DE-604
005	20200907
007	t
008	200819s2019 a\|\|\| m\|\|\| 00\|\|\| ger d
035			\|a (OCoLC)1193305230
035			\|a (DE-599)BVBBV046859094
040			\|a DE-604 \|b ger \|e rda
041	0		\|a ger
049			\|a DE-384 \|a DE-473 \|a DE-703 \|a DE-1051 \|a DE-824 \|a DE-29 \|a DE-12 \|a DE-91 \|a DE-19 \|a DE-1049 \|a DE-92 \|a DE-739 \|a DE-898 \|a DE-355 \|a DE-706 \|a DE-20 \|a DE-1102 \|a DE-860 \|a DE-2174
084			\|a ST 277 \|0 (DE-625)143643: \|2 rvk
100	1		\|a Taubmann, Benjamin \|d ca. 20./21. Jh. \|e Verfasser \|0 (DE-588)1217218173 \|4 aut
245	1	0	\|a Improving digital forensics and incident analysis in production environments by using virtual machine introspection \|c Benjamin Taubmann
264		1	\|a Passau \|c 2019
300			\|a ix, 153 Seiten \|b Illustrationen, Diagramme
336			\|b txt \|2 rdacontent
337			\|b n \|2 rdamedia
338			\|b nc \|2 rdacarrier
502			\|b Dissertation \|c Universität Passau \|d 2020
650	0	7	\|a Computerforensik \|0 (DE-588)4774034-6 \|2 gnd \|9 rswk-swf
650	0	7	\|a Eindringerkennung \|0 (DE-588)4706627-1 \|2 gnd \|9 rswk-swf
655		7	\|0 (DE-588)4113937-9 \|a Hochschulschrift \|2 gnd-content
689	0	0	\|a Computerforensik \|0 (DE-588)4774034-6 \|D s
689	0	1	\|a Eindringerkennung \|0 (DE-588)4706627-1 \|D s
689	0		\|5 DE-604
776	0	8	\|i Erscheint auch als \|n Online-Ausgabe \|o urn:nbn:de:bvb:739-opus4-8319
856	4	1	\|u https://opus4.kobv.de/opus4-uni-passau/frontdoor/index/index/docId/831 \|z kostenfrei \|3 Volltext
856	4	1	\|u https://nbn-resolving.de/urn:nbn:de:bvb:739-opus4-8319 \|x Resolving-System \|z kostenfrei \|3 Volltext
856	4	2	\|m Digitalisierung UB Passau - ADAM Catalogue Enrichment \|q application/pdf \|u http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=032267774&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA \|3 Inhaltsverzeichnis
912			\|a ebook
999			\|a oai:aleph.bib-bvb.de:BVB01-032267774

Datensatz im Suchindex

_version_	1804181698546499584
adam_text	Contents Contents 1 2 Introduction 1 1.1 1.2 1.3 1.4 2 3 6 8 ProblemStatement......................................................................................................... Main Contributions....................................................................................................... Publications................................................................................................................... Structure of this Thesis................................................................................................. Background 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 3 vii Virtualization................................................................................................................ The Xen Hypervisor....................................................................................................... Digital Forensics............................................................................................................. Memory Forensics........................................................................................................... Virtual Machine Introspection...................................................................................... LibVMI........................................................................................................................... TLS Internals................................................................................................................ Summary........................................................................................................................ An Extensible Architecture For Memory Analysis 3.1 3.2 3.3 State of the Art............................................................................................................. Requirements of VMI-based Applications.................................................................. Design Goals................................................................................................................... 3.3.1 Static Analysis ................................................................................................. 3.3.2 Dynamic Analysis.............................................................................................. 3.3.3 Network Traffic................................................................................................. 3.4 System Design................................................................................................................ 3.5 Libvmtrace..................................................................................................................... 3.5.1 System Monitor................................................................................................. 3.5.2 Network Monitor.............................................................................................. 3.5.3 Operating System Monitor ............................................................................. 3.5.4 Library and Process Monitor.......................................................................... 3.5.5 Plug-ins and Dynamic Reconfiguration............................................................ 3.5.6 Logging................................................................................................................ 3.6 Evaluation..................................................................................................................... 3.6.1 Process List Extraction ................................................................................... 3.6.2 Breakpoint Performance................................................................................... 3.6.3 Return Value .................................................................................................... 3.6.4 System Call Tracing.............................................. i*T..................................... 9 9 12 13 14 16 18 21 23 25 26 29 31 31 31 33 34 36 36 41 42 43 43 43 44 44 44 44 45 vii Contents Vlil 3.7 4 5 3.6.5 Process Monitor................................................................................................. 3.6.6 Accessing Virtual Addresses that are not Present in Physical Memory ... 3.6.7 Stealthiness....................................................................................................... 3.6.8 Network Tracing ............................................................................................... 3.6.9 Compliance with Principals of Digital Forensics ........................................... Summary........................................................................................................................ Data Acquisition 51 4.1 State of the Art............................................................................................................. 4.1.1 Main Memory Access on MobileDevices........................................................... 4.1.2 VMI in Cloud Computing Environments......................................................... 4.2 Improving Cold-boot BasedData Acquisition.............................................................. 4.2.1 System Design.................................................................................................... 4.2.2 Implementation................................................................................................. 4.2.3 Evaluation.......................................................................................................... 4.3 Towards ARM TrustZone Based Monitoring................................................................ 4.3.1 Threat Model and Assumptions......................................................................... 4.3.2 System Design.................................................................................................... 4.3.3 Implementation................................................................................................. 4.3.4 Evaluation.......................................................................................................... 4.4 Bringing VMI to Cloud Environments........................................................................ 4.4.1 Threat Model and Assumptions......................................................................... 4.4.2 System Design.................................................................................................... 4.4.3 Implementation.................................................................................................. 4.4.4 Evaluation and Discussion................................................................................ 4.5 VMI and Live Migration............................................................................................... 4.5.1 System Design.................................................................................................... 4.5.2 Implementation................................................................................................. 4.5.3 Evaluation.......................................................................................................... 4.6 Summary........................................................................................................................ 52 52 53 55 56 56 58 61 61 61 62 63 65 65 66 67 69 74 75 79 81 83 Information Retrieval 85 5.1 6 46 46 47 47 48 49 State of the Art............................................................................................................. 5.1.1 Decryption of TLS Communication.................................................................. 5.1.2 SSH Honeypots................................................................................................. 5.1.3 Stealthiness of VMI............................................................................................ 5.1.4 Information Retrieval from Memory............................................................... 5.2 TLSKex: Content-based TLS Session KeyExtraction from Virtual Machines .... 5.2.1 System Design.................................................................................................... 5.2.2 Implementation................................................................................................. 5.2.3 Evaluation.......................................................................................................... 5.3 DroidKex: Data structure-based KeyExtraction from Mobile Phones..................... 5.3.1 System Design.................................................................................................... 5.3.2 Implementation................................................................................................. 5.3.3 Evaluation and Discussion................................................................................ 5.4 VMI-based SSH Honeypot............................................................................................ 5.4.1 Threat Model and Assumptions........................................................................ 5.4.2 System Design ................................................................................................. 5.4.3 Implementation................................................................................................. 5.4.4 Evaluation.......................................................................................................... 5.5 Summary........................................................................................................................ 86 86 88 88 89 91 91 93 96 99 99 102 106 110 110 Ill Ill 113 116 VMI in SIEM Systems 119 6.1 120 State of the Art............................................................................................................ Contents____________________________________________________________________________ ix 6.2 6.3 6.4 6.5 6.6 Threat Model and Assumptions...................................................................................... System Design.................................................................................................................... Implementation................................................................................................................. Evaluation.......................................................................................................................... Summary............................................................................................................................. 7 Conclusions 7.1 7.2 Contributions .................................................................................................................... Future Work....................................................................................................................... 121 121 124 127 128 129 129 131 List of Abbreviations 133 List of Figures 135 List of Tables 137 List of Listings 139 Bibliography 141
adam_txt	Contents Contents 1 2 Introduction 1 1.1 1.2 1.3 1.4 2 3 6 8 ProblemStatement. Main Contributions. Publications. Structure of this Thesis. Background 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 3 vii Virtualization. The Xen Hypervisor. Digital Forensics. Memory Forensics. Virtual Machine Introspection. LibVMI. TLS Internals. Summary. An Extensible Architecture For Memory Analysis 3.1 3.2 3.3 State of the Art. Requirements of VMI-based Applications. Design Goals. 3.3.1 Static Analysis . 3.3.2 Dynamic Analysis. 3.3.3 Network Traffic. 3.4 System Design. 3.5 Libvmtrace. 3.5.1 System Monitor. 3.5.2 Network Monitor. 3.5.3 Operating System Monitor . 3.5.4 Library and Process Monitor. 3.5.5 Plug-ins and Dynamic Reconfiguration. 3.5.6 Logging. 3.6 Evaluation. 3.6.1 Process List Extraction . 3.6.2 Breakpoint Performance. 3.6.3 Return Value . 3.6.4 System Call Tracing. i*T. 9 9 12 13 14 16 18 21 23 25 26 29 31 31 31 33 34 36 36 41 42 43 43 43 44 44 44 44 45 vii Contents Vlil 3.7 4 5 3.6.5 Process Monitor. 3.6.6 Accessing Virtual Addresses that are not Present in Physical Memory . 3.6.7 Stealthiness. 3.6.8 Network Tracing . 3.6.9 Compliance with Principals of Digital Forensics . Summary. Data Acquisition 51 4.1 State of the Art. 4.1.1 Main Memory Access on MobileDevices. 4.1.2 VMI in Cloud Computing Environments. 4.2 Improving Cold-boot BasedData Acquisition. 4.2.1 System Design. 4.2.2 Implementation. 4.2.3 Evaluation. 4.3 Towards ARM TrustZone Based Monitoring. 4.3.1 Threat Model and Assumptions. 4.3.2 System Design. 4.3.3 Implementation. 4.3.4 Evaluation. 4.4 Bringing VMI to Cloud Environments. 4.4.1 Threat Model and Assumptions. 4.4.2 System Design. 4.4.3 Implementation. 4.4.4 Evaluation and Discussion. 4.5 VMI and Live Migration. 4.5.1 System Design. 4.5.2 Implementation. 4.5.3 Evaluation. 4.6 Summary. 52 52 53 55 56 56 58 61 61 61 62 63 65 65 66 67 69 74 75 79 81 83 Information Retrieval 85 5.1 6 46 46 47 47 48 49 State of the Art. 5.1.1 Decryption of TLS Communication. 5.1.2 SSH Honeypots. 5.1.3 Stealthiness of VMI. 5.1.4 Information Retrieval from Memory. 5.2 TLSKex: Content-based TLS Session KeyExtraction from Virtual Machines . 5.2.1 System Design. 5.2.2 Implementation. 5.2.3 Evaluation. 5.3 DroidKex: Data structure-based KeyExtraction from Mobile Phones. 5.3.1 System Design. 5.3.2 Implementation. 5.3.3 Evaluation and Discussion. 5.4 VMI-based SSH Honeypot. 5.4.1 Threat Model and Assumptions. 5.4.2 System Design . 5.4.3 Implementation. 5.4.4 Evaluation. 5.5 Summary. 86 86 88 88 89 91 91 93 96 99 99 102 106 110 110 Ill Ill 113 116 VMI in SIEM Systems 119 6.1 120 State of the Art. Contents_ ix 6.2 6.3 6.4 6.5 6.6 Threat Model and Assumptions. System Design. Implementation. Evaluation. Summary. 7 Conclusions 7.1 7.2 Contributions . Future Work. 121 121 124 127 128 129 129 131 List of Abbreviations 133 List of Figures 135 List of Tables 137 List of Listings 139 Bibliography 141
any_adam_object	1
any_adam_object_boolean	1
author	Taubmann, Benjamin ca. 20./21. Jh
author_GND	(DE-588)1217218173
author_facet	Taubmann, Benjamin ca. 20./21. Jh
author_role	aut
author_sort	Taubmann, Benjamin ca. 20./21. Jh
author_variant	b t bt
building	Verbundindex
bvnumber	BV046859094
classification_rvk	ST 277
collection	ebook
ctrlnum	(OCoLC)1193305230 (DE-599)BVBBV046859094
discipline	Informatik
discipline_str_mv	Informatik
format	Thesis Book
fullrecord	<?xml version="1.0" encoding="UTF-8"?><collection xmlns="http://www.loc.gov/MARC21/slim"><record><leader>01965nam a2200397 c 4500</leader><controlfield tag="001">BV046859094</controlfield><controlfield tag="003">DE-604</controlfield><controlfield tag="005">20200907 </controlfield><controlfield tag="007">t</controlfield><controlfield tag="008">200819s2019 a\|\|\| m\|\|\| 00\|\|\| ger d</controlfield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(OCoLC)1193305230</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(DE-599)BVBBV046859094</subfield></datafield><datafield tag="040" ind1=" " ind2=" "><subfield code="a">DE-604</subfield><subfield code="b">ger</subfield><subfield code="e">rda</subfield></datafield><datafield tag="041" ind1="0" ind2=" "><subfield code="a">ger</subfield></datafield><datafield tag="049" ind1=" " ind2=" "><subfield code="a">DE-384</subfield><subfield code="a">DE-473</subfield><subfield code="a">DE-703</subfield><subfield code="a">DE-1051</subfield><subfield code="a">DE-824</subfield><subfield code="a">DE-29</subfield><subfield code="a">DE-12</subfield><subfield code="a">DE-91</subfield><subfield code="a">DE-19</subfield><subfield code="a">DE-1049</subfield><subfield code="a">DE-92</subfield><subfield code="a">DE-739</subfield><subfield code="a">DE-898</subfield><subfield code="a">DE-355</subfield><subfield code="a">DE-706</subfield><subfield code="a">DE-20</subfield><subfield code="a">DE-1102</subfield><subfield code="a">DE-860</subfield><subfield code="a">DE-2174</subfield></datafield><datafield tag="084" ind1=" " ind2=" "><subfield code="a">ST 277</subfield><subfield code="0">(DE-625)143643:</subfield><subfield code="2">rvk</subfield></datafield><datafield tag="100" ind1="1" ind2=" "><subfield code="a">Taubmann, Benjamin</subfield><subfield code="d">ca. 20./21. Jh.</subfield><subfield code="e">Verfasser</subfield><subfield code="0">(DE-588)1217218173</subfield><subfield code="4">aut</subfield></datafield><datafield tag="245" ind1="1" ind2="0"><subfield code="a">Improving digital forensics and incident analysis in production environments by using virtual machine introspection</subfield><subfield code="c">Benjamin Taubmann</subfield></datafield><datafield tag="264" ind1=" " ind2="1"><subfield code="a">Passau</subfield><subfield code="c">2019</subfield></datafield><datafield tag="300" ind1=" " ind2=" "><subfield code="a">ix, 153 Seiten</subfield><subfield code="b">Illustrationen, Diagramme</subfield></datafield><datafield tag="336" ind1=" " ind2=" "><subfield code="b">txt</subfield><subfield code="2">rdacontent</subfield></datafield><datafield tag="337" ind1=" " ind2=" "><subfield code="b">n</subfield><subfield code="2">rdamedia</subfield></datafield><datafield tag="338" ind1=" " ind2=" "><subfield code="b">nc</subfield><subfield code="2">rdacarrier</subfield></datafield><datafield tag="502" ind1=" " ind2=" "><subfield code="b">Dissertation</subfield><subfield code="c">Universität Passau</subfield><subfield code="d">2020</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Computerforensik</subfield><subfield code="0">(DE-588)4774034-6</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Eindringerkennung</subfield><subfield code="0">(DE-588)4706627-1</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="655" ind1=" " ind2="7"><subfield code="0">(DE-588)4113937-9</subfield><subfield code="a">Hochschulschrift</subfield><subfield code="2">gnd-content</subfield></datafield><datafield tag="689" ind1="0" ind2="0"><subfield code="a">Computerforensik</subfield><subfield code="0">(DE-588)4774034-6</subfield><subfield code="D">s</subfield></datafield><datafield tag="689" ind1="0" ind2="1"><subfield code="a">Eindringerkennung</subfield><subfield code="0">(DE-588)4706627-1</subfield><subfield code="D">s</subfield></datafield><datafield tag="689" ind1="0" ind2=" "><subfield code="5">DE-604</subfield></datafield><datafield tag="776" ind1="0" ind2="8"><subfield code="i">Erscheint auch als</subfield><subfield code="n">Online-Ausgabe</subfield><subfield code="o">urn:nbn:de:bvb:739-opus4-8319</subfield></datafield><datafield tag="856" ind1="4" ind2="1"><subfield code="u">https://opus4.kobv.de/opus4-uni-passau/frontdoor/index/index/docId/831</subfield><subfield code="z">kostenfrei</subfield><subfield code="3">Volltext</subfield></datafield><datafield tag="856" ind1="4" ind2="1"><subfield code="u">https://nbn-resolving.de/urn:nbn:de:bvb:739-opus4-8319</subfield><subfield code="x">Resolving-System</subfield><subfield code="z">kostenfrei</subfield><subfield code="3">Volltext</subfield></datafield><datafield tag="856" ind1="4" ind2="2"><subfield code="m">Digitalisierung UB Passau - ADAM Catalogue Enrichment</subfield><subfield code="q">application/pdf</subfield><subfield code="u">http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=032267774&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA</subfield><subfield code="3">Inhaltsverzeichnis</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">ebook</subfield></datafield><datafield tag="999" ind1=" " ind2=" "><subfield code="a">oai:aleph.bib-bvb.de:BVB01-032267774</subfield></datafield></record></collection>
genre	(DE-588)4113937-9 Hochschulschrift gnd-content
genre_facet	Hochschulschrift
id	DE-604.BV046859094
illustrated	Illustrated
index_date	2024-07-03T15:12:22Z
indexdate	2024-07-10T08:55:47Z
institution	BVB
language	German
oai_aleph_id	oai:aleph.bib-bvb.de:BVB01-032267774
oclc_num	1193305230
open_access_boolean	1
owner	DE-384 DE-473 DE-BY-UBG DE-703 DE-1051 DE-824 DE-29 DE-12 DE-91 DE-BY-TUM DE-19 DE-BY-UBM DE-1049 DE-92 DE-739 DE-898 DE-BY-UBR DE-355 DE-BY-UBR DE-706 DE-20 DE-1102 DE-860 DE-2174
owner_facet	DE-384 DE-473 DE-BY-UBG DE-703 DE-1051 DE-824 DE-29 DE-12 DE-91 DE-BY-TUM DE-19 DE-BY-UBM DE-1049 DE-92 DE-739 DE-898 DE-BY-UBR DE-355 DE-BY-UBR DE-706 DE-20 DE-1102 DE-860 DE-2174
physical	ix, 153 Seiten Illustrationen, Diagramme
psigel	ebook
publishDate	2019
publishDateSearch	2019
publishDateSort	2019
record_format	marc
spelling	Taubmann, Benjamin ca. 20./21. Jh. Verfasser (DE-588)1217218173 aut Improving digital forensics and incident analysis in production environments by using virtual machine introspection Benjamin Taubmann Passau 2019 ix, 153 Seiten Illustrationen, Diagramme txt rdacontent n rdamedia nc rdacarrier Dissertation Universität Passau 2020 Computerforensik (DE-588)4774034-6 gnd rswk-swf Eindringerkennung (DE-588)4706627-1 gnd rswk-swf (DE-588)4113937-9 Hochschulschrift gnd-content Computerforensik (DE-588)4774034-6 s Eindringerkennung (DE-588)4706627-1 s DE-604 Erscheint auch als Online-Ausgabe urn:nbn:de:bvb:739-opus4-8319 https://opus4.kobv.de/opus4-uni-passau/frontdoor/index/index/docId/831 kostenfrei Volltext https://nbn-resolving.de/urn:nbn:de:bvb:739-opus4-8319 Resolving-System kostenfrei Volltext Digitalisierung UB Passau - ADAM Catalogue Enrichment application/pdf http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=032267774&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA Inhaltsverzeichnis
spellingShingle	Taubmann, Benjamin ca. 20./21. Jh Improving digital forensics and incident analysis in production environments by using virtual machine introspection Computerforensik (DE-588)4774034-6 gnd Eindringerkennung (DE-588)4706627-1 gnd
subject_GND	(DE-588)4774034-6 (DE-588)4706627-1 (DE-588)4113937-9
title	Improving digital forensics and incident analysis in production environments by using virtual machine introspection
title_auth	Improving digital forensics and incident analysis in production environments by using virtual machine introspection
title_exact_search	Improving digital forensics and incident analysis in production environments by using virtual machine introspection
title_exact_search_txtP	Improving digital forensics and incident analysis in production environments by using virtual machine introspection
title_full	Improving digital forensics and incident analysis in production environments by using virtual machine introspection Benjamin Taubmann
title_fullStr	Improving digital forensics and incident analysis in production environments by using virtual machine introspection Benjamin Taubmann
title_full_unstemmed	Improving digital forensics and incident analysis in production environments by using virtual machine introspection Benjamin Taubmann
title_short	Improving digital forensics and incident analysis in production environments by using virtual machine introspection
title_sort	improving digital forensics and incident analysis in production environments by using virtual machine introspection
topic	Computerforensik (DE-588)4774034-6 gnd Eindringerkennung (DE-588)4706627-1 gnd
topic_facet	Computerforensik Eindringerkennung Hochschulschrift
url	https://opus4.kobv.de/opus4-uni-passau/frontdoor/index/index/docId/831 https://nbn-resolving.de/urn:nbn:de:bvb:739-opus4-8319 http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=032267774&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA
work_keys_str_mv	AT taubmannbenjamin improvingdigitalforensicsandincidentanalysisinproductionenvironmentsbyusingvirtualmachineintrospection

Verfügbarkeit

Es ist kein Print-Exemplar vorhanden.

Fernleihe Bestellen Achtung: Nicht im THWS-Bestand! Volltext öffnen

MARC

Datensatz im Suchindex

Es ist kein Print-Exemplar vorhanden.

Ähnliche Einträge