Asynchronous Pseudo Physical Memory Snapshot and Forensics on Paravirtualized VMM Using Split Kernel Module

VMM (virtual machine monitor) based system provides the useful inspection and interposition of guest OS. With proper modification of guest OS, we can obtain event-driven memory snapshot for malicious code forensics. In this paper we propose an asynchronous memory snapshot and forensics using split kernel module. Our split kernel module works for virtualized interruption handling, which notifies malicious fault, illegal system call and file access. On frontend, we insert virtualized interruption into source code of MAC (mandatory access control) module, fault handler and gcc-extension. Then, Backend kernel module receives the asynchronous incident notification. In experiment, we take RAM snapshot of LKM-rootkit installation using system call extension. Frequently appeared n-grams is extracted by weighted resolution in order to find memory blocks which is used by LKM-rootkit. Proposed system can detect unknown malware (malicious software) of which name is not matched by signature. Also, it is showed that we can find evidence of malware from memory snapshot by linear extraction algorithm.