Vis: Virtualization Enhanced Live Forensics Acquisition for Native System

Live forensic is becoming one significant part in modern digital investigation. It is effective in obtaining criminal evidence which only exists in memory. Unfortunately, current efforts either fail to provide accurate acquisition of native system state at the given time point or require suspending the machine and altering the execution environment drastically. To address this issue, we propose Vis, a light-weight virtualization approach to provide accurate retrieving of native system state while preserving the execution of target system. Vis is built on two key technologies. The first one Virtual-Snapshot ensures the accuracy of the dumped system state without suspending the target system. The second one Late-Virtualization builds the required virtualization environment by encapsulating the native system into a single virtual machine after the OS finishes booting without environment impact upon the target system execution. Our experimental results indicate that Vis is capable of reliably retrieving an accurate system image. Besides, Vis accomplishes live acquisition within 97.09∼105.86 seconds, which proves Vis is practical when comparing with hours needed by previous remote live acquisition tools and even days needed in static acquisition. In average, Vis introduces only 9.62% performance overhead to the target system.