Cloud Hypervisor Forensics and Incident Response Platform (CHIRP)
More than $1 trillion in IT spending will be affected by the shift to the Cloud during the next five years. This shift to Infrastructure-as-a-Service (IaaS) platforms has brought new challenges to cyber Incident Response (IR) and forensic teams investigating not only breaches and leaks but also cyber-crime, because the data, disks, and technology provided by Cloud Service Providers (CSPs) are ephemeral, located outside the investigator's control, and owned by a third party. Our Cloud Forensics Platform introduces a novel approach that uses Virtual Machine Introspection (VMI) to obtain intelligence and forensic artifacts from live VMs in cloud systems. Every IaaS platform relies on a Virtual Machine Monitor (VMM), or hypervisor, to run its VMs. Most hypervisors do not expose a useful Application Programming Interface (API) for customizable, contextual introspection, which is exactly what an analyst needs to conduct an investigation. We have developed scalable, fine-grained VM instrumentation and introspection that allows fast handling of guest events as well as direct access to VM state (memory and registers) in a safe, stable fashion, without modifying or pausing the guest for longer than the read requires.
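The "direct access to VM state (or memory)" above is harder than it sounds, because the introspection side sees only guest-physical frames while every pointer inside the guest kernel is a guest virtual address. A VMI tool therefore has to walk the guest's own page tables before it can read any structure by address. The following added example (not CHIRP code, and not an API of any named hypervisor) shows that walk for x86-64 4-level paging over a constructed, sparse guest memory image. The names `GuestMemory`, `translate`, `read_virt`, `map_page` and `build_sample_guest`, the sample virtual addresses and the frame layout are all assumptions made for the example; a real deployment would replace `GuestMemory.read` with the hypervisor's physical-memory read primitive.

```python
"""Guest virtual-to-physical translation over a raw guest memory image.

Added example, not CHIRP code: the page-table walk a VMI tool needs before
it can read any guest structure by virtual address. Guest memory here is a
constructed, sparse image built by build_sample_guest().
"""
import struct

PAGE = 0x1000
PRESENT = 1 << 0
WRITABLE = 1 << 1
PS = 1 << 7                      # page-size bit: 1 GiB in a PDPT entry, 2 MiB in a PD entry
NX = 1 << 63
ADDR_MASK = 0x000FFFFFFFFFF000   # physical-address field of an entry, bits 51:12

KERNEL_VA = 0xFFFFFFFF81000000   # constructed "kernel" virtual address (4 KiB pages)
HUGE_VA = 0xFFFFFFFF80000000     # constructed 2 MiB mapping, shares the same PD


class GuestMemory:
    """Sparse guest-physical address space: frame number -> 4 KiB bytearray."""

    def __init__(self):
        self.frames = {}
        self._next_table = 0x1000  # constructed: frames handed out for page tables

    def frame(self, fn):
        return self.frames.setdefault(fn, bytearray(PAGE))

    def alloc_table(self):
        pa = self._next_table
        self._next_table += PAGE
        self.frame(pa // PAGE)
        return pa

    def read(self, paddr, n):
        """Read n bytes of guest-physical memory, crossing frames if needed."""
        out = bytearray()
        while n:
            fn, off = divmod(paddr, PAGE)
            if fn not in self.frames:
                raise ValueError(f"unmapped guest-physical frame {fn:#x}")
            chunk = min(n, PAGE - off)
            out += self.frames[fn][off:off + chunk]
            paddr, n = paddr + chunk, n - chunk
        return bytes(out)

    def write(self, paddr, data):
        while data:
            fn, off = divmod(paddr, PAGE)
            chunk = min(len(data), PAGE - off)
            self.frame(fn)[off:off + chunk] = data[:chunk]
            paddr, data = paddr + chunk, data[chunk:]

    def read_u64(self, paddr):
        return struct.unpack("<Q", self.read(paddr, 8))[0]

    def write_u64(self, paddr, value):
        self.write(paddr, struct.pack("<Q", value))


def translate(mem, cr3, va):
    """Walk the x86-64 4-level page tables held in guest memory.

    Returns (paddr, leaf_entry), or None when a level is not present.
    A PS bit in the PDPT (1 GiB) or PD (2 MiB) entry ends the walk early.
    """
    if (va >> 47) not in (0, 0x1FFFF):
        raise ValueError(f"non-canonical virtual address {va:#x}")
    table = cr3 & ADDR_MASK
    for shift in (39, 30, 21, 12):
        entry = mem.read_u64(table + ((va >> shift) & 0x1FF) * 8)
        if not entry & PRESENT:
            return None
        if shift in (30, 21) and entry & PS:
            page_mask = (1 << shift) - 1
            return ((entry & ADDR_MASK & ~page_mask) | (va & page_mask)), entry
        table = entry & ADDR_MASK
    return (table | (va & 0xFFF)), entry


def read_virt(mem, cr3, va, n):
    """Read n bytes at a guest virtual address; each 4 KiB piece is translated separately."""
    out = bytearray()
    while n:
        hit = translate(mem, cr3, va)
        if hit is None:
            raise ValueError(f"guest virtual page {va & ~0xFFF:#x} not present")
        chunk = min(n, PAGE - (va & 0xFFF))
        out += mem.read(hit[0], chunk)
        va, n = va + chunk, n - chunk
    return bytes(out)


def map_page(mem, cr3, va, pa, flags=PRESENT | WRITABLE, large=False):
    """Constructed helper: install va -> pa (4 KiB, or 2 MiB if large), allocating tables on demand."""
    table = cr3 & ADDR_MASK
    for shift in ((39, 30) if large else (39, 30, 21)):
        slot = table + ((va >> shift) & 0x1FF) * 8
        entry = mem.read_u64(slot)
        if not entry & PRESENT:
            entry = mem.alloc_table() | PRESENT | WRITABLE
            mem.write_u64(slot, entry)
        table = entry & ADDR_MASK
    leaf_shift, leaf_flags = (21, flags | PS) if large else (12, flags)
    mem.write_u64(table + ((va >> leaf_shift) & 0x1FF) * 8, (pa & ADDR_MASK) | leaf_flags)


def build_sample_guest():
    """Constructed guest: two adjacent kernel virtual pages backed by non-adjacent
    frames, one 2 MiB mapping, and a 16-byte string that straddles the page boundary."""
    mem = GuestMemory()
    cr3 = mem.alloc_table()                                  # PML4
    map_page(mem, cr3, KERNEL_VA, 0x100000)
    map_page(mem, cr3, KERNEL_VA + PAGE, 0x300000, flags=PRESENT | NX)
    map_page(mem, cr3, HUGE_VA, 0x40000000, large=True)
    mem.write(0x100000 + 0xFF8, b"task_str")                # last 8 bytes of the first frame
    mem.write(0x300000, b"uct:init")                         # first 8 bytes of the second frame
    return mem, cr3
```

The point of `read_virt` is the failure mode: a naive `mem.read(paddr, n)` starting at the first translation would silently return the wrong bytes once a read crosses into a page that is backed by a non-adjacent frame, or keep going into a page that is not present at all. Translating every 4 KiB piece separately, and refusing to read when an entry is not present, is what keeps the introspection "safe" in the sense the text uses.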