Cloud forensics and incident response platform
| Field | Content |
|---|---|
| DWPI Title | Method for performing cloud forensics and incident response, involves performing intercepting and extracting without knowledge of operating environment of virtual machine (VM) and of hypervisor |
| Abstract | A system, method, and device for cloud forensics and incident response is provided. In an embodiment, a computer-implemented method for performing cloud forensics and incident response includes intercepting, by a cloud incident response module (CIRM), communication between a virtual machine (VM) and a hypervisor. The method also includes extracting, by the CIRM, data from the communication between the VM and the hypervisor according to a forensic policy. Intercepting and extracting the data are transparent to, and independent of, the VM and the hypervisor. |
| Use | Method for performing cloud forensics and incident response in a cloud environment. |
| Advantage | The VMs run until an operation within the guest causes a VM-exit, which passes control to the CIRM's VM-exit handler routine. This provides the foundation for understanding the dynamic behavior of actors within the VM, permits introspection without introducing artifacts into the running system, and allows full control over the guest system. The system can verify the extraction of various forensic artifacts from the system without adversely affecting the guest and without the guest detecting the introspection. |
| Novelty | The method (500) involves intercepting (506) communication between a VM and a hypervisor by a cloud incident response module (CIRM). Data is extracted (508) from the communication between the VM and the hypervisor according to a forensic policy by the CIRM. The intercepting and the extracting are transparent to the VM and to the hypervisor, and are performed without knowledge of the operating environment of the VM or of the hypervisor. A second communication, between a second VM and a second hypervisor, is also intercepted by the CIRM. |
| Filed | 7/31/2018 |
| Application Number | US16051005A |
| Tech ID | SD 14747.0 |
| Government Support | This invention was made with Government support under Contract No. DE-NA0003525 awarded by the United States Department of Energy/National Nuclear Security Administration. The Government has certain rights in the invention. |
| Source | Data from Derwent World Patents Index, provided by Clarivate. |