{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,30]],"date-time":"2026-01-30T00:18:27Z","timestamp":1769732307160,"version":"3.49.0"},"publisher-location":"Berlin, Heidelberg","reference-count":33,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"value":"9783642412837","type":"print"},{"value":"9783642412844","type":"electronic"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2013]]},"DOI":"10.1007\/978-3-642-41284-4_2","type":"book-chapter","created":{"date-parts":[[2013,10,22]],"date-time":"2013-10-22T13:35:11Z","timestamp":1382448911000},"page":"21-40","source":"Crossref","is-referenced-by-count":30,"title":["Hypervisor Memory Forensics"],"prefix":"10.1007","author":[{"given":"Mariano","family":"Graziano","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Andrea","family":"Lanzi","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Davide","family":"Balzarotti","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","reference":[{"key":"2_CR1","unstructured":"Amd\u2019s market share drops, \n \n http:\/\/www.cpu-wars.com\/2012\/11\/amds-market-share-drops-below-17-due-to.html"},{"key":"2_CR2","unstructured":"Documentation\/dma-mapping.txt"},{"key":"2_CR3","unstructured":"Elcomsoft forensic disk decryptor, \n \n http:\/\/www.elcomsoft.com\/edff.html"},{"key":"2_CR4","unstructured":"Inception memory acquisition tool, \n \n http:\/\/www.breaknenter.org\/projects\/inception\/"},{"key":"2_CR5","unstructured":"Nehalem architecture, \n \n http:\/\/www.intel.com\/pressroom\/archive\/reference\/whitepaper_Nehalem.pdf"},{"key":"2_CR6","unstructured":"Volatility framework: Volatile memory artifact extraction utility framework, \n \n https:\/\/www.volatilesystems.com\/default\/volatility"},{"key":"2_CR7","first-page":"35","volume-title":"Proceedings of the 2012 USENIX Conference on Annual Technical Conference, USENIX ATC 2012","author":"O. Agesen","year":"2012","unstructured":"Agesen, O., Mattson, J., Rugina, R., Sheldon, J.: Software techniques for avoiding hardware virtualization exits. In: Proceedings of the 2012 USENIX Conference on Annual Technical Conference, USENIX ATC 2012, pp. 35\u201335. USENIX Association, Berkeley (2012)"},{"key":"2_CR8","doi-asserted-by":"publisher","first-page":"114","DOI":"10.1016\/j.diin.2007.06.010","volume":"4","author":"A.R. Arasteh","year":"2007","unstructured":"Arasteh, A.R., Debbabi, M.: Forensic memory analysis: From stack and code to execution history. Digit. Investig.\u00a04, 114\u2013125 (2007)","journal-title":"Digit. Investig."},{"key":"2_CR9","first-page":"1","volume-title":"Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, OSDI 2010","author":"M. Ben-Yehuda","year":"2010","unstructured":"Ben-Yehuda, M., Day, M.D., Dubitzky, Z., Factor, M., Har\u2019El, N., Gordon, A., Liguori, A., Wasserman, O., Yassour, B.-A.: The turtles project: design and implementation of nested virtualization. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, OSDI 2010, pp. 1\u20136. USENIX Association, Berkeley (2010)"},{"key":"2_CR10","unstructured":"Betz, C.: Memparser, \n \n http:\/\/www.dfrws.org\/2005\/challenge\/memparser.shtml"},{"key":"2_CR11","first-page":"255","volume-title":"Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation, OSDI 2008","author":"A. Cozzie","year":"2008","unstructured":"Cozzie, A., Stratton, F., Xue, H., King, S.T.: Digging for data structures. In: Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation, OSDI 2008, pp. 255\u2013266. USENIX Association, Berkeley (2008)"},{"issue":"1","key":"2_CR12","doi-asserted-by":"publisher","first-page":"23","DOI":"10.1007\/s11416-009-0130-8","volume":"7","author":"A. Desnos","year":"2011","unstructured":"Desnos, A., Filiol, E., Lefou, I.: Detecting (and creating!) a hvm rootkit (aka bluepill-like). Journal in Computer Virology\u00a07(1), 23\u201349 (2011)","journal-title":"Journal in Computer Virology"},{"key":"2_CR13","doi-asserted-by":"publisher","first-page":"62","DOI":"10.1016\/j.diin.2007.06.008","volume":"4","author":"B. Dolan-Gavitt","year":"2007","unstructured":"Dolan-Gavitt, B.: The vad tree: A process-eye view of physical memory. Digit. Investig.\u00a04, 62\u201364 (2007)","journal-title":"Digit. Investig."},{"key":"2_CR14","doi-asserted-by":"publisher","first-page":"566","DOI":"10.1145\/1653662.1653730","volume-title":"Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS 2009","author":"B. Dolan-Gavitt","year":"2009","unstructured":"Dolan-Gavitt, B., Srivastava, A., Traynor, P., Giffin, J.: Robust signatures for kernel data structures. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS 2009, pp. 566\u2013577. ACM, New York (2009)"},{"key":"2_CR15","doi-asserted-by":"crossref","unstructured":"Fattori, A., Paleari, R., Martignoni, L., Monga, M.: Dynamic and transparent analysis of commodity production systems. In: Proceedings of the 25th International Conference on Automated Software Engineering (ASE), pp. 417\u2013426 (September 2010)","DOI":"10.1145\/1858996.1859085"},{"key":"2_CR16","doi-asserted-by":"publisher","first-page":"74","DOI":"10.1145\/800122.803950","volume-title":"Proceedings of the workshop on virtual computer systems","author":"R.P. Goldberg","year":"1973","unstructured":"Goldberg, R.P.: Architecture of virtual machines. In: Proceedings of the workshop on virtual computer systems, pp. 74\u2013112. ACM, New York (1973)"},{"issue":"5","key":"2_CR17","doi-asserted-by":"publisher","first-page":"91","DOI":"10.1145\/1506409.1506429","volume":"52","author":"J. Alex Halderman","year":"2009","unstructured":"Alex Halderman, J., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: cold-boot attacks on encryption keys. Commun. ACM\u00a052(5), 91\u201398 (2009)","journal-title":"Commun. ACM"},{"key":"2_CR18","unstructured":"Intel. Intel\u00ae 64 and IA-32 Architectures Software Developer\u2019s Manual - Combined Volumes: 1, 2A, 2B, 2C, 3A, 3B and 3C (August 2012)"},{"key":"2_CR19","doi-asserted-by":"crossref","unstructured":"King, S.T., Chen, P.M., Wang, Y.-M., Verbowski, C., Wang, H.J., Lorch, J.R.: Subvirt: Implementing malware with virtual machines. In: IEEE Symposium on Security and Privacy, pp. 314\u2013327 (2006)","DOI":"10.1109\/SP.2006.38"},{"key":"2_CR20","first-page":"217","volume-title":"Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2011","author":"B. Liang","year":"2011","unstructured":"Liang, B., You, W., Shi, W., Liang, Z.: Detecting stealthy malware with inter-structure and imported signatures. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2011, pp. 217\u2013227. ACM, New York (2011)"},{"key":"2_CR21","unstructured":"Lin, Z., Rhee, J., Zhang, X., Xu, D., Jiang, X.: Siggraph: Brute force scanning of kernel data structure instances using graph-based signatures. In: NDSS (2011)"},{"key":"2_CR22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"297","DOI":"10.1007\/978-3-642-15512-3_16","volume-title":"Recent Advances in Intrusion Detection","author":"L. Martignoni","year":"2010","unstructured":"Martignoni, L., Fattori, A., Paleari, R., Cavallaro, L.: Live and Trustworthy Forensic Analysis of Commodity Production Systems. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol.\u00a06307, pp. 297\u2013316. Springer, Heidelberg (2010)"},{"key":"2_CR23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"21","DOI":"10.1007\/978-3-642-37300-8_2","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"P. Stewin","year":"2013","unstructured":"Stewin, P., Bystrov, I.: Understanding DMA malware. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol.\u00a07591, pp. 21\u201341. Springer, Heidelberg (2013)"},{"issue":"7","key":"2_CR24","doi-asserted-by":"publisher","first-page":"412","DOI":"10.1145\/361011.361073","volume":"17","author":"G.J. Popek","year":"1974","unstructured":"Popek, G.J., Goldberg, R.P.: Formal requirements for virtualizable third generation architectures. Commun. ACM\u00a017(7), 412\u2013421 (1974)","journal-title":"Commun. ACM"},{"key":"2_CR25","doi-asserted-by":"crossref","unstructured":"Reina, A., Fattori, A., Pagani, F., Cavallaro, L., Bruschi, D.: When Hardware Meets Software: a Bulletproof Solution to Forensic Memory Acquisition. In: Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC), Orlando, Florida (December 2012)","DOI":"10.1145\/2420950.2420962"},{"key":"2_CR26","unstructured":"Rutkowska, J.: Subverting Vista Kernel for Fun and Profit. Black Hat USA (August 2006)"},{"key":"2_CR27","unstructured":"Rutkowska, J.: Beyond The CPU: Defeating Hardware Based RAM acquisition. Black Hat USA (2007)"},{"key":"2_CR28","doi-asserted-by":"publisher","first-page":"335","DOI":"10.1145\/1294261.1294294","volume-title":"Proceedings of Twenty-first ACM SIGOPS Symposium on Operating Systems Principles, SOSP 2007","author":"A. Seshadri","year":"2007","unstructured":"Seshadri, A., Luk, M., Qu, N., Perrig, A.: Secvisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity oses. In: Proceedings of Twenty-first ACM SIGOPS Symposium on Operating Systems Principles, SOSP 2007, pp. 335\u2013350. ACM, New York (2007)"},{"key":"2_CR29","doi-asserted-by":"publisher","first-page":"121","DOI":"10.1145\/1508293.1508311","volume-title":"Proceedings of the 2009 ACM SIGPLAN\/SIGOPS International Conference on Virtual Execution Environments, VEE 2009","author":"T. Shinagawa","year":"2009","unstructured":"Shinagawa, T., Eiraku, H., Tanimoto, K., Omote, K., Hasegawa, S., Horie, T., Hirano, M., Kourai, K., Oyama, Y., Kawai, E., Kono, K., Chiba, S., Shinjo, Y., Kato, K.: Bitvisor: a thin hypervisor for enforcing i\/o device security. In: Proceedings of the 2009 ACM SIGPLAN\/SIGOPS International Conference on Virtual Execution Environments, VEE 2009, pp. 121\u2013130. ACM, New York (2009)"},{"key":"2_CR30","volume-title":"Virtual Machines: Versatile Platforms for Systems and Processes (The Morgan Kaufmann Series in Computer Architecture and Design)","author":"J. Smith","year":"2005","unstructured":"Smith, J., Nair, R.: Virtual Machines: Versatile Platforms for Systems and Processes (The Morgan Kaufmann Series in Computer Architecture and Design). Morgan Kaufmann Publishers Inc., San Francisco (2005)"},{"key":"2_CR31","unstructured":"Zhang, X., Dong, E.: Nested Virtualization Update from Intel. Xen Summit (2012)"},{"key":"2_CR32","unstructured":"Lin, Z., Rhee, J., Wu, C., Zhang, X., Xu, D.: Discovering semantic data of interest from un-mappable memory with confidence. In: Proceedings of the 19th Network and Distributed System Security Symposium, NDSS 2012 (2012)"},{"key":"2_CR33","unstructured":"Dai Zovi, D.A.: Hardware Virtualization Rootkits. Black Hat USA (August 2006)"}],"container-title":["Lecture Notes in Computer Science","Research in Attacks, Intrusions, and Defenses"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-642-41284-4_2","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,5,23]],"date-time":"2019-05-23T18:34:41Z","timestamp":1558636481000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-642-41284-4_2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2013]]},"ISBN":["9783642412837","9783642412844"],"references-count":33,"URL":"https:\/\/doi.org\/10.1007\/978-3-642-41284-4_2","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2013]]}}}