{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2022,3,30]],"date-time":"2022-03-30T21:14:33Z","timestamp":1648674873199},"reference-count":56,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2013,10,16]],"date-time":"2013-10-16T00:00:00Z","timestamp":1381881600000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Int J Parallel Prog"],"published-print":{"date-parts":[[2015,6]]},"DOI":"10.1007\/s10766-013-0285-2","type":"journal-article","created":{"date-parts":[[2013,10,15]],"date-time":"2013-10-15T13:32:47Z","timestamp":1381843967000},"page":"455-471","source":"Crossref","is-referenced-by-count":8,"title":["A Virtualization Based Monitoring System for Mini-intrusive Live Forensics"],"prefix":"10.1007","volume":"43","author":[{"given":"Xianming","family":"Zhong","sequence":"first","affiliation":[]},{"given":"Chengcheng","family":"Xiang","sequence":"additional","affiliation":[]},{"given":"Miao","family":"Yu","sequence":"additional","affiliation":[]},{"given":"Zhengwei","family":"Qi","sequence":"additional","affiliation":[]},{"given":"Haibing","family":"Guan","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2013,10,16]]},"reference":[{"key":"285_CR1","unstructured":"Symantec Corporation: Norton Cybercrime Report. http:\/\/now-static.norton.com\/ (2012)"},{"key":"285_CR2","doi-asserted-by":"crossref","unstructured":"Yen, P.H., Yang, C.H., Ahn, T.N.: Design and implementation of a live-analysis digital forensic system. In: Proceedings of the: International Conference on Hybrid Information Technology, pp. 239\u2013243. ICHIT \u201909. ACM, New York, NY, USA (2009)","DOI":"10.1145\/1644993.1645038"},{"key":"285_CR3","volume-title":"File System Forensic Analysis","author":"BD Carrier","year":"2005","unstructured":"Carrier, B.D.: File System Forensic Analysis. Addison-Wesley Professional, Reading, MA (2005)"},{"key":"285_CR4","unstructured":"Guidance Software, Inc.: EnCase. http:\/\/www.guidancesoftware.com\/ (2001)"},{"key":"285_CR5","unstructured":"AccessData Group: FTK. http:\/\/www.accessdata.com\/ (2003)"},{"key":"285_CR6","unstructured":"Buchholz, F.: Pervasive Binding of Labels to System Processes. PhD thesis, Purdue University (2005)"},{"key":"285_CR7","doi-asserted-by":"crossref","first-page":"74","DOI":"10.1145\/1368506.1368517","volume":"42","author":"B Hay","year":"2008","unstructured":"Hay, B., Nance, K.: Forensics examination of volatile system data using virtual introspection. SIGOPS Oper. Syst. Rev. 42, 74\u201382 (2008)","journal-title":"SIGOPS Oper. Syst. Rev."},{"key":"285_CR8","doi-asserted-by":"crossref","unstructured":"Dolan-Gavitt, B., Srivastava, A., Traynor, P., Giffin, J.T.: Robust signatures for kernel data structures. In: Al-Shaer, E., Jha, S., Keromytis, A.D. (eds.) ACM Conference on Computer and Communications Security, pp. 566\u2013577. ACM (2009)","DOI":"10.1145\/1653662.1653730"},{"key":"285_CR9","doi-asserted-by":"crossref","unstructured":"Ando, R., Kadobayashi, Y., Shinoda, Y.: Asynchronous pseudo physical memory snapshot and forensics on paravirtualized vmm using split kernel module. In: Nam, K.H., Rhee, G., (eds.) ICISC. vol. 4817 of Lecture Notes in Computer Science, pp. 131\u2013143. Springer (2007)","DOI":"10.1007\/978-3-540-76788-6_11"},{"key":"285_CR10","doi-asserted-by":"crossref","unstructured":"Savoldi, A., Gubian, P.: Towards the virtual memory space reconstruction for windows live forensic purposes. In: IEEE Computer Society SADFE, pp. 15\u201322 (2008)","DOI":"10.1109\/SADFE.2008.21"},{"key":"285_CR11","doi-asserted-by":"crossref","first-page":"65","DOI":"10.1145\/1368506.1368516","volume":"42","author":"I Sutherland","year":"2008","unstructured":"Sutherland, I., Evans, J., Tryfonas, T., Blyth, A.: Acquiring volatile operating system data tools and techniques. SIGOPS Oper. Syst. Rev. 42, 65\u201373 (2008)","journal-title":"SIGOPS Oper. Syst. Rev."},{"key":"285_CR12","unstructured":"MoonSols: Win32dd. http:\/\/moonsols.com\/blog\/2-blog\/9-moonsols-windows-memory-toolkit (2008)"},{"key":"285_CR13","unstructured":"GMG Systems, Inc.: KnTTools. http:\/\/gmgsystemsinc.com\/knttools\/ (2005)"},{"key":"285_CR14","unstructured":"McAfee, Inc.: Fport. http:\/\/www.scanwith.com\/download\/Fport.htm (2005)"},{"key":"285_CR15","unstructured":"MANDIANT Corporation: Memoryze. http:\/\/www.mandiant.com\/products\/free_software\/memoryze\/ (2008)"},{"key":"285_CR16","doi-asserted-by":"crossref","unstructured":"Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T.L., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the art of virtualization. In: Scott, M.L., Peterson, L.L. (eds.) SOSP, pp. 164\u2013177. ACM (2003)","DOI":"10.1145\/1165389.945462"},{"key":"285_CR17","unstructured":"AMD Corporation: AMD Virtualization. www.amd.com\/virtualization\/ (2005)"},{"key":"285_CR18","unstructured":"Intel Corporation: Intel Virtualization Technology. http:\/\/www.intel.com\/technology\/virtualization\/ (2005)"},{"key":"285_CR19","doi-asserted-by":"crossref","unstructured":"Krishnan, S., Snow, K.Z., Monrose, F.: Trail of bytes: efficient support for forensic analysis. In Al-Shaer, E., Keromytis, A.D., Shmatikov, V., eds.: ACM Conference on Computer and Communications Security, pp. 50\u201360. ACM (2010)","DOI":"10.1145\/1866307.1866314"},{"key":"285_CR20","doi-asserted-by":"crossref","first-page":"126","DOI":"10.1016\/j.diin.2007.06.009","volume":"4","author":"B Schatz","year":"2007","unstructured":"Schatz, B.: Bodysnatcher: Towards reliable volatile memory acquisition by software. Digit. Investig. 4, 126\u2013134 (2007)","journal-title":"Digit. Investig."},{"key":"285_CR21","doi-asserted-by":"crossref","unstructured":"Ayers, D.: A second generation computer forensic analysis system. In: Proceedings of the 9th Annual Digital Forensic Research Workshop. DFRWS (2009)","DOI":"10.1016\/j.diin.2009.06.013"},{"key":"285_CR22","doi-asserted-by":"crossref","unstructured":"Garfinkel, S.: Digital forensics research: The next 10 years. In: Proceedings of the 10th Annual Digital Forensic Research Workshop. DFRWS (2010)","DOI":"10.1016\/j.diin.2010.05.009"},{"key":"285_CR23","doi-asserted-by":"crossref","unstructured":"Wang, Z., Wu, C., Grace, M., Jiang, X.: Isolating commodity hosted hypervisors with hyperlock. In: Proceedings of the 7th ACM European Conference on Computer Systems. EuroSys \u201912, pp. 127\u2013140. New York, NY, USA, ACM (2012)","DOI":"10.1145\/2168836.2168850"},{"key":"285_CR24","doi-asserted-by":"crossref","unstructured":"Seshadri, A., Luk, M., Qu, N., Perrig, A.: Secvisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity oses. In: ACM SIGOPS Operating Systems Review, vol. 41, pp. 335\u2013350. ACM (2007)","DOI":"10.1145\/1323293.1294294"},{"key":"285_CR25","doi-asserted-by":"crossref","unstructured":"Shinagawa, T., Eiraku, H., Tanimoto, K., Omote, K., Hasegawa, S., Horie, T., Hirano, M., Kourai, K., Oyama, Y., Kawai, E., Kono, K., Chiba, S., Shinjo, Y., Kato, K.: Bitvisor: a thin hypervisor for enforcing i\/o device security. In: Proceedings of the: ACM SIGPLAN\/SIGOPS International Conference on Virtual Execution Environments, VEE \u201909, pp. 121\u2013130. ACM , New York, NY, USA (2009)","DOI":"10.1145\/1508293.1508311"},{"key":"285_CR26","unstructured":"Rutkowska, J.: Subverting Vistatm Kernel for Fun and Profit. Black Hat Briefings (2006)"},{"key":"285_CR27","unstructured":"Wojtczuk, R., Rutkowska, J.: Attacking SMM Memory via Intel CPU Cache Poisoning. Invisible Things Lab (2009)"},{"key":"285_CR28","unstructured":"Wojtczuk, R., Rutkowska, J.: Attacking Intel Trusted Execution Technology. Black Hat DC (2009)"},{"key":"285_CR29","unstructured":"Wojtczuk, R., Rutkowska, J., Tereshkin, A.: Xen 0wning Trilogy. Invisible Things Lab (2008)"},{"key":"285_CR30","unstructured":"Invisible Things Lab: NewBluePill. http:\/\/theinvisiblethings.blogspot.com\/2006\/06\/introducing-blue-pill.html (2006)"},{"key":"285_CR31","unstructured":"Intel, I.: Intel 64 and IA-32 Architectures Software Developer\u2019s Manuals. (2007)"},{"key":"285_CR32","doi-asserted-by":"crossref","unstructured":"Martignoni, L., Fattori, A., Paleari, R., Cavallaro, L.: Live and trustworthy forensic analysis of commodity production systems. In: Proceedings of the 13th International Conference on Recent Advances in Intrusion Detection, pp. 297\u2013316. RAID\u201910 (2010)","DOI":"10.1007\/978-3-642-15512-3_16"},{"key":"285_CR33","doi-asserted-by":"crossref","unstructured":"Wang, Z.,Jiang, X.: Hypersafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In: IEEE Symposium on Security and Privacy (SP), pp. 380\u2013395. IEEE (2010)","DOI":"10.1109\/SP.2010.30"},{"key":"285_CR34","unstructured":"Trusted Computing Group: Trusted Platform Module. http:\/\/www.trustedcomputinggroup.org\/developers\/trusted_platform_module (2011)"},{"key":"285_CR35","doi-asserted-by":"crossref","unstructured":"Jones, S.T., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H.: Vmm-based hidden process detection and identification using lycosid. In: Proceedings of the Fourth ACM SIGPLAN\/SIGOPS International Conference on Virtual Execution Environments. VEE \u201908, pp. 91\u2013100. New York, NY, USA, ACM (2008)","DOI":"10.1145\/1346256.1346269"},{"key":"285_CR36","doi-asserted-by":"crossref","unstructured":"Yu, M., Lin, Q., Li, B., Qi, Z., Guan, H.: Vis: Virtualization enhanced live acquisition for native system. In: Proceedings of the Second Asia-Pacific Workshop on Systems, p. 13. ACM (2011)","DOI":"10.1145\/2103799.2103815"},{"key":"285_CR37","doi-asserted-by":"crossref","unstructured":"Yu, M., Qi, Z., Lin, Q., Zhong, X., Li, B., Guan, H.: Vis: Virtualization enhanced live forensics acquisition for native system. Digit. Investig. 9, 22\u201333 (2012)","DOI":"10.1016\/j.diin.2012.04.002"},{"key":"285_CR38","doi-asserted-by":"crossref","unstructured":"Zhou, Q., Yu, J., Yu, F.: A trust-based defensive system model for cloud computing. In: Altman, E., Shi, W. (eds.) Network and Parallel Computing, pp. 146\u2013159. Springer (2011)","DOI":"10.1007\/978-3-642-24403-2_12"},{"key":"285_CR39","doi-asserted-by":"crossref","unstructured":"Cheng, B.C., Liao, G.T., Lin, C.K., Hsu, S.C., Hsu, P.H., Park, J.H.: Mib-itrace-cp: An improvement of icmp-based traceback efficiency in network forensic analysis. In: Park, J.J., Zomaya, A., Yeo, S.-S., Sahni, S. (eds.) Network and Parallel Computing, pp. 101\u2013109. Springer (2012)","DOI":"10.1007\/978-3-642-35606-3_12"},{"key":"285_CR40","unstructured":"Intel, I.: Intel 82575EB Gigabit Ethernet Controller Software Developer Manual and EEPROM Guide (2011)"},{"key":"285_CR41","doi-asserted-by":"crossref","unstructured":"Murray, D., Milos, G., Hand, S.: Improving xen security through disaggregation. In: Proceedings of the Fourth ACM SIGPLAN\/SIGOPS International Conference on Virtual Execution Environments, pp. 151\u2013160 ACM (2008)","DOI":"10.1145\/1346256.1346278"},{"key":"285_CR42","unstructured":"Standard Performance Evaluation Corporation: SPEC CPU2000. http:\/\/www.spec.org\/cpu2000\/ (2000)"},{"key":"285_CR43","unstructured":"Intel Corporation: Iometer. http:\/\/www.iometer.org\/ (1998)"},{"key":"285_CR44","unstructured":"Free Development software: JPerf. http:\/\/sourceforge.net\/projects\/jperf\/ (2011)"},{"key":"285_CR45","unstructured":"The Apache Software Foundation: The Apache web server. http:\/\/www.apache.org\/ (1999)"},{"key":"285_CR46","unstructured":"P. Rubin, D.M., Kemp, S.: Gnu dd. http:\/\/www.gnu.org\/software\/coreutils\/ (2005)"},{"key":"285_CR47","unstructured":"Goyal, V., Biederman, E.W., Nellitheertha, H.: Kdump, a kexec based kernel crash dumping mechanism. In: Linux Symposium (2005)"},{"key":"285_CR48","unstructured":"Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: The Internet Society NDSS (2003)"},{"key":"285_CR49","doi-asserted-by":"crossref","unstructured":"Jiang, X., Wang, X.: out-of-the-box monitoring of vm-based high-interaction honeypots. In: Recent Advances in Intrusion Detection, pp. 198\u2013218. Springer (2007)","DOI":"10.1007\/978-3-540-74320-0_11"},{"key":"285_CR50","volume-title":"Vm Snapshots","author":"P Colp","year":"2009","unstructured":"Colp, P., Matthews, C., Aiello, B., Warfield, A.: Vm Snapshots. Xen Summit, North America (2009)"},{"key":"285_CR51","unstructured":"VMware, Inc.: VMware Workstation. http:\/\/www.vmware.com\/products\/workstation\/ (1999)"},{"key":"285_CR52","doi-asserted-by":"crossref","unstructured":"Reina, A., Fattori, A., Pagani, F., Cavallaro, L., Bruschi, D.: When hardware meets software: A bulletproof solution to forensic memory acquisition (2012)","DOI":"10.1145\/2420950.2420962"},{"key":"285_CR53","doi-asserted-by":"crossref","first-page":"50","DOI":"10.1016\/j.diin.2003.12.001","volume":"1","author":"BD Carrier","year":"2004","unstructured":"Carrier, B.D., Grand, J.: A hardware-based memory acquisition procedure for digital investigations. Digit Investig 1, 50\u201360 (2004)","journal-title":"Digit Investig"},{"key":"285_CR54","unstructured":"Boileau, A.: Hit by a bus: Physical access attacks with firewire. In: Ruxcon (2006)"},{"key":"285_CR55","unstructured":"Martin, A.: Firewire memory dump of a Windows XP computer: A forensic approach. Technical Report (2007)"},{"key":"285_CR56","unstructured":"Rutkowska, J.: Beyond the CPU: Defeating hardware based RAM acquisition. In: Proceedings of BlackHat DC 2007 (2007)"}],"container-title":["International Journal of Parallel Programming"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10766-013-0285-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s10766-013-0285-2\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10766-013-0285-2","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,7,30]],"date-time":"2019-07-30T17:36:02Z","timestamp":1564508162000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s10766-013-0285-2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2013,10,16]]},"references-count":56,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2015,6]]}},"alternative-id":["285"],"URL":"https:\/\/doi.org\/10.1007\/s10766-013-0285-2","relation":{},"ISSN":["0885-7458","1573-7640"],"issn-type":[{"value":"0885-7458","type":"print"},{"value":"1573-7640","type":"electronic"}],"subject":[],"published":{"date-parts":[[2013,10,16]]}}}