Virtual machines: the ultimate tool for computer forensics

  • Peter Chen | University of Michigan at Ann Arbor

The field of computer forensics seeks to help investigators reconstruct what happened during a computer intrusion. Did an attacker break in, and if so, how? What havoc did the attacker wreak after breaking in? Tools that help investigators answer these types of questions are still quite primitive and are often hindered by incomplete or incorrect information. Virtual machines can enable more-powerful forensic analysis through techniques such as replaying a computer’s instruction stream and introspecting on the state of a virtual machine. This talk describes how to provide and use virtual machine replay and introspection to enable arbitrary forensic analysis, enable reverse debugging of intrusions and bugs, and detect intrusions in the past and present through vulnerability-specific predicates.

Speaker Details

Peter Chen is an Associate Professor in the Department of Electrical Engineering and Computer Science at the University of Michigan at Ann Arbor. His research interests include operating systems, computer security, and fault-tolerant computing. His current research applies and extends virtual machine technology to computer forensics and security. He is addicted to teaching and supplements university teaching with teaching children about God at church and homeschooling his three children in math.
