Abstract: Disclosed is a system for forensic data acquisition through virtual machine introspection (VMI), comprising a first computing device which comprises a virtual environment housing a target virtual machine (VM). The virtual environment enables access to and analysis of data at the hypervisor layer without altering the current state of the target VM, aiming to identify unauthorized access attempts. An inspection device, operatively coupled to the virtual environment, receives data processing input from a forensic data collector to capture a memory state snapshot of the target VM via the hypervisor without evidence tampering, retrieve a plurality of disk images from the target VM for offline analysis preservation, and provide visibility into the network activity of the VM by tracking and documenting network traffic within the virtual environment to generate a network activity log. A storage unit, operatively connected to both the inspection device and the virtual environment, is arranged to store the captured memory state snapshot, the retrieved disk images, and the generated network activity log, thereby indicating memory, disk, and network activities of the target VM.
Description: Field of the Invention
Generally, the present disclosure relates to systems for forensic data acquisition. Particularly, the present disclosure relates to a system for forensic data acquisition through virtual machine introspection (VMI).
Background
The background description includes information that may be useful in understanding the present invention. It is not an admission that any of the information provided herein is prior art or relevant to the presently claimed invention, or that any publication specifically or implicitly referenced is prior art.
Forensic data acquisition is an important component in the analysis of digital evidence, particularly in the context of cybersecurity and digital forensics. The ability to accurately capture and analyze data from computing devices is utilized for identifying unauthorized access attempts and understanding the actions of attackers. Traditional forensic data acquisition methods often comprise direct physical access to the digital device, which can result in the alteration of the state of device, compromising the integrity of the evidence. Furthermore, traditional forensic data acquisition methods may not be effective in environments where systems are virtualized.
Virtualization techniques have become prevalent in modern computing environments, enabling the creation of virtual machines (VMs) which run concurrently on a single physical hardware platform. The use of virtual environments introduces complexities in forensic data acquisition because data is not stored directly on physical hardware but within a virtual layer managed by a hypervisor. Existing approaches to forensic analysis in virtualized environments typically rely on techniques which require stopping the target VM to create a snapshot or copying VM disk files. However, techniques which require stopping the target VM to create a snapshot or copying VM disk files can disrupt the continuity of system operations and may not capture transient states or ongoing network activities effectively.
The interruption of system operations and alteration of system state during data acquisition poses significant challenges, such as the risk of evidence tampering, whether inadvertent or malicious, and the inability to capture data such as active network connections or the contents of volatile memory. Moreover, the complexity of accurately capturing the state of a VM, together with both persistent and volatile data, without affecting the operation of the virtual environment, remains a significant obstacle. Additionally, traditional methods often lack the capability to provide a view of the network activity from within the virtual environment, making it difficult to trace unauthorized access attempts effectively.
In light of the above discussion, there exists an urgent need for solutions which overcome the problems associated with conventional systems and techniques for forensic data acquisition in virtualized environments.
All publications herein are incorporated by reference to the same extent as if each individual publication or patent application were specifically and individually indicated to be incorporated by reference. Where a definition or use of a term in an incorporated reference is inconsistent or contrary to the definition of that term provided herein, the definition of that term provided herein applies and the definition of that term in the reference does not apply.
In some embodiments, the numbers expressing quantities of ingredients, properties such as concentration, reaction conditions, and so forth, used to describe and claim certain embodiments of the invention are to be understood as being modified in some instances by the term “about.” Accordingly, in some embodiments, the numerical parameters set forth in the written description and attached claims are approximations that can vary depending upon the desired properties sought to be obtained by a particular embodiment. In some embodiments, the numerical parameters should be construed in light of the number of reported significant digits and by applying ordinary rounding techniques. Notwithstanding that the numerical ranges and parameters setting forth the broad scope of some embodiments of the invention are approximations, the numerical values set forth in the specific examples are reported as precisely as practicable. The numerical values presented in some embodiments of the invention may contain certain errors necessarily resulting from the standard deviation found in their respective testing measurements.
As used in the description herein and throughout the claims that follow, the meaning of “a,” “an,” and “the” includes plural reference unless the context clearly dictates otherwise. Also, as used in the description herein, the meaning of “in” includes “in” and “on” unless the context clearly dictates otherwise.
The recitation of ranges of values herein is merely intended to serve as a shorthand method of referring individually to each separate value falling within the range. Unless otherwise indicated herein, each individual value is incorporated into the specification as if it were individually recited herein. All methods described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The use of any and all examples, or exemplary language (e.g. “such as”) provided with respect to certain embodiments herein is intended merely to better illuminate the invention and does not pose a limitation on the scope of the invention otherwise claimed. No language in the specification should be construed as indicating any non-claimed element essential to the practice of the invention.
Groupings of alternative elements or embodiments of the invention disclosed herein are not to be construed as limitations. Each group member can be referred to and claimed individually or in any combination with other members of the group or other elements found herein. One or more members of a group can be included in, or deleted from, a group for reasons of convenience and/or patentability. When any such inclusion or deletion occurs, the specification is herein deemed to contain the group as modified thus fulfilling the written description of all Markush groups used in the appended claims.
Summary
In an aspect, the present disclosure aims to provide a system for forensic data acquisition through virtual machine introspection. The system comprises a first computing device including a virtual environment which contains a target virtual machine. The virtual environment is capable of facilitating access to and analysis of data at a hypervisor layer without altering the current state of the target virtual machine, in order to identify unauthorized access attempts. An inspection device is operatively coupled to the virtual environment and receives a set of data processing input from a forensic data collector. The inspection device captures a memory state snapshot of the target virtual machine via the hypervisor without evidence tampering, retrieves a plurality of disk images from the target virtual machine to preserve a complete state for offline analysis, and provides visibility into network activity of the target virtual machine by tracking and documenting the network traffic within the virtual environment to generate a network activity log. A storage unit is operatively connected to the inspection device and the virtual environment, arranged to store the captured memory state snapshot, the retrieved disk images, and the generated network activity log indicative of memory, disk, and network activities of the target virtual machine.
Furthermore, the inspection device comprises a processing module to detect deviations from preset behavior patterns within the virtualized environment by analyzing the captured memory state snapshot, the retrieved disk images, and the generated network activity log. Upon detecting deviations, such as malware infections, insider threats, and unauthorized access attempts, the processing module transmits an alert notification to the inspection device. The processing module utilizes machine learning techniques for detecting deviations. Additionally, the system comprises an interface for integrating the inspection device with one or more external digital forensic platforms, enabling complex analyses and the generation of extensive forensic reports through correlation with other forensic artifacts. The virtual environment is integrated with the inspection device through application programming interfaces provided by the hypervisor, which is selected from VMware, Xen, or KVM, and facilitates access to and analysis of low-level virtual machine states. The inspection device also employs one or more memory forensics techniques to retrieve volatile data from the target virtual machine.
Various objects, features, aspects and advantages of the inventive subject matter will become more apparent from the following detailed description of preferred embodiments, along with the accompanying drawing figures in which like numerals represent like components.
Brief Description of the Drawings
The summary above, as well as the following detailed description of illustrative embodiments, is better understood when read in conjunction with the appended drawings. For the purpose of illustrating the present disclosure, exemplary constructions of the disclosure are shown in the drawings. However, the present disclosure is not limited to specific methods and instrumentalities disclosed herein. Moreover, those in the art will understand that the drawings are not to scale. Wherever possible, like elements have been indicated by identical numbers.
Embodiments of the present disclosure will now be described, by way of example only, with reference to the following diagrams wherein:
FIG. 1 illustrates a block diagram of a system (100) for forensic data acquisition through virtual machine introspection (VMI), in accordance with the embodiments of the present disclosure.
FIG. 2 illustrates a method for forensic data acquisition through VMI, in accordance with the embodiments of the present disclosure.
FIG. 3 illustrates the architecture of a VMI-based forensic data acquisition system, in accordance with the embodiments of the present disclosure.
In the accompanying drawings, a number in parentheses is employed to represent an item over which the number in parentheses is positioned or an item to which the number in parentheses is adjacent. A number not in parentheses relates to an item identified by a line linking the number not in parentheses to the item. When a number is not in parentheses and accompanied by an associated arrow, the number not in parentheses is used to identify a general item at which the arrow is pointing.
Detailed Description
The following detailed description illustrates embodiments of the present disclosure and ways in which they can be implemented. Although some modes of carrying out the present disclosure have been disclosed, those skilled in the art would recognise that other embodiments for carrying out or practising the present disclosure are also possible.
The description set forth below in connection with the appended drawings is intended as a description of certain embodiments of the present disclosure and is not intended to represent the only forms that may be developed or utilised. The description sets forth the various structures and/or functions in connection with the illustrated embodiments; however, it is to be understood that the disclosed embodiments are merely exemplary of the disclosure that may be embodied in various and alternative forms. The figures are not necessarily to scale; some features may be exaggerated or minimised to show details of particular components. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a representative basis for teaching one skilled in the art to variously employ the present invention.
While the disclosure is susceptible to various modifications and alternative forms, specific embodiments thereof have been shown by way of example in the drawings and will be described in detail below. It should be understood, however, that it is not intended to limit the disclosure to the particular forms disclosed, but on the contrary, the disclosure is to cover all modifications, equivalents, and alternatives falling within the scope of the disclosure.
The terms “comprise”, “comprises”, “comprising”, “include(s)”, or any other variations thereof, are intended to cover a non-exclusive inclusion, such that a setup, system that comprises a list of components or steps does not include only those components or steps but may include other components or steps not expressly listed or inherent to such setup or system. In other words, one or more elements in a system or apparatus preceded by “comprises... a” does not, without more constraints, preclude the existence of other elements or additional elements in the system or apparatus.
In the following detailed description of the embodiments of the disclosure, reference is made to the accompanying drawings, in which are shown by way of illustration specific embodiments in which the disclosure may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the disclosure, and it is to be understood that other embodiments may be utilized and that changes may be made without departing from the scope of the present disclosure. The following description is, therefore, not to be taken in a limiting sense.
The present disclosure will be described herein below with reference to the accompanying drawings. In the following description, well known functions or constructions are not described in detail since they would obscure the description with unnecessary detail.
The system for forensic data acquisition through virtual machine introspection (VMI) is considered to offer a solution for accessing and analyzing data within a virtual environment. The system preserves the integrity and security of data during forensic investigations, specifically targeting unauthorized access attempts.
The term "first computing device" as used throughout the present disclosure relates to a hardware component which houses a virtual environment. The virtual environment encompasses a target virtual machine (VM) and is specifically considered to facilitate access to and analysis of data at a hypervisor layer without altering the current state of the target VM. The purpose of maintaining the unaltered state of the target VM is to identify unauthorized access attempts, providing evidence which remains untampered during the process.
The term "inspection device" as used throughout the present disclosure refers to a hardware or software tool which is operatively coupled to the virtual environment. The function of the inspection device is to receive a set of data processing input from a forensic data collector. The functions of the inspection device comprise capturing a memory state snapshot of the target VM via the hypervisor without evidence tampering, retrieving a plurality of disk images from the target VM to preserve a complete state for an offline analysis, and providing visibility into the network activity of the target VM. The inspection device achieves said functions by tracking and documenting the network traffic within the virtual environment and generating a network activity log, thus facilitating a forensic analysis.
The term "storage unit" as used throughout the present disclosure denotes a component considered to store data securely. The storage unit is operatively connected to both the inspection device and the virtual environment. The responsibilities of the storage unit comprise storing the memory state snapshot captured and the disk images retrieved by the inspection device. Additionally, the storage unit stores the generated network activity log, which is indicative of memory, disk, and network activities of the target VM. The storage unit ensures that all important data captured during the forensic investigation is preserved for thorough analysis and future reference.
FIG. 1 illustrates a block diagram of a system (100) for forensic data acquisition through VMI, in accordance with the embodiments of the present disclosure. The system (100) comprises a first computing device (102) which comprises a virtual environment housing a target VM. The virtual environment is pivotal for the non-intrusive access and analysis of data at a hypervisor layer, enabling the identification of unauthorized access attempts without compromising the integrity of the target VM. An inspection device (104) is operatively coupled to the virtual environment, equipped to process a set of data inputs from a forensic data collector. The inspection device (104) enables the capture of a memory state snapshot of the target VM via the hypervisor, ensuring that no evidence tampering occurs. Furthermore, the inspection device (104) retrieves a plurality of disk images from the target VM to maintain a complete state for offline analysis. The inspection device (104) also improves the visibility of the network activity of the target VM by tracking and documenting network traffic within the virtual environment, culminating in the generation of a network activity log. Additionally, a storage unit (106) is operatively connected to both the inspection device (104) and the virtual environment. Its primary role is to store the captured memory state snapshot, the retrieved disk images, and the network activity log produced by the inspection device (104).
In an embodiment, the inspection device (104) comprises a processing module to detect deviations from the preset behavior patterns within the virtualized environment by analyzing the captured memory state snapshot, the retrieved disk images, and the generated network activity log. The inclusion of a processing module within the inspection device (104) improves the capability of the system (100) to identify and analyze anomalies or deviations from established behavior patterns. By utilizing the data collected, including memory state snapshots, disk images, and network activity logs, the processing module systematically detects security threats such as malware infections, insider threats, and unauthorized access attempts.
In another embodiment, upon detecting deviations, the processing module transmits an alert notification to the inspection device (104). The detected deviations which trigger said alert notifications are selected from malware infections, insider threats, and unauthorized access attempts. The alert notification feature enables timely and effective response mechanisms to security incidents within the virtualized environment. By specifying the types of deviations which lead to alert generation, such as malware infections, insider threats, and unauthorized access attempts, the system (100) provides a focused approach to threat detection and management.
In a further embodiment, the processing module utilizes a machine learning technique for detecting the deviations. The adoption of machine learning techniques by the processing module signifies a significant improvement in the ability of the system (100) to identify deviations from preset behavior patterns. The machine learning technique improves the accuracy and efficiency of anomaly detection by learning from historical data and improving over time, and enables the system (100) to adapt to evolving threat landscapes and detect cyber threats with higher accuracy.
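The following is an added example, not code from the disclosure, of the kind of deviation check the processing module of the inspection device (104) performs. It compares two of the acquired artifacts against a preset behavior baseline: the process list recovered from the memory state snapshot, and the network activity log. The baseline values, the JSON log format, the process names and the thresholds are all constructed assumptions for illustration; the disclosure's machine learning variant would replace the fixed baseline with a learned one, which is not shown here. Disk images would be compared against a baseline in the same way (for example by file hashes), which this example omits.

```python
import json
from collections import Counter

# Constructed "preset behavior patterns" for the target VM (hypothetical values).
BASELINE = {
    "processes": {"init", "sshd", "nginx", "cron", "rsyslogd", "kworker"},
    "allowed_ports": {22, 53, 80, 443},
    "known_peers": {"10.0.0.5", "10.0.0.6", "10.0.0.53"},
    "max_outbound_bytes_per_peer": 5_000_000,
}

# Constructed process names as a memory-forensics tool would recover them from the
# memory state snapshot (step 208). "nc" is the deliberately out-of-baseline entry.
SNAPSHOT_PROCESSES = ["init", "sshd", "nginx", "cron", "rsyslogd", "kworker", "nc"]

# Constructed network activity log (step 214), one JSON record per observed flow.
NETWORK_LOG = """
{"ts": "2024-05-01T10:00:01Z", "src": "10.0.0.10", "dst": "10.0.0.5", "dport": 443, "proto": "tcp", "bytes_out": 1200}
{"ts": "2024-05-01T10:00:02Z", "src": "10.0.0.10", "dst": "10.0.0.53", "dport": 53, "proto": "udp", "bytes_out": 80}
{"ts": "2024-05-01T10:00:05Z", "src": "10.0.0.10", "dst": "198.51.100.7", "dport": 4444, "proto": "tcp", "bytes_out": 600}
{"ts": "2024-05-01T10:00:09Z", "src": "10.0.0.10", "dst": "198.51.100.7", "dport": 4444, "proto": "tcp", "bytes_out": 6000000}
{"ts": "2024-05-01T10:00:12Z", "src": "10.0.0.10", "dst": "10.0.0.6", "dport": 22, "proto": "tcp", "bytes_out": 300}
"""


def parse_network_log(text: str) -> list:
    """Parse the JSON-lines network activity log; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_process_deviations(processes: list, baseline: dict) -> list:
    """Flag any process seen in the snapshot that the baseline does not expect."""
    unexpected = sorted(set(processes) - baseline["processes"])
    return [{"type": "unexpected_process", "name": name} for name in unexpected]


def detect_network_deviations(records: list, baseline: dict) -> list:
    """Flag unexpected destination ports, unknown peers and excessive outbound volume."""
    alerts = []
    outbound = Counter()
    reported_peers = set()
    for rec in records:
        if rec["dport"] not in baseline["allowed_ports"]:
            alerts.append({"type": "unexpected_port", "dst": rec["dst"],
                           "dport": rec["dport"], "ts": rec["ts"]})
        if rec["dst"] not in baseline["known_peers"] and rec["dst"] not in reported_peers:
            reported_peers.add(rec["dst"])          # one alert per new peer, not per flow
            alerts.append({"type": "unknown_peer", "dst": rec["dst"], "ts": rec["ts"]})
        outbound[rec["dst"]] += rec["bytes_out"]
    for dst, total in outbound.items():
        if total > baseline["max_outbound_bytes_per_peer"]:
            alerts.append({"type": "excessive_outbound", "dst": dst, "bytes_out": total})
    return alerts


def analyze(processes: list, log_text: str, baseline: dict = BASELINE) -> list:
    """Run both checks and return the combined alert list for the inspection device."""
    return (detect_process_deviations(processes, baseline)
            + detect_network_deviations(parse_network_log(log_text), baseline))


if __name__ == "__main__":
    for alert in analyze(SNAPSHOT_PROCESSES, NETWORK_LOG):
        print(json.dumps(alert, sort_keys=True))
```

On the constructed input this yields five alerts: the unexpected `nc` process, two flows to the non-baseline port 4444, one previously unseen peer, and one peer whose cumulative outbound volume exceeds the threshold. Each alert carries the artifact fields that produced it so the notification sent to the inspection device can be traced back to the stored evidence.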
In another embodiment, the system (100) further comprises an interface for integrating the inspection device (104) with one or more external digital forensic platforms. The incorporation of an interface serves as a bridge which significantly broadens the capabilities of the system (100) in forensic analysis. Through the interface for integration, the inspection device (104) can seamlessly interact with external platforms, enabling a fluid exchange of forensic data and insights.
The ability to interface with multiple external digital forensic platforms introduces a layer of versatility and depth to the forensic investigation process. The interface for integration allows for the forensic data collected by the inspection device (104) to be improved, enriched, and corroborated with data from external sources. The incorporation of data sources by the interface for integration facilitates a multifaceted analysis approach, allowing investigators to draw connections and identify patterns which might not be evident when data sources are considered in isolation.
Moreover, the integration interface aids in the generation of extensive forensic reports through the combined analytical power of the system (100) and external platforms. Extensive forensic reports are instrumental in providing a detailed narrative of security incidents, supported by data from a diverse array of sources. The nature of extensive forensic reports ensures that investigators have a thorough understanding of the incidents, which is essential for devising effective response strategies.
Ultimately, the inclusion of an interface for integration with external digital forensic platforms substantially improves the utility of the system (100) in forensic investigations. The interface for integration enables a level of analysis and reporting which is important for addressing complex security incidents, thereby significantly improving the effectiveness of the system (100) in identifying, analyzing, and responding to threats within a virtualized environment.
In an embodiment, the interface enables complex analyses and the generation of extensive forensic reports through correlation with other forensic artifacts. By the capability of the interface to facilitate complex analyses and report generation, the utility of the system (100) in forensic investigations is significantly improved. By enabling the integration of the inspection device (104) with external digital forensic platforms, the system (100) allows for a broader analysis scope, incorporating various forensic artifacts, and aids in uncovering intricate details about security incidents, providing valuable insights for thorough investigations and informed decision-making.
In another embodiment, the integration of the virtual environment with the inspection device (104) via hypervisor-provided application programming interfaces (APIs) marks a significant improvement in the domain of forensic data acquisition. The utilization of the APIs as conduits for communication bridges the gap between the virtual environment and the inspection device, enabling a seamless flow of data for analysis. The said integration is vital for accessing and examining data layers at the hypervisor level without disrupting the operational state or security of the target VM. The strategic use of APIs ensures that the process of forensic data collection is both efficient and non-intrusive, preserving the authenticity and integrity of the data being analyzed. By keeping the current state of the target VM untouched, the system (100) ensures that forensic investigations can proceed without any risk of data alteration or tampering. The API-based approach upholds the sanctity of the forensic examination and ensures that the findings are reliable and actionable.
In a further embodiment, the hypervisor is selected from VMware, Xen, or KVM, and the APIs facilitate access to and analysis of low-level virtual machine states. The support for these specific hypervisors demonstrates the broad compatibility of the system (100) and its capacity to seamlessly integrate with established virtualization platforms. Through the APIs provided by the selected hypervisors, the system (100) gains the ability to delve into the low-level states of VMs. This granular access is vital for a thorough examination of VM operations within the virtualized environment.
The ability to access and analyze low-level VM states through the hypervisor APIs significantly amplifies the capabilities of the system (100) in forensic data acquisition. Access to and analysis of low-level states through the APIs opens up avenues for detecting subtle anomalies and indicators of compromise, such as unauthorized access attempts and other security threats which may not be visible at higher levels of abstraction. This deep-level scrutiny allows for an understanding of the security posture of the virtualized environment, providing forensic analyses which are both accurate and exhaustive.
In another embodiment, the inspection device (104) further employs one or more memory forensics techniques to retrieve volatile data from the target VM. The use of memory forensics techniques by the inspection device (104) underscores the approach of the system (100) to forensic data acquisition. Retrieving volatile data from the target VM provides vital information which may not be preserved through standard data capture methods. The retrieved volatile data comprises data present in memory of the system (100) at the time of the forensic analysis, offering insights into the state of the system (100) and its activities prior to the investigation.
FIG. 2 illustrates a method for forensic data acquisition through VMI, outlining a series of steps aimed at preserving the integrity of forensic investigations within virtualized environments. The method commences with step (202), initiating access to a target VM within a virtual environment from a first computing device (102). Step (202) is vital for establishing a baseline for forensic analysis, wherein the virtual environment comprises a hypervisor layer, pivotal for the subsequent forensic data acquisition process. The method further involves step (204), facilitating analysis of data at the hypervisor layer via the virtual environment without altering the current state of the target VM. Step (204) enables identification of unauthorized access attempts while maintaining the integrity of the forensic investigation. By ensuring that the current state of the target VM remains unaltered, step (204) preserves the authenticity of the data and prevents tampering, thereby improving the reliability of the forensic analysis.
Receiving a set of data processing input from a forensic data collector at an inspection device operatively coupled to the virtual environment constitutes another important step (206). Step (206) enables the inspection device to gather data for forensic analysis, including memory state snapshots, disk images, and network activity logs. The data collection facilitated by step (206) is foundational for a detailed and accurate forensic investigation. In step (208), capturing a memory state snapshot of the target VM via the hypervisor by the inspection device (104) without evidence tampering further exemplifies the method's commitment to data integrity. Step (208) ensures that the captured memory state reflects the actual condition of the target VM at the time of the investigation, free from any alterations which could compromise the forensic analysis.
The next step (210), retrieving a plurality of disk images from the target VM by the inspection device to preserve a complete state for an offline analysis, highlights the thoroughness of the method. Step (210) provides a dataset which is available for detailed forensic examination, enabling investigators to reconstruct the state of the target VM and analyze security breaches. Tracking and documenting network traffic within the virtual environment by the inspection device (104) to provide visibility into the network activity of the target VM is another step (212). Step (212) enables the identification of anomalous network behaviors which may indicate security incidents, enriching the forensic analysis with valuable insights into the network operations of the target VM.
At step (214), generating a network activity log based on the tracked network traffic by the inspection device (104) is vital for documenting and analyzing network-related forensic data. Step (214) provides detailed records of network activities which are available for forensic examination, aiding in the detection and analysis of network-based threats and anomalies. In step (216), storing the captured memory state snapshot and the retrieved disk images in a storage unit (106) operatively connected to the inspection device (104) and the virtual environment ensures the preservation of forensic data. Step (216) is fundamental for maintaining a secure and accessible repository of the collected forensic evidence, facilitating subsequent analysis and investigations.
In step (218), storing the generated network activity log in the storage unit (106) further underscores the method's dedication to data preservation. Step (218) ensures that all relevant forensic data, including memory, disk, and network activities of the target VM, is securely stored and readily available for thorough forensic examination.
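The following is an added example, not code from the disclosure, that walks steps (208) through (218) of FIG. 2 end to end: memory snapshot, disk image retrieval, network traffic documentation, and storage of all three artifacts. The hypervisor is a constructed stand-in class with a made-up interface (`snapshot_memory`, `list_disks`, `read_disk`, `observe_traffic`), not the real VMware, Xen or KVM APIs, and all of the data it returns is sample data. The addition the disclosure's "without evidence tampering" goal calls for in practice is shown explicitly: every artifact is hashed as it enters the storage unit, the digests are written to a manifest, and a verification pass detects any later modification of the stored evidence.

```python
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path
from tempfile import TemporaryDirectory


class SimulatedHypervisor:
    """Constructed stand-in for the hypervisor API layer; returns sample data only."""

    def __init__(self):
        self.memory = b"\x7fELF" + bytes(range(256)) * 4          # constructed guest RAM
        self.disks = {"sda": b"DISK0" * 1024, "sdb": b"DISK1" * 512}  # constructed disk images
        self.flows = [                                             # constructed observed traffic
            {"ts": "2024-05-01T10:00:01Z", "src": "10.0.0.10", "dst": "10.0.0.5",
             "dport": 443, "bytes": 1200},
            {"ts": "2024-05-01T10:00:05Z", "src": "10.0.0.10", "dst": "198.51.100.7",
             "dport": 4444, "bytes": 600},
        ]

    def snapshot_memory(self, vm: str) -> bytes:   # step 208: guest RAM read via the hypervisor
        return self.memory

    def list_disks(self, vm: str) -> list:         # step 210: disks attached to the target VM
        return list(self.disks)

    def read_disk(self, vm: str, disk: str) -> bytes:
        return self.disks[disk]

    def observe_traffic(self, vm: str) -> list:    # step 212: traffic seen at the virtual layer
        return list(self.flows)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def store(storage: Path, rel: str, data: bytes, manifest: dict) -> None:
    """Write one artifact into the storage unit and record its digest (steps 216/218)."""
    path = storage / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    manifest["artifacts"][rel] = {"sha256": sha256_hex(data), "size": len(data)}


def acquire(hv, vm: str, storage: Path) -> dict:
    """Run steps 208-218 against a hypervisor-like backend; return the evidence manifest."""
    manifest = {"vm": vm, "acquired_at": datetime.now(timezone.utc).isoformat(),
                "artifacts": {}}
    store(storage, "memory.raw", hv.snapshot_memory(vm), manifest)              # step 208
    for disk in hv.list_disks(vm):                                               # step 210
        store(storage, f"disks/{disk}.img", hv.read_disk(vm, disk), manifest)
    lines = [json.dumps(flow, sort_keys=True) for flow in hv.observe_traffic(vm)]  # 212/214
    store(storage, "network_activity.log", ("\n".join(lines) + "\n").encode(), manifest)
    (storage / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify(storage: Path) -> list:
    """Recompute each digest recorded in manifest.json; return artifacts that no longer match."""
    manifest = json.loads((storage / "manifest.json").read_text())
    mismatched = []
    for rel, meta in manifest["artifacts"].items():
        path = storage / rel
        if not path.exists() or sha256_hex(path.read_bytes()) != meta["sha256"]:
            mismatched.append(rel)
    return sorted(mismatched)


def run_demo() -> dict:
    """Acquire into a temporary storage unit, verify, then alter one artifact and verify again."""
    with TemporaryDirectory() as tmp:
        storage = Path(tmp)
        manifest = acquire(SimulatedHypervisor(), "target-vm", storage)
        clean = verify(storage)
        with open(storage / "memory.raw", "ab") as fh:   # simulated post-acquisition alteration
            fh.write(b"\x00")
        tampered = verify(storage)
    return {"artifact_count": len(manifest["artifacts"]), "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is the piece that makes the stored snapshot, disk images and log usable as evidence: a verification immediately after acquisition returns no mismatches, and the single appended byte in the demo is reported as a mismatch on `memory.raw` alone, so an investigator can tell which artifact was altered rather than only that something changed. In a real deployment the manifest itself would be signed or stored separately from the evidence it describes.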
FIG. 3 illustrates the architecture of a VMI-based forensic data acquisition system, in accordance with the embodiments of the present disclosure. The VMI-based forensic data acquisition system is considered to gather forensic data from a virtual environment securely. The Forensic Management block comprises a Forensic Controller and a Forensic Data Collector. The Forensic Controller likely represents the command and control center for the forensic process, handling the initiation and management of the data acquisition task. The Forensic Data Collector, connected to the Forensic Controller, symbolizes the mechanism which collects the forensic data from the virtual environment.
In the center is the Virtual Environment block, which showcases a Target VM. The Virtual Environment is the environment where the virtual machine operates and from which forensic data is to be acquired. The Virtual Environment indicates the layer of the system (100) where the VM resides and where data at the hypervisor layer can be accessed and analyzed without altering the current state of the VM, which is important for preserving the integrity of forensic evidence.
Further, the Storage block comprises Evidence Storage, intended to store forensic data such as the memory state snapshots and disk images captured by the inspection device, and Log Storage, dedicated to storing logs related to network activity which provide insights into memory, disk, and network activities of the Target VM. The arrows indicate the flow of data from the Forensic Data Collector to the Target VM and from there to both the Evidence Storage and Log Storage, suggesting that data is collected, analyzed, and then preserved. The said architecture reflects the system (100) described in the independent embodiment, where a first computing device (102) houses the virtual environment with the target VM, and the inspection device (104) is responsible for capturing data and preserving it in a storage unit (106). The system (100) enables the capture of a memory state snapshot and disk images from the target VM, and the generation of a network activity log, all without compromising the integrity of the data or altering the state of the target VM.
The present disclosure utilizes VMI, which allows for the examination and collection of digital evidence directly from virtual machines without altering their operation. VMI is more discreet than traditional methods, letting analysts access system data at a deeper level, which is especially valuable for capturing volatile information that could otherwise be lost. VMI also retrieves disk images for detailed offline analysis and increases visibility into VM network activity, bypassing any compromised monitoring systems. These capabilities are required for identifying cyber threats and conducting non-intrusive investigations. Besides forensics, VMI is used for malware detection and proactive threat hunting, using mechanisms that spot unusual behaviour, which helps prevent data breaches and mitigate the damage of cyberattacks.
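The paragraph above, and claim 2 below, describe spotting unusual behaviour by checking the collected data against preset behaviour patterns. The following Python example is added to make that concrete for the network activity log; it is not code from the patent and makes its own assumptions: a simple one-line-per-flow log format, a baseline consisting of expected peer networks, expected destination ports and a per-peer outbound volume ceiling, and constructed log lines (addresses in documentation ranges, not captured traffic).

```python
"""Added example: flagging deviations from a preset behaviour pattern in a
network activity log of the kind the inspection device would produce.
The log format and the baseline are assumptions for this example; the log
lines are constructed, not captured traffic."""
import ipaddress
from collections import defaultdict

# Preset behaviour pattern for the target VM (hypothetical baseline).
BASELINE = {
    "allowed_nets": [ipaddress.ip_network("10.0.0.0/24")],   # expected peers
    "allowed_ports": {53, 443},                               # expected services
    "max_bytes_per_dst": 1_000_000,                           # outbound volume ceiling per peer
}

# Constructed log lines: "<timestamp> <vm> <src>:<port> -> <dst>:<port> <proto> <bytes>"
SAMPLE_LOG = [
    "2024-04-26T10:00:01Z target-vm 10.0.0.5:44321 -> 10.0.0.10:443 tcp 1200",
    "2024-04-26T10:00:02Z target-vm 10.0.0.5:44322 -> 10.0.0.53:53 udp 80",
    "2024-04-26T10:00:05Z target-vm 10.0.0.5:44323 -> 198.51.100.7:8443 tcp 600000",
    "2024-04-26T10:00:09Z target-vm 10.0.0.5:44324 -> 198.51.100.7:8443 tcp 600000",
]


def parse_line(line: str) -> dict:
    """Split one log line into its fields; raises ValueError on a malformed line."""
    ts, vm, src, arrow, dst, proto, nbytes = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": ts, "vm": vm, "src": src, "proto": proto,
        "dst_ip": ipaddress.ip_address(dst_ip),
        "dst_port": int(dst_port),
        "bytes": int(nbytes),
    }


def find_deviations(lines, baseline=BASELINE) -> list:
    """Return (timestamp, reason, detail) tuples for every line or peer that
    breaks the baseline. Per-line checks fire immediately; the volume check
    is aggregated per destination over the whole log, so a series of
    individually small transfers to one peer is still caught."""
    alerts = []
    volume = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if not any(rec["dst_ip"] in net for net in baseline["allowed_nets"]):
            alerts.append((rec["ts"], "unexpected_destination", str(rec["dst_ip"])))
        if rec["dst_port"] not in baseline["allowed_ports"]:
            alerts.append((rec["ts"], "unexpected_port", str(rec["dst_port"])))
        volume[rec["dst_ip"]] += rec["bytes"]
    for ip, total in volume.items():
        if total > baseline["max_bytes_per_dst"]:
            alerts.append(("aggregate", "excessive_volume", f"{ip} sent {total} bytes"))
    return alerts


if __name__ == "__main__":
    for alert in find_deviations(SAMPLE_LOG):
        print(*alert)
```

Because the log is produced at the hypervisor layer rather than inside the guest, the checks run on traffic the guest cannot hide from an in-guest agent; the same comparison against a baseline can be applied to process lists from the memory snapshot or file hashes from the disk image, which is what claim 2 covers in general.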
Throughout the present disclosure, the term “computing device” relates to an electronic device, including, but not limited to, a cellular phone, a smart phone, a personal digital assistant (PDA), a handheld device, a wireless modem, a laptop, a computer, a server, a personal computer, a work station, a mobile terminal, a subscriber station, a remote station, a user terminal, a terminal, a subscriber unit, an access terminal, a wearable computer, a wearable computing device, a smart watch, etc. The computing device may include a casing, a memory, a processor, a network interface card, a microphone, a speaker, a keypad, and a display.
Throughout the present disclosure, the term ‘processing means’ or ‘microprocessor’ or ‘processor’ or ‘processors’ includes, but is not limited to, a microprocessor, a microcontroller, a complex instruction set computing (CISC) microprocessor, a reduced instruction set computing (RISC) microprocessor, a very long instruction word (VLIW) microprocessor, or any other type of processing circuit.
In an aspect, any one or a combination of machine learning mechanisms such as decision tree learning, Bayesian networks, deep learning, random forests, support vector machines, reinforcement learning, prediction models, statistical algorithms, classification, logistic regression, linear discriminant analysis, k-nearest neighbours, decision trees, regression, linear regression, support vector regression, ridge regression, partial least-squares regression, non-linear regression, clustering, hierarchical clustering (agglomerative), hierarchical clustering (divisive), k-means clustering, k-nearest neighbours clustering, EM (expectation maximization) clustering, principal components analysis (PCA) clustering, dimensionality reduction, non-negative matrix factorization (NMF), kernel PCA, linear discriminant analysis (LDA), generalized discriminant analysis, ensemble algorithms, AutoML and the like can be employed to learn sensor/hardware components.
The terms “non-transitory storage device,” “storage,” or “memory,” as used herein, relate to random access memory, read-only memory and variants thereof, in which a computer can store data or software for any duration.
In the description of the present invention, it is also to be noted that, unless otherwise explicitly specified or limited, the terms “disposed,” “mounted,” and “connected” are to be construed broadly, and may for example be fixedly connected, detachably connected, or integrally connected, either mechanically or electrically. They may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meaning of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Modifications to embodiments and combinations of different embodiments of the present disclosure described in the foregoing are possible without departing from the scope of the present disclosure as defined by the accompanying claims. Expressions such as “including”, “comprising”, “incorporating”, “have”, and “is”, used to describe and claim the present disclosure, are intended to be construed in a non-exclusive manner, namely allowing for items, components or elements not explicitly described also to be present. Reference to the singular is also to be construed to relate to the plural where appropriate.
Although embodiments have been described with reference to a number of illustrative embodiments thereof, it should be understood that numerous other modifications and embodiments can be devised by those skilled in the art that will fall within the spirit and scope of the principles of the disclosure. More particularly, various variations and modifications are possible in the component parts and/or arrangements of the subject combination arrangement within the scope of the present disclosure, the drawings and the appended claims. In addition to variations and modifications in the component parts and/or arrangements, alternative uses will also be apparent to those skilled in the art.
I/We claim:
1. A system (100) for forensic data acquisition through virtual machine introspection (VMI), the system (100) comprising:
a first computing device (102) comprising:
a virtual environment which comprises a target virtual machine (VM), wherein the virtual environment facilitates access to and analysis of data at a hypervisor layer without altering a current state of the target VM to identify an unauthorized access attempt;
an inspection device (104) operatively coupled to the virtual environment, wherein the inspection device (104) receives a set of data processing input from a forensic data collector to:
capture a memory state snapshot of the target VM via the hypervisor without evidence tampering;
retrieve a plurality of disk images from the target VM to preserve a complete state for an offline analysis; and
provide visibility into network activity of the target VM by tracking and documenting the network traffic within the virtual environment and generate a network activity log;
a storage unit (106) operatively connected to the inspection device (104) and the virtual environment, wherein the storage unit (106) is arranged to:
store the captured memory state snapshot and the retrieved disk images by the inspection device (104); and
store the generated network activity log indicative of memory, disk, and network activities of the target VM.
2. The system (100) of claim 1, wherein the inspection device (104) comprises a processing module to detect deviations from the preset behavior patterns within the virtualized environment by analysing the captured memory state snapshot, the retrieved disk images and the generated network activity log.
3. The system (100) of claim 1, wherein the processing module transmits an alert notification to the inspection device (104), upon the detected deviations, wherein the detected deviations are selected from the malware infections, the insider threats, and the unauthorized access attempts.
4. The system (100) of claim 2, wherein the processing module utilizes a machine learning technique for detecting the deviations.
5. The system (100) of claim 1, further comprising an interface for integrating the inspection device (104) with one or more external digital forensic platforms.
6. The system (100) of claim 5, wherein the interface enables complex analyses and the generation of extensive forensic reports through correlation with other forensic artifacts.
7. The system (100) of claim 1, wherein the virtual environment is integrated with the inspection device (104) through application programming interfaces (APIs) provided by the hypervisor.
8. The system (100) of claim 1, wherein the hypervisor is selected from VMware, Xen, or KVM, and wherein the APIs facilitate access and analysis of low-level virtual machine states.
9. The system (100) of claim 1, wherein the inspection device (104) further employs one or more memory forensics techniques to retrieve volatile data from the target VM.
10. A method for forensic data acquisition through virtual machine introspection (VMI), the method comprising:
initiating, on a first computing device (102), access to a target virtual machine (VM) within a virtual environment, wherein the virtual environment comprises a hypervisor layer;
facilitating, via the virtual environment, analysis of data at the hypervisor layer without altering a current state of the target VM to identify an unauthorized access attempt;
receiving, at an inspection device (104) operatively coupled to the virtual environment, a set of data processing input from a forensic data collector;
capturing, by the inspection device (104) via the hypervisor, a memory state snapshot of the target VM without evidence tampering;
retrieving, by the inspection device (104), a plurality of disk images from the target VM to preserve a complete state for an offline analysis;
tracking and documenting, by the inspection device (104), network traffic within the virtual environment to provide visibility into network activity of the target VM;
generating, by the inspection device (104), a network activity log based on the tracked network traffic;
storing, in a storage unit (106) operatively connected to the inspection device (104) and the virtual environment, the captured memory state snapshot and the retrieved disk images; and
storing, in the storage unit (106), the generated network activity log indicative of memory, disk, and network activities of the target VM.
| # | Name | Date |
|---|---|---|
| 1 | 202421033148-OTHERS [26-04-2024(online)].pdf | 2024-04-26 |
| 2 | 202421033148-FORM FOR SMALL ENTITY(FORM-28) [26-04-2024(online)].pdf | 2024-04-26 |
| 3 | 202421033148-FORM 1 [26-04-2024(online)].pdf | 2024-04-26 |
| 4 | 202421033148-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [26-04-2024(online)].pdf | 2024-04-26 |
| 5 | 202421033148-EDUCATIONAL INSTITUTION(S) [26-04-2024(online)].pdf | 2024-04-26 |
| 6 | 202421033148-DRAWINGS [26-04-2024(online)].pdf | 2024-04-26 |
| 7 | 202421033148-DECLARATION OF INVENTORSHIP (FORM 5) [26-04-2024(online)].pdf | 2024-04-26 |
| 8 | 202421033148-COMPLETE SPECIFICATION [26-04-2024(online)].pdf | 2024-04-26 |
| 9 | 202421033148-FORM-9 [07-05-2024(online)].pdf | 2024-05-07 |
| 10 | 202421033148-FORM 18 [08-05-2024(online)].pdf | 2024-05-08 |
| 11 | 202421033148-FORM-26 [12-05-2024(online)].pdf | 2024-05-12 |
| 12 | 202421033148-FORM 3 [13-06-2024(online)].pdf | 2024-06-13 |
| 13 | 202421033148-RELEVANT DOCUMENTS [17-04-2025(online)].pdf | 2025-04-17 |
| 14 | 202421033148-POA [17-04-2025(online)].pdf | 2025-04-17 |
| 15 | 202421033148-FORM 13 [17-04-2025(online)].pdf | 2025-04-17 |
| 16 | 202421033148-FER.pdf | 2025-08-12 |
| 17 | 202421033148-FORM-8 [16-10-2025(online)].pdf | 2025-10-16 |
| 18 | 202421033148-FER_SER_REPLY [16-10-2025(online)].pdf | 2025-10-16 |
| 19 | 202421033148-DRAWING [16-10-2025(online)].pdf | 2025-10-16 |
| 20 | 202421033148-CORRESPONDENCE [16-10-2025(online)].pdf | 2025-10-16 |
| 21 | 202421033148-COMPLETE SPECIFICATION [16-10-2025(online)].pdf | 2025-10-16 |
| 22 | 202421033148-CLAIMS [16-10-2025(online)].pdf | 2025-10-16 |
| 1 | 202421033148_SearchStrategyNew_E_searchE_06-08-2025.pdf | |