HYPERVISOR-HOSTED VIRTUAL MACHINE FORENSICS
First Claim
1. A computer system configured to acquire forensics data from running virtual machines, the computer system comprising:
- a processor configured to execute computer-executable instructions; and
- memory storing computer-executable instructions configured to:
  - run a hypervisor that hosts a virtualization environment including a root virtual machine partition and one or more child virtual machine partitions;
  - provide a forensics partition that includes a forensics service application programming interface configured to target one or more virtual machines and acquire forensics data from a targeted virtual machine running in a particular child virtual machine partition via one or more inter-partition communication mechanisms supported by the virtualization environment hosted by the hypervisor; and
  - expose the forensics service application programming interface to a forensics tool as part of a cloud-based forensics service.
Abstract
A computer system acquires forensics data from running virtual machines in a hypervisor-hosted virtualization environment. The computer system provides a forensics partition as an additional root virtual machine partition or child virtual machine partition. The forensics partition includes a forensics service application programming interface configured to target one or more virtual machines and acquire forensics data from a targeted virtual machine running in a particular child virtual machine partition. The forensics service application programming interface is configured to communicate via one or more inter-partition communication mechanisms such as an inter-partition communication bus, a hypercall interface, or a forensics switch implemented by the hypervisor-hosted virtualization environment. The forensics service application programming interface can be exposed to a forensics tool as part of a cloud-based forensics service.
20 Claims
1. A computer system configured to acquire forensics data from running virtual machines, the computer system comprising:
- a processor configured to execute computer-executable instructions; and
- memory storing computer-executable instructions configured to:
  - run a hypervisor that hosts a virtualization environment including a root virtual machine partition and one or more child virtual machine partitions;
  - provide a forensics partition that includes a forensics service application programming interface configured to target one or more virtual machines and acquire forensics data from a targeted virtual machine running in a particular child virtual machine partition via one or more inter-partition communication mechanisms supported by the virtualization environment hosted by the hypervisor; and
  - expose the forensics service application programming interface to a forensics tool as part of a cloud-based forensics service.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. A computer-implemented method performed by a computer system to acquire forensics data from running virtual machines, the computer-implemented method comprising:
- implementing a hypervisor-hosted virtualization environment that includes a root virtual machine partition and one or more child virtual machine partitions;
- providing a forensics partition that includes a forensics service application programming interface configured to target one or more virtual machines and acquire forensics data from a targeted virtual machine running in a particular child virtual machine partition via one or more inter-partition communication mechanisms supported by the virtualization environment hosted by the hypervisor; and
- exposing the forensics service application programming interface to a forensics tool as part of a cloud-based forensics service.

Dependent claims: 11, 12, 13, 14, 15, 16, 17

18. A computer-readable storage medium storing computer-executable instructions that, when executed by a computer system, cause the computer system to implement:
- a hypervisor-hosted virtualization environment including a root virtual machine partition and one or more child virtual machine partitions; and
- a forensics partition that includes a forensics service application programming interface configured to target one or more virtual machines and acquire forensics data from a targeted virtual machine running in a particular child virtual machine partition via one or more inter-partition communication mechanisms supported by the hypervisor-hosted virtualization environment, wherein the forensics service application programming interface is exposed to a forensics tool as part of a cloud-based forensics service.

Dependent claims: 19, 20

Specification