HYPERVISOR-HOSTED VIRTUAL MACHINE FORENSICS

US 20160034295A1
Filed: 07/22/2015
Published: 02/04/2016
Est. Priority Date: 07/30/2014
Status: Active Grant

First Claim

Patent Images

1. A computer system configured to acquire forensics data from running virtual machines, the computer system comprising:

a processor configured to execute computer-executable instructions; and

memory storing computer-executable instructions configured to;

run a hypervisor that hosts a virtualization environment including a root virtual machine partition and one or more child virtual machine partitions;

provide a forensics partition that includes a forensics service application programming interface configured to target one or more virtual machines and acquire forensics data from a targeted virtual machine running in a particular child virtual machine partition via one or more inter-partition communication mechanisms supported by the virtualization environment hosted by the hypervisor; and

expose the forensics service application programming interface to a forensics tool as part of a cloud-based forensics service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system acquires forensics data from running virtual machines in a hypervisor-hosted virtualization environment. The computer system provides a forensics partition as an additional root virtual machine partition or child virtual machine partition. The forensics partition includes a forensics service application programming interface configured to target one or more virtual machines and acquire forensics data from a targeted virtual machine running in a particular child virtual machine partition. The forensics service application programming interface is configured to communicate via one or more inter-partition communication mechanisms such as an inter-partition communication bus, a hyercall interface, or forensics switch implemented by the hypervisor-hosted virtualization environment. The forensics service application programming interface can be exposed to a forensics tool as part of a cloud-based forensics service.

103 Citations

View as Search Results

20 Claims

1. A computer system configured to acquire forensics data from running virtual machines, the computer system comprising:
- a processor configured to execute computer-executable instructions; and
  
  memory storing computer-executable instructions configured to;
  
  run a hypervisor that hosts a virtualization environment including a root virtual machine partition and one or more child virtual machine partitions;
  
  provide a forensics partition that includes a forensics service application programming interface configured to target one or more virtual machines and acquire forensics data from a targeted virtual machine running in a particular child virtual machine partition via one or more inter-partition communication mechanisms supported by the virtualization environment hosted by the hypervisor; and
  
  expose the forensics service application programming interface to a forensics tool as part of a cloud-based forensics service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer system of claim 1, wherein the forensics partition is implemented as an additional root partition that is more privileged than each of the one or more child virtual machine partitions.
  - 3. The computer system of claim 1, wherein the forensics partition is implemented as an additional child virtual machine partition.
  - 4. The computer system of claim 1, wherein the one or more inter-partition communication mechanisms include an inter-partition bus that is implemented by the forensics partition and the particular child virtual machine partition.
  - 5. The computer system of claim 1, wherein the one or more inter-partition communication mechanisms include a hypercall interface that is implemented by the forensics partition and that is configured to invoke a hypercalls application programming interface of the hypervisor.
  - 6. The computer system of claim 1, wherein the one or more inter-partition communication mechanisms include a forensics switch that is implemented by the root virtual machine partition and that interconnects the forensics service application programming interface and the particular child virtual machine partition.
  - 7. The computer system of claim 6, wherein the memory further stores computer-executable instructions configured to:
    - dynamically add a forensics interface to a child virtual machine partition; and
      
      connect the forensics switch to the forensics interface.
  - 8. The computer system of claim 1, wherein the forensics service application programming interface is configured to convert a call from the forensics tool into a call supported by the one or more inter-partition communication mechanisms.
  - 9. The computer system of claim 1, wherein the forensics data includes one or more of:
    - filesystem artifacts, network artifacts, memory artifacts, and event log artifacts.

10. A computer-implemented method performed by a computer system to acquire forensics data from running virtual machines, the computer-implemented method comprising:
- implementing a hypervisor-hosted virtualization environment that includes a root virtual machine partition and one or more child virtual machine partitions;
  
  providing a forensics partition that includes a forensics service application programming interface configured to target one or more virtual machines and acquire forensics data from a targeted virtual machine running in a particular child virtual machine partition via one or more inter-partition communication mechanisms supported by the virtualization environment hosted by the hypervisor; and
  
  exposing the forensics service application programming interface to a forensics tool as part of a cloud-based forensics service.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The computer-implemented method of claim 10, wherein the forensics partition is implemented as an additional root partition that is more privileged than each of the one or more child virtual machine partitions.
  - 12. The computer-implemented method of claim 10, wherein the forensics partition is implemented as an additional child virtual machine partition.
  - 13. The computer-implemented method of claim 10, further comprising:
    - communicating a request for forensics data between the forensics service application and the targeted virtual machine over an inter-partition bus that is implemented by the forensics partition and the particular child virtual machine partition.
  - 14. The computer-implemented method of claim 10, further comprising:
    - communicating a request for forensics data between the forensics service application and the targeted virtual machine using a hypercall interface that is implemented by the forensics partition and that is configured to invoke a hypercalls application programming interface of the hypervisor.
  - 15. The computer-implemented method of claim 10, further comprising:
    - communicating a request for forensics data between the forensics service application and the targeted virtual machine through a forensics switch that is implemented by the root virtual machine partition and that interconnects the forensics service application programming interface and the particular child virtual machine partition.
  - 16. The computer-implemented method of claim 15, further comprising;
    - dynamically adding a forensics interface to a child virtual machine partition; and
      
      connecting the forensics switch to the forensics interface.
  - 17. The computer-implemented method of claim 10, wherein the forensics data includes one or more of:
    - filesystem artifacts, network artifacts, memory artifacts, and event log artifacts.

18. A computer-readable storage medium storing computer-executable instructions that, when executed by a computer system, cause the computer system to implement:
- a hypervisor-hosted virtualization environment including a root virtual machine partition and one or more child virtual machine partitions; and
  
  a forensics partition that includes a forensics service application programming interface configured to target one or more virtual machines and acquire forensics data from a targeted virtual machine running in a particular child virtual machine partition via one or more inter-partition communication mechanisms supported by the hypervisor-hosted virtualization environment, wherein the forensics service application programming interface is exposed to a forensics tool as part of a cloud-based forensics service.
- View Dependent Claims (19, 20)
- - 19. The computer-readable storage medium of claim 18, wherein the one or more inter-partition communication mechanisms include at least one of:
    - an inter-partition bus that is implemented by the forensics partition and the particular child virtual machine partition, anda hypercall interface that is implemented by the forensics partition and that is configured to invoke a hypercalls application programming interface of the hypervisor.
  - 20. The computer-readable storage medium of claim 18, further storing computer-executable instructions that, when executed by the computer system, cause the computer system to implement:
    - a forensics switch within the root virtual machine partition, wherein the forensics switch interconnects the forensics service application programming interface and the particular child virtual machine partition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Cochran, Jerry

Granted Patent

US 9,851,998 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5077   Logical partitioning of res...

Y02D 10/00   Energy efficient computing,...

HYPERVISOR-HOSTED VIRTUAL MACHINE FORENSICS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

103 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

HYPERVISOR-HOSTED VIRTUAL MACHINE FORENSICS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links