A Survey of Hypervisor Forensic in Cloud Computing

DOI : 10.17577/IJERTV4IS050822

Download Full-Text PDF Cite this Publication

Text Only Version

A Survey of Hypervisor Forensic in Cloud Computing

Lalit Mohan Joshi1, Dr. Rajendra Bharti2

1M Tech scholar, 2Assistant Professor Department of Computer Science and Engineering

Bipin Tripathi Kumaon Institute of Technology Dwarahat,Uttarakhand(India)263653

Abstract-Hypervisor in cloud computing is an emerging technique of forensic, where users can leverage the computing infrastructure as a service as a infrastructure stack or commodity. The Privacy, durability and security concerns of this infrastructure arising from the large collocations of tentants are, however Pose and Significant considerable challenges in its widespread deployment. The current and new work address in one aspect of the security problem by facilitating forensic investigation to determine and deploy if the other tentants maliciously violated these virtual tentant spaces. It present the design, application and limitations of a Hypervisor types those are applicable and usable for different parameters and areas. The limitations of a software prototype in terms of the Hypervisor is called the Virtual Machine. Nature of hypervisor for different paradigm is also approached. A discussion on hypervisor with different types with their working nature is also provided.


A hypervisor or Virtual machine monitor (VMM) or Virtual Machine Manager is defind as the piece of computer software. It can be refered as firmware or hardware that creates and runs virtual machines

A hypervisor is like an operating system, it refer that it knows how to act as a traffic cop to make things happen in a manner as a sequentially order. The hypervisor lies at the lowest levels of the hardware environment. Reason behind in cloud computing you need to support many different operating environments, the hypervisor treats like an ideal delivery mechanism.

Without having to physically copy that application onto each system, the hypervisor lets you show the same application on lots of systems. One twist: Due to the hypervisor architecture, it can load any (or many) different operating system as though it were just another application. So For getting things virtualized quickly, rapidly, beneficiary and efficiently, the use of hypervisor is a very practically in a manner

A hypervisor runs on a computer which may be one or more virtual machines is defined as a HOST MACHINE.

Each virtual machine is called a GUEST MACHINE. The guest operating systems is presented by the Hypervisor with a virtual operating platform and execution of the guest operating systems is managed by the Hypervisor. The virtualized hardware resources may shared by the multiple instances of a variety of operating systems.

A hypervisor, is defind as a program that allows multiple operating systems to share a single hardware host. Each operating system appears to have the host's processor, memory, and other resources all to itself. Hypervisor is used to a controls the resource and host processor, allocating what is needed to each operating system in turn and making sure that the guest operating systems(called virtual machines) cannot disrupt each other.


You must understand the nature of the hypervisor-How it works, How it can be applied and rather than like the Windows operating system Its designed like a mainframe OS.

The hypervisor therefore schedules the amount of access that guest OS have to everything from the CPU; to memory; to disk I/O; and to any other I/O mechanisms.

With the help of virtualization technology, you can set up the hypervisor to split the physical computers resources. Resources can be split 50-50 or 80-20 between two guest OS,

For example-On the absence of the hypervisor, you simply cant do that with Windows.

The beauty and strength of this arrangement is that the hypervisor is capable to do all the heavy lifting.

The guest operating system doesnt care or it can have no idea regarding it that its running in a virtual partition; it thinks that it has a computer all to itself.

A Hypervisor-call handler is included by the Virtual Machine control program that intercepts DIAG ("Diagnose") instructions used within a virtual machine. Working of Hypervisor call Handler provides fast-path non-virtualized execution of file-system access and other

operations (DIAG is a model-dependent privileged instruction, not used in normal programming, and thus is not virtualized. Thats is why it is available for use as a signal to the "host" operating system).


There are different types of hypervisors those support different aspects of the cloud. Types of Hypervisors are following as:-

Native hypervisors:-Native Hypervisor defines as the hypervisor, which sit directly on the hardware platform those are most likely used to gain better performance for particular users. Native hypervisors run directly on the host's hardware to control the hardware as well as to manage guest operating systems. For this reason, they are sometimes called BARE METAL hypervisors.

Embedded hypervisors:-Embedded hypervisor defines as the hypervisor those are integrated into a processor on a separate chip. Use of this type of hypervisor is to gain performance after improvements for a service provider.

Hosted hypervisors:Hosted hypervisor defines as the hypervisor run as a distinct software layer above both the hardware and the OS. Use of this type of hypervisor is in private as well as public clouds for gaining performance after

improvements. On a conventional operating system Hosted hypervisor can run, like as the other computer programs do.

Fig.1-Native Hypervisor

Fig. 2-Hosted Hypervisor


4.1-Distributed Denial Of Service Attack with types:-

4.1.1-Tear Drop:-In this types of attack the attacker exploits the weakness of IP packet reassembly process by purposely sending packets with overlapping fragment offset field.

4.1.2-Jolt:-In this type of attack, In a target machine the attacker sends very large, fragmented ICMP packets .The target machine is unable to reassemble them for use in such a way that ICMP packets are fragmented.

4.1.3-Ping of Death:- In this type of attack the limit of single IP packet is up to 65536-bytes, the attacker can make the fragments add up to more than this value. ICMP associates these attacks up to the limit of 65536 bytes, but can contain any protocol.

4.1.4-Smurf:- In this type of attack the with spoofed source IP address of the victim the attacker sends many ICMP echo request packets. Victim receives all replies to this broadcast, resulting in DOS (Denial Of Service).

4.1.5-Bonk:- This type of attack is similar or we can say that it is a variant of the teardrop attack and used to manipulate the fragment offset field in TCP/IP packets. Bonk attack causes the target machine to reassemble a packet manipulates this number and that is much too big to be reassembled and causes the target computer to destroy or crash

4.1.6-Boink:- Boink attack is a modified version of the bonk attack, it allows UDP port ranges. It causes the target computer to crash and also manipulates the fragment offset field .

4.1.7-NewTear:- NewTear attack is a simply modified version of Teardrop which is used to increases the UDP header length field to twice the size of the packet, then changes padding length

4.2-Tools for data fusion-

4.2.1-Wireshark:- Wireshark is a network packet analyzer which is used to captures live network packet data as well a to display the packet data with protocol in a detailed manner as information.

4.2.2Snort:- It is defind as an open source NIDS(Network- based IDS tool) and able to analysis real-time traffic as well as performed it and on Internet Protocol (IP) networks logged in the packets

4.3-Study of Cloud:-

We will study about the cloud that how we will implement it for hypervisor forensic investigation,as we are survey about the Hypervisor forensic so we have to work with cloud after implementing it, After implementing the cloud we will use the tools for investigation

and to prevent our system from Distributed Denial of Service Attacks.

Cloud Forensics is a derived branch of digital forensics. Cloud forensics is digital forensics applied on cloud environment. Cloud forensics involves gathering information from cloud environment for the purpose of investigation.


In this paper, we introduced inverted pyramid approach,which gives the systematic procedure for Cloud and Network forensic investigator.This approach shows path for Network analysis,stymetric approach with log- filebased timestamps. There is a lot of research required in Cloud and Network Security before they can be accepted in court of law.

We discussed all challenges of hypervisor forensic in cloud computing investigation and proposed solutions addressing clarified challenges. The common cause between all these types of Hypervisor is mainly the lack of an inclusive global standard and origin, which leads to security and privacy issues, absence of a proper cloud deployment framework and confusion of computer forensic investigators about collecting/preserving evidences in such environments.

Furthermore, there is a huge demand for updating current computer forensic investigation methods, as the day by day technology improvements will make it completely out of day and useless in near future.


[1]. M. Rosenblum, E. Garfinkel, S. Devine, and S. A. Her- rod. Using the simos machine simulator to study complex computer systems. Modeling and Computer Simulation, 7(1):78103, 1997.

[2]. Cheng Yan, Cybercrime forensic system in cloud computing, Image Analysis and Signal Processing (IASP), 2011 International Conference on , vol., no., pp.612-615, 21-23 Oct. 2011, [URL] http://ieeexplore.ieee.org/search/srchabstract.jsp?arnumber


[3]. F. Xinwen, L. Zhen, Y. Wei, and L. Junzhou, "Cyber Crime Scene Investigations (C2;SI) through Cloud Computing," in IEEE 30th International Conference on Distributed Computing Systems Workshops (ICDCSW), 2010, 2010, pp. 26-31.

[4]. "Securing Virtualization in Real-World Environments," White paper, 2009.Rosenblum M. and Garfinkel T. Virtual machine monitors: current technology and future trends. Computer, 38(5):39 47, May 2005.

[5]. Renato J. Figueiredo, Peter A. Dinda, and J. Fortes. A case for grid computing on virtual machines. In ICDCS 03: Proceedings of the 23rd International Conference on Distributed Computing Systems, page 550, Washington, DC, USA, 2003. IEEE Computer Society.

[6]. J. Mutch, (2010), "How to Steal Data from the Cloud,"[Online]. Available: http://www.cloudbook.net/resources/stories/how-tosteal- data-from-the-cloud, [Oct. 15, 2014] [7]. N. L. Beebe and J. G. Clark, "A hierarchical, objectives-based framework for the digital investigations process," Digital Investigation, vol. 2, no. 2, pp. 147-167, 2005.

[8]. E. S. Pilli, R. C. Joshi, and R. Niyogi, "Network forensic frameworks: Survey and Research Challenges," Digital Investigation, vol. 7, no. 1/2, pp. 14-27, 2010.

Leave a Reply