
Reaching into virtual machines for forensic data

While the security of data and applications in the cloud is generally the responsibility of the tenant, it’s difficult for cybersecurity analysts to investigate data breaches in infrastructure-as-a-service platforms, where cloud service providers own the hardware and where processing, storage and resources are distributed.

Researchers at Sandia National Laboratories realized cybersecurity analysts working with on-premises or off-premises IaaS clouds were unable to gather enough data or artifacts from active virtual machines (VMs) in cloud systems to conduct digital forensic investigations and incident response in real time without disturbing the user environment or alerting intruders.

To address this gap, they developed the Cloud Hypervisor-forensics and Incident Response Platform. CHIRP gives analysts a way to extract data from cloud infrastructure at the hypervisor level.

Hypervisors traditionally provide a limited set of application programming interfaces to help software or security analysts access forensic information from the VMs. “We thought those APIs were not enough,” Sandia cybersecurity researcher Caleb Loverro said in a video. “That's why we created CHIRP -- to essentially be able to provide our own APIs. Being given full access to the hardware, we would actually have the same permissions as the hypervisor itself.”

The technology uses what the researchers call “virtual machine introspection” that reaches into the VM to collect data on processor registers, memory, disks, networking and any other hardware-level events critical for reconstructing events, files and operations, the researchers wrote in a 2016 paper. The VMI allows them “to take advantage of the hypervisor as an instrumentation platform and to integrate that data with more traditional collection mechanisms,” they wrote.

CHIRP’s in-depth, scalable VMI allows fast handling of events, as well as direct access to the VM in a safe, stable fashion, Sandia officials said in their description of the technology. Analysts can spot suspicious activities, track and record attacker actions for forensic analysis and retrieve materials transparently from the targeted machines automatically or on demand.

The goal of the program was to create a common information platform that collected data from all operating systems, all hypervisors, memory, disks and networks and normalized the information so security analysts could have real-time situational awareness, CHIRP Principal Investigator Vincent Urias said.

Those capabilities do not exist in the commercial space, fellow cybersecurity researcher William Stout said. “What makes this technology super novel and super exciting for us as defenders -- and for us as researchers who provide tools for defenders -- is [attackers] can no longer hide. We can see everything that they're doing, and we can pull out that information and feed it to people to take action now,” he said.

“I think the ultimate goal for a lot of this -- regardless of where you sit in government, industry or academia -- is to empower the analyst today,” Urias said. “They’re hamstringed, and we need to give them the power to take back the ability for them to do forensics and incident response when moving to the cloud.”

About the Author

Susan Miller is executive editor at GCN.

Over a career spent in tech media, Miller has worked in editorial, print production and online, starting on the copy desk at IDG’s ComputerWorld, moving to print production for Federal Computer Week and later helping launch websites and email newsletter delivery for FCW. After a turn at Virginia’s Center for Innovative Technology, where she worked to promote technology-based economic development, she rejoined what was to become 1105 Media in 2004, eventually managing content and production for all the company's government-focused websites. Miller shifted back to editorial in 2012, when she began working with GCN.

Miller has a BA and MA from West Chester University and did Ph.D. work in English at the University of Delaware.
