(Short Paper) Evidence Collection and Preservation System with Virtual Machine Monitoring

Publication Year: 2021

Abstract

In system audit and verification, it is important to securely collect and preserve evidence of execution environments, execution processes, and program execution results. Evidence-based verification of program processes ensures their authenticity; for example, it confirms that the processes include no altered or infected program library. This paper proposes a solution for collecting evidence on program libraries based on a Virtual Machine Monitor (VMM). The solution can address the semantic gap by obtaining library file path names. This paper also shows a way to obtain hash values of library files from a guest OS. Furthermore, this paper provides examples of evidence on program execution and the overhead of the solution.

Details

Database: OAIster
Notes: Nakamura, Toru; Ito, Hiroshi; Kiyomoto, Shinsaku; Yamauchi, Toshihiro
Publication Type: Electronic Resource
Accession number: edsoai.on1375192021
Document Type: Electronic Resource