As datacenter solutions become predominantly virtual-machine based, incident responders in traditional enterprise information technology environments, as well as in cloud service provider environments, will face great challenges in conducting forensic acquisition and analysis at scale.
Traditional forensic tools work at the host level, typically in user mode, acquiring artifacts from the filesystem and memory through user-mode techniques and application programming interfaces (APIs) or, in some cases, through kernel-mode drivers or shims. These traditional solutions do not scale in large datacenter environments, and because they run inside the same operating system they examine, they can be compromised and thwarted by more sophisticated malware that employs anti-forensics capabilities and techniques.
In a small enterprise environment, security investigation and forensic analysis can be performed on a host-by-host basis using conventional tools for forensic acquisition and analysis. A security investigation of a cloud service, by contrast, may require gathering data from hundreds of hosts for analysis. Visiting each host individually to perform forensic acquisition or analysis in such environments is untenable.
Some conventional tools load an agent on every host in the environment and use a centralized controller to reach out to the agents to acquire forensic data and artifacts. However, deploying and maintaining an agent on every host does not scale well.
Furthermore, forensic acquisition and analysis of stored data (such as disk images) does not capture the live memory or the current execution state of a running virtual machine.