[Libguestfs] [libguestfs] Libguestfs as filesystem forensic tool
Richard W.M. Jones
rjones at redhat.com
Wed Mar 2 15:53:48 UTC 2016
On Wed, Mar 02, 2016 at 05:47:40PM +0200, noxdafox wrote:
> Greetings,
>
> I am playing around with the idea of using libguestfs as a forensic
> tool to investigate VM disk images.
>
> Some use cases as example:
> * Sandbox for malware analysis.
> * Incident response in cloud environments.
>
> Libguestfs is a precious resource in this case as it allows to
> abstract the disk image internals and expose them as mountable
> devices.
>
> Combined with some state of the art tool such as The Sleuth Kit it
> would turn it into a pretty powerful forensic tool.
> http://www.sleuthkit.org/
>
> I played around with some proof-of-concept and the idea seems to work.
>
> The question I'd like to ask is if this feature would interest the
> libguestfs community or if I shall fork the project
> (libguestforensic?) and, if so, what is the preferable way to do it.
Actually I believe parts of libguestfs (and especially hivex) are
already used in this way.
Anyhow you're free to fork libguestfs provided you obey the license.
It may be easier/less work if you submit patches upstream where they
make sense for the upstream project, such as generally useful APIs
(like the ntfscat-i API).
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
More information about the Libguestfs
mailing list