[libvirt-users] converting save/dump output into physical memory image

NoxDaFox noxdafox at gmail.com
Sat Jun 2 18:20:58 UTC 2012


Andrew Tappert <andrew at ...> writes:

> A lot of people in the security community, myself included, are
> interested in memory forensics these days.  Virtualization is a natural
> fit with memory forensics because it allows one to get access to a
> guest's memory without having to introduce any extra software into the
> guest or otherwise interfere with it.  Incident responders are
> particularly interested in getting memory dumps from systems they're
> investigating.

I am definitely interested in this concept!
I haven't played much yet with memory forensics tools (like Volatility), as at the
moment I'm focusing on other things, but I'm planning to switch to it in the very
near future.

As far as I know it's not possible to analyze the memory contained in libvirt
snapshots taken through qemu savevm.
This feature is really powerful from my perspective, as it atomically takes the
state of the whole machine: disk, memory, processes; everything is saved at the
same moment.

I am already able to get all the useful information from the disk state:
through the qemu convert I can get a qcow2 disk image containing the state of
the disk at the moment of the snapshot, and through libguestfs I can mount and
read this image to see FS changes.

I am looking for a similar solution for memory: given a snapshot taken
through the savevm command, I want to get a file to read through Volatility.
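The disk half of the workflow described in this mail, as an added example that is not part of the original message or of the libvirt/qemu projects: it resolves a savevm snapshot tag to its ID from `qemu-img snapshot -l`, exports the disk contents as of that snapshot to a standalone qcow2 with `qemu-img convert -l` (older qemu-img releases of the 2012 era used `-s snapshot_id_or_name` for the same thing), hashes the exported image for the evidence record, and lists its filesystem read-only with `virt-ls` from libguestfs. The snapshot listing embedded in the script is constructed sample text, and the tag and file names are placeholders. Note the caveat the mail itself raises: `qemu-img convert` writes out only the disk state; the VM state (memory) stored alongside an internal snapshot is not exported by this step.

```shell
#!/bin/sh
# Added example, not from the original mail or from libvirt/qemu. Assumes
# qemu-img and virt-ls (libguestfs) are installed when run for real.
set -eu

# Constructed sample of "qemu-img snapshot -l" output (not real data), used
# by demo() and by the tests so the parser can be exercised offline.
SAMPLE_LISTING='Snapshot list:
ID        TAG                 VM SIZE                DATE       VM CLOCK
1         pre-incident          512M 2012-06-02 18:20:58   00:05:12.345
2         clean                 512M 2012-06-01 09:00:00   00:00:30.000'

# Resolve a snapshot tag to its numeric ID.  Reads the listing on stdin,
# skips the two header lines, prints the ID of the first matching TAG
# column (or nothing if the tag is absent).
snapshot_id_for_tag() {
    awk -v tag="$1" 'NR > 2 && $2 == tag { print $1; exit }'
}

# Export the disk as it was at snapshot $2 of image $1 into $3.
# Refuses to run the conversion if the tag is not actually present, so a
# typo in the tag cannot silently export the *current* disk state instead.
export_snapshot_disk() {
    src=$1; tag=$2; out=$3
    id=$(qemu-img snapshot -l "$src" | snapshot_id_for_tag "$tag")
    if [ -z "$id" ]; then
        echo "snapshot '$tag' not found in $src" >&2
        return 1
    fi
    echo "exporting snapshot '$tag' (id $id) from $src to $out" >&2
    # -l selects an internal snapshot; only disk contents are written,
    # the saved VM state (memory) is not part of the output image.
    qemu-img convert -l "snapshot.name=$tag" -O qcow2 "$src" "$out"
    # Record a hash of the exported image before touching it further.
    sha256sum "$out" | tee "$out.sha256" >&2
}

# Read-only recursive listing of the exported image's filesystems via
# libguestfs (virt-ls inspects the guest and mounts it read-only itself).
list_snapshot_fs() {
    virt-ls -a "$1" -lR /
}

# Offline demonstration of the parser on the constructed listing.
demo() {
    printf '%s\n' "$SAMPLE_LISTING" | snapshot_id_for_tag pre-incident
}

# Usage: ./export_snapshot.sh vm.qcow2 pre-incident evidence-disk.qcow2
if [ -n "${3:-}" ]; then
    export_snapshot_disk "$1" "$2" "$3"
    list_snapshot_fs "$3"
fi
```

The tag lookup is deliberately strict (exact match on the TAG column, first hit wins) because `qemu-img convert` without a valid snapshot selector would happily export the live disk, which is not what an incident responder wants in the evidence chain.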
