On 05/05/2011 11:56 AM, Andrew Tappert wrote:
>
> A lot of people in the security community, myself included, are
> interested in memory forensics these days. Virtualization is a natural
> fit with memory forensics because it allows one to get access to a
> guest's memory without having to introduce any extra software into the
> guest or otherwise interfere with it. Incident responders are
> particularly interested in getting memory dumps from systems they're
> investigating.
>
> Virsh has "save" and "dump" commands for storing the state of a guest to
> a file on disk, but memory of KVM guests doesn't get saved in the
> "standard" input format for memory forensics tools, which is a raw
> physical memory image. (This is what you'd get via the classical "dd
> /dev/mem" approach or the contemporary equivalent using the crash
> driver; and VMware Server and Workstation produce .vmem files, which are
> such raw physical memory images, when a guest is paused or snapshotted.)

Libvirt also has the virDomainMemoryPeek API; right now, it is not
exposed by virsh, but we could add a command-line interface for it if
that proves useful. Does that API fit your needs any better than
converting a qemu dump image back into raw memory?

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
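Eric's suggestion above, worked out as an added example (not code from the thread or from libvirt): a Python script that uses the libvirt binding's memoryPeek with VIR_MEMORY_PHYSICAL to acquire a guest's RAM as a raw physical memory image, chunk by chunk, and hashes it at acquisition time. The helper names, the 64 KiB chunk size, and taking the RAM size from dom.info() are my assumptions; the in-memory "guest" served by make_peek is constructed for the self-test, and the guest is suspended around the dump because peek reads a running system and would otherwise give a non-atomic image.

```python
import hashlib
import io
from typing import Callable

# A peek reader returns `length` bytes starting at guest-physical `offset`.
PeekFn = Callable[[int, int], bytes]
CHUNK = 64 * 1024  # assumed to sit under libvirt's per-call peek size limit


def dump_physical_memory(peek: PeekFn, size: int, out, chunk: int = CHUNK) -> str:
    """Copy `size` bytes of guest-physical memory into `out` (any object with
    write()), one chunk per peek call, and return the image's SHA-256 so the
    responder can record the hash of what was acquired."""
    digest = hashlib.sha256()
    offset = 0
    while offset < size:
        want = min(chunk, size - offset)
        data = peek(offset, want)
        if len(data) != want:  # a partial read would shift every later page
            raise IOError(f"short read at {offset:#x}: {len(data)} of {want} bytes")
        out.write(data)
        digest.update(data)
        offset += want
    return digest.hexdigest()


def dump_to_bytes(peek: PeekFn, size: int, chunk: int = CHUNK):
    """Collect the image in memory; returns (image_bytes, sha256_hex)."""
    buf = io.BytesIO()
    digest = dump_physical_memory(peek, size, buf, chunk)
    return buf.getvalue(), digest


def make_peek(image: bytes) -> PeekFn:
    """Constructed stand-in for a guest: serves peeks from a bytes object."""
    return lambda offset, length: image[offset:offset + length]


def dump_domain(uri: str, name: str, path: str) -> str:
    """Hypothetical helper: acquire a live guest's RAM through libvirt.
    Assumes RAM is mapped contiguously from address 0 (guests with a PCI
    hole need the real address layout); suspends the guest for consistency."""
    import libvirt  # imported here so the rest of the module runs without it
    dom = libvirt.open(uri).lookupByName(name)
    size = dom.info()[1] * 1024  # info()[1] is the current memory in KiB
    peek = lambda off, n: dom.memoryPeek(off, n, libvirt.VIR_MEMORY_PHYSICAL)
    dom.suspend()
    try:
        with open(path, "wb") as out:
            return dump_physical_memory(peek, size, out)
    finally:
        dom.resume()
```

The resulting file has the same layout a .vmem file has, so it can be fed to memory forensics tools that expect a raw physical image.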