converting save/dump output into physical memory image

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



A lot of people in the security community, myself included, are
interested in memory forensics these days.  Virtualization is a natural
fit with memory forensics because it allows one to get access to a
guest's memory without having to introduce any extra software into the
guest or otherwise interfere with it.  Incident responders are
particularly interested in getting memory dumps from systems they're
investigating.

Virsh has "save" and "dump" commands for storing the state of a guest to
a file on disk, but memory of KVM guests doesn't get saved in the
"standard" input format for memory forensics tools, which is a raw
physical memory image.  (This is what you'd get via the classical "dd
/dev/mem" approach or the contemporary equivalent using the crash
driver; and VMware Server and Workstation produce .vmem files, which are
such raw physical memory images, when a guest is paused or snapshotted.)

In order to analyze the memory of Libvirt/KVM guests with my Linux
memory forensics software, Second Look, I've created a tool for
converting Libvirt-QEMU-save files (output of virsh save command) or
QEMU-savevm files (output of virsh dump command) to raw physical memory
images.

I've got a basic working capability, though I'm still tracking down some
problems with a guest allocated 8GB RAM--not all the memory seems to be
present in the save or dump file.  And I haven't tested very extensively
yet, version support is limited to what I myself am currently running, etc.

I'd like to know if this is a capability that others are interested in.
 Is this something that would be of interest to the Libvirt project if I
were to contribute the code, or to the KVM project, or do you think it
best exists as a separate project?

I've also got a proof-of-concept tool for converting hibernate images to
raw physical memory images.  Perhaps a collection of tools for
converting various memory dump formats would be a good project.  Anyone
else interested in this kind of stuff?  As an author of commercial
memory forensics software I've got a vested interest in availability of
good memory acquisition capabilities.  But there are a number of people
working on FOSS Linux memory analysis tools, too...

Andrew

Attachment: signature.asc
Description: OpenPGP digital signature


[Index of Archives]     [Virt Tools]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux