A lot of people in the security community, myself included, are interested in memory forensics these days. Virtualization is a natural fit with memory forensics because it allows one to get access to a guest's memory without having to introduce any extra software into the guest or otherwise interfere with it. Incident responders are particularly interested in getting memory dumps from systems they're investigating. Virsh has "save" and "dump" commands for storing the state of a guest to a file on disk, but memory of KVM guests doesn't get saved in the "standard" input format for memory forensics tools, which is a raw physical memory image. (This is what you'd get via the classical "dd /dev/mem" approach or the contemporary equivalent using the crash driver; and VMware Server and Workstation produce .vmem files, which are such raw physical memory images, when a guest is paused or snapshotted.) In order to analyze the memory of Libvirt/KVM guests with my Linux memory forensics software, Second Look, I've created a tool for converting Libvirt-QEMU-save files (output of virsh save command) or QEMU-savevm files (output of virsh dump command) to raw physical memory images. I've got a basic working capability, though I'm still tracking down some problems with a guest allocated 8GB RAM--not all the memory seems to be present in the save or dump file. And I haven't tested very extensively yet, version support is limited to what I myself am currently running, etc. I'd like to know if this is a capability that others are interested in. Is this something that would be of interest to the Libvirt project if I were to contribute the code, or to the KVM project, or do you think it best exists as a separate project? I've also got a proof-of-concept tool for converting hibernate images to raw physical memory images. Perhaps a collection of tools for converting various memory dump formats would be a good project. Anyone else interested in this kind of stuff? As an author of commercial memory forensics software I've got a vested interest in availability of good memory acquisition capabilities. But there are a number of people working on FOSS Linux memory analysis tools, too... Andrew
Attachment:
signature.asc
Description: OpenPGP digital signature