Re: converting save/dump output into physical memory image

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, May 05, 2011 at 01:56:10PM -0400, Andrew Tappert wrote:
> 
> A lot of people in the security community, myself included, are
> interested in memory forensics these days.  Virtualization is a natural
> fit with memory forensics because it allows one to get access to a
> guest's memory without having to introduce any extra software into the
> guest or otherwise interfere with it.  Incident responders are
> particularly interested in getting memory dumps from systems they're
> investigating.
> 
> Virsh has "save" and "dump" commands for storing the state of a guest to
> a file on disk, but memory of KVM guests doesn't get saved in the
> "standard" input format for memory forensics tools, which is a raw
> physical memory image.  (This is what you'd get via the classical "dd
> /dev/mem" approach or the contemporary equivalent using the crash
> driver; and VMware Server and Workstation produce .vmem files, which are
> such raw physical memory images, when a guest is paused or snapshotted.)
> 
> In order to analyze the memory of Libvirt/KVM guests with my Linux
> memory forensics software, Second Look, I've created a tool for
> converting Libvirt-QEMU-save files (output of virsh save command) or
> QEMU-savevm files (output of virsh dump command) to raw physical memory
> images.
> 
> I've got a basic working capability, though I'm still tracking down some
> problems with a guest allocated 8GB RAM--not all the memory seems to be
> present in the save or dump file.  And I haven't tested very extensively
> yet, version support is limited to what I myself am currently running, etc.

KVM only allocates memory on demand, when the guest touches the page,
so the data will almost certainly be sparse.

FWIW, the 'crash' tool has been taught how to understand the output
of 'virsh dump' for Linux guests. I agree, it could be nice to have
a raw memory dump though, instead of the KVM save format, at least
as an option.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Index of Archives]     [Virt Tools]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux