Aw: Re: [Vol-users] KVM and Memory Dump

chris-2012 at arcor.de chris-2012 at arcor.de
Fri Oct 4 02:50:06 CDT 2013


Hi Guanglin, 

thank you for your reply! I'm an absolute newbie, so my questions are probably a bit tedious.

> > Libvmi seems a bit complicated to install, at least compared to the
> > vboxmanage debugvm command. Is libvmi required for KVM or is it possible
> > to use virsh dump?
> >
> You should use LibVMI just for "online live" forensics over a virtual
> machine.
> 
> If you merely need an offline memory dump of a KVM virtual machine, feel
> free to use virsh dump without LibVMI.

I'm not sure if I understand the difference. When I run the victim in a VM, can I hit virsh dump in another host terminal window and get a snapshot of the VM at this point in time? When I tried this a little while ago with a Windows 7 x64 SP0 image, it didn't work. So I thought this method is not suitable... The image format, respectively the profile, was recognized correctly with imageinfo. The host is CentOS 6.4.

With libvmi I would get continuous updates?

Chris
