[Vol-users] KVM and Memory Dump

Guanglin Xu mzguanglin at gmail.com
Fri Oct 4 07:36:12 CDT 2013


2013/10/4 <chris-2012 at arcor.de>

> Hi Guanglin,
>
> thank you for your reply! I'm an absolute newbie, so my questions are
> probably a bit tedious.
>
> > > Libvmi seems a bit complicated to install, at least compared to the
> > > vboxmanage debugvm command. Is libvmi required for KVM or is it
> possible
> > to
> > > use virsh dump?
> > >
> > You should use LibVMI just for "online live" forensics over a virtual
> > machine.
> >
> > If you merely need an offline memory dump of a KVM virtual machine, feel
> > free to use virsh dump without LibVMI.
>
> I'm not sure, if I understand the difference. When I run the victim in a
> VM, I can hit virsh dump in another host terminal window and get a snapshot
> of the VM at this point in time? When I tried this a little while ago with
> a Windows 7 x64 SP0 image, it didn't work. So I thought this method is not
> suitable... The image format respective profile was recognized with
> imageinfo correctly. The host is CentOS 6.4.
>

I'm not sure whether your current libvirt version supports kvm dump well.

However, there is another method. If your libvirt supports QMP commands, try:
virsh qemu-monitor-command [your vm name] '{ "execute": "pmemsave",
"arguments": { "val": 0, "size": [the memory size of the vm, in bytes],
"filename": "[/path/of/the/dump]" } }'


>
> With libvmi I would get continuous updates?
>

The feature I referred to, however, is still under development.

Guanglin


>
> Chris
>
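The QMP pmemsave approach from the reply above, wrapped in a small script; this is an added example, not code from the thread or from the Volatility or libvirt projects. It assumes `virsh dominfo` prints a `Max memory: N KiB` line and that guest RAM is mapped contiguously from physical address 0 (a guest larger than the PCI hole has a gap above it and would need a second pmemsave for the high region).

```shell
#!/bin/sh
# Dump a KVM guest's physical memory through QMP "pmemsave" using
# virsh qemu-monitor-command. pmemsave's "size" argument is in bytes,
# while virsh dominfo reports memory in KiB, so convert before calling.

# Extract the "Max memory" value (KiB) from `virsh dominfo` output on stdin.
dominfo_max_kib() {
    awk -F: '/^Max memory/ { gsub(/[^0-9]/, "", $2); print $2 }'
}

# Build the QMP command string, converting KiB to bytes for pmemsave.
# The output path is opened by the qemu process, so it must be writable
# by the user qemu runs as (often "qemu"), not by the caller.
pmemsave_qmp() {
    kib="$1"; out="$2"
    bytes=$((kib * 1024))
    printf '{ "execute": "pmemsave", "arguments": { "val": 0, "size": %s, "filename": "%s" } }' \
        "$bytes" "$out"
}

# Dump a running domain and verify the file is exactly the guest's RAM size.
# Requires a libvirt/qemu that allows QMP passthrough; not run in the test.
dump_kvm_guest() {
    dom="$1"; out="$2"
    kib=$(virsh dominfo "$dom" | dominfo_max_kib)
    [ -n "$kib" ] || { echo "could not read memory size for $dom" >&2; return 1; }
    virsh qemu-monitor-command "$dom" "$(pmemsave_qmp "$kib" "$out")" || return 1
    actual=$(wc -c < "$out")
    [ "$actual" -eq $((kib * 1024)) ] || { echo "short dump: $actual bytes" >&2; return 1; }
}

# Constructed sample of `virsh dominfo` output (hypothetical domain name),
# used to exercise the parsing and command construction offline.
SAMPLE_DOMINFO='Id:             3
Name:           win7-victim
Max memory:     2097152 KiB
Used memory:    2097152 KiB'
```

Usage on a live host: `dump_kvm_guest win7-victim /var/tmp/win7.raw`, then point Volatility at the raw file.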