
On 05/05/2011 11:56 AM, Andrew Tappert wrote:
A lot of people in the security community, myself included, are interested in memory forensics these days. Virtualization is a natural fit with memory forensics because it allows one to get access to a guest's memory without having to introduce any extra software into the guest or otherwise interfere with it. Incident responders are particularly interested in getting memory dumps from systems they're investigating.
Virsh has "save" and "dump" commands for storing the state of a guest to a file on disk, but memory of KVM guests doesn't get saved in the "standard" input format for memory forensics tools, which is a raw physical memory image. (This is what you'd get via the classical "dd /dev/mem" approach or the contemporary equivalent using the crash driver; and VMware Server and Workstation produce .vmem files, which are such raw physical memory images, when a guest is paused or snapshotted.)
Libvirt also has the virDomainMemoryPeek API; right now, it is not exposed by virsh, but we could add a command-line interface for it if that proves useful. Does that API fit your needs any better than converting a qemu dump image back into raw memory?

-- 
Eric Blake eblake@redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
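The acquisition path Eric suggests, assembling a raw physical-memory image out of virDomainMemoryPeek calls, as an added illustration that is not part of this thread and not libvirt's own code. It uses the libvirt-python binding (dom.memoryPeek with VIR_MEMORY_PHYSICAL, dom.maxMemory in KiB). The 64 KiB chunk size is an assumption made here because the remote transport caps the size of one peek; the zero-filling of unreadable ranges is a design choice of this example so that file offset always equals guest physical address, which is what memory-forensics tools expect of a raw image. The sample guest memory in the usage path of the function is constructed for the test, not captured from a real VM.

```python
"""Assemble a raw physical-memory image of a KVM guest from virDomainMemoryPeek.

Added example; not code from the libvirt project or from this thread.
"""
import io
import sys

# Assumption: libvirt's remote transport limits the size of a single
# virDomainMemoryPeek, so the image is built from fixed-size reads.
PEEK_CHUNK = 64 * 1024


def dump_physical_memory(peek, mem_bytes, out, chunk=PEEK_CHUNK):
    """Write guest physical memory [0, mem_bytes) to the file-like `out`.

    peek(start, size) must return exactly `size` bytes of guest-physical
    memory at address `start`, or raise. A chunk whose read fails (for
    example a hole in the guest physical address map) is zero-filled so that
    offset N in the output always corresponds to guest physical address N.
    Returns (bytes_written, [start offsets that were zero-filled]).
    """
    holes = []
    written = 0
    for start in range(0, mem_bytes, chunk):
        size = min(chunk, mem_bytes - start)
        try:
            data = peek(start, size)
        except Exception:  # libvirt.libvirtError in real use
            data = b"\x00" * size
            holes.append(start)
        if len(data) != size:
            raise IOError("short read at 0x%x: got %d bytes, wanted %d"
                          % (start, len(data), size))
        out.write(data)
        written += size
    return written, holes


def image_bytes(peek, mem_bytes, chunk=PEEK_CHUNK):
    """Convenience wrapper: return (image_bytes, holes) instead of streaming."""
    buf = io.BytesIO()
    _, holes = dump_physical_memory(peek, mem_bytes, buf, chunk)
    return buf.getvalue(), holes


def main(argv):
    """Usage: dump_guest_mem.py <domain-name> <output.raw>"""
    import libvirt  # libvirt-python binding; only needed for a live dump

    name, path = argv[1], argv[2]
    conn = libvirt.open("qemu:///system")
    dom = conn.lookupByName(name)
    mem_bytes = dom.maxMemory() * 1024  # maxMemory() reports KiB

    def peek(start, size):
        return dom.memoryPeek(start, size, libvirt.VIR_MEMORY_PHYSICAL)

    with open(path, "wb") as out:
        written, holes = dump_physical_memory(peek, mem_bytes, out)
    print("wrote %d bytes to %s, %d chunk(s) zero-filled" % (written, path, len(holes)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats a responder should keep in mind with this approach: the reads are not atomic with respect to the running guest, so pausing the domain first (virsh suspend) gives a consistent image; and the guest physical address space is not necessarily one contiguous range (QEMU's PC machine leaves a hole below 4 GiB for PCI), so a flat read of [0, maxMemory) only covers guests whose RAM sits entirely below that hole. The zero-fill keeps offsets aligned with physical addresses in either case, and the returned hole list tells you which ranges could not be read.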