Hi Guanglin,

thank you for your reply! I'm an absolute newbie, so my questions are probably a bit tedious.
> LibVMI seems a bit complicated to install, at least compared to the vboxmanage debugvm command. Is LibVMI required for KVM or is it possible to use virsh dump?

> You should use LibVMI just for "online live" forensics over a virtual machine. If you merely need an offline memory dump of a KVM virtual machine, feel free to use virsh dump without LibVMI.
I'm not sure if I understand the difference. When I run the victim in a VM, I can run virsh dump in another host terminal window and get a snapshot of the VM at this point in time? When I tried this a little while ago with a Windows 7 x64 SP0 image, it didn't work. So I thought this method is not suitable... The image format, or rather the profile, was recognized correctly with imageinfo. The host is CentOS 6.4.

With LibVMI I would get continuous updates?
Chris