On 04.05.2016 19:11, Torres, Geoff (Cyber Security) wrote:
Hmmm... What does 'lqs2mem -l <snapshot_memfile>' show?
$ lqs2mem -l snapshot.img
Invalid QEMU-savevm magic
Unrecogized file format
$ file snapshot.img
snapshot.img: QEMU suspend to disk image
When I run the lqs2mem tool, I don't get an ELF image (i.e. 'file <raw_image>' returns 'data').
But the image runs through volatility just fine.
I got the ELF file from running "dump-guest-memory" on the QEMU console after
loading the snapshot.
- Thomas