Re: [Vol-users] Analyzing memory from a QEMU snapshot
Juerg Haefliger
9 May
2016
9 May
'16
2:44 p.m.
On Mon, May 9, 2016 at 1:11 PM, Thomas Hungenberg <th(a)cert-bund.de> wrote:
On 04.05.2016 19:11, Torres, Geoff (Cyber Security)
wrote:
It looks like QEMU's file format changed somehow. I need to fix
lqs2mem: https://github.com/juergh/lqs2mem/issues/3
...Juerg
Hmmm... What does 'lqs2mem -l
<snapshot_memfile>' show?
$ lqs2mem -l snapshot.img
Invalid QEMU-savevm magic
Unrecogized file format $ file snapshot.img
snapshot.img: QEMU suspend to disk image
--
Juerg Haefliger
Hewlett Packard Enterprise
When I run the lqs2mem tool, I don't get an
ELF image (i.e. 'file <raw_image>' returns 'data'). But the image
runs through volatility just fine.
I got the ELF file from running "dump-guest-memory" on the QEMU console after
loading the snapshot.
- Thomas
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users