2013/10/4 <chris-2012@arcor.de>
Hi Guanglin,

thank you for your reply! I'm an absolute newbie, so my questions are probably a bit tedious.

> > Libvmi seems a bit complicated to install, at least compared to the
> > vboxmanage debugvm command. Is libvmi required for KVM or is it possible
> to
> > use virsh dump?
> >
> You should use LibVMI just for "online live" forensics over a virtual
> machine.
>
> If you merely need an offline memory dump of a KVM virtual machine, feel
> free to use virsh dump without LibVMI.

I'm not sure if I understand the difference. When I run the victim in a VM, can I hit virsh dump in another host terminal window and get a snapshot of the VM at this point in time? When I tried this a little while ago with a Windows 7 x64 SP0 image, it didn't work. So I thought this method is not suitable... The image format and its profile were recognized correctly by imageinfo. The host is CentOS 6.4.
 
I'm not sure whether your current libvirt version supports kvm dump well.

However, there is another method. If your libvirt supports QMP commands, try:
virsh qemu-monitor-command [your vm name] '{ "execute": "pmemsave", "arguments": { "val": 0, "size": [the memory size of the vm, in bytes], "filename": "[/path/of/the/dump]" } }'
 

With libvmi I would get continuous updates?

The feature I referred to, however, is still under development.

Guanglin 
 

Chris
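Added example (not from either correspondent): a small POSIX shell script that turns the pmemsave suggestion above into a repeatable acquisition step. It reads the guest memory size from `virsh dominfo` (libvirt reports it in KiB), converts it to the bytes that QMP pmemsave expects, and builds the `virsh qemu-monitor-command` invocation. The VM name `win7`, the dump path `/forensics/win7.raw` and the dominfo text are constructed sample values; `--run` assumes virsh is installed on the host and the guest is running.

```shell
#!/bin/sh
# Added example: build (and optionally run) a QMP pmemsave dump of a KVM guest.
# Sample values below are constructed; nothing here comes from the thread itself.

# Parse the "Max memory:" line of `virsh dominfo` output (reported in KiB)
# and return the guest memory size in bytes, which is what pmemsave wants.
dominfo_to_bytes() {
    # $1: full text of `virsh dominfo <vm>`
    kib=$(printf '%s\n' "$1" | awk '/^Max memory:/ { print $3 }')
    [ -n "$kib" ] || return 1
    echo $((kib * 1024))
}

# Build the QMP JSON that saves guest-physical memory [0, size) to a host file.
pmemsave_json() {
    # $1: size in bytes, $2: output path on the host
    printf '{ "execute": "pmemsave", "arguments": { "val": 0, "size": %s, "filename": "%s" } }' "$1" "$2"
}

# The complete command line as it would be typed on the host (returned, not run).
pmemsave_cmd() {
    # $1: VM name, $2: size in bytes, $3: output path
    printf "virsh qemu-monitor-command %s '%s'" "$1" "$(pmemsave_json "$2" "$3")"
}

# Constructed sample: the relevant lines of `virsh dominfo win7` for a 2 GiB guest.
SAMPLE_DOMINFO='Id:             3
Name:           win7
State:          running
Max memory:     2097152 KiB
Used memory:    2097152 KiB'

if [ "${1:-}" = "--run" ]; then
    # Usage: ./pmemsave.sh --run <vm name> </path/of/the/dump>
    vm=$2; out=$3
    size=$(dominfo_to_bytes "$(virsh dominfo "$vm")") || exit 1
    virsh qemu-monitor-command "$vm" "$(pmemsave_json "$size" "$out")"
else
    # Dry run on the constructed sample: print the command that would be issued.
    size=$(dominfo_to_bytes "$SAMPLE_DOMINFO")
    pmemsave_cmd win7 "$size" /forensics/win7.raw
    echo
fi
```

The dump path is written by the QEMU process on the host, so it must be a location that process can write to, and the resulting file is a raw physical-memory image that the Volatility profile mentioned earlier can be run against. Note that pmemsave addresses guest-physical memory, so on x86 guests larger than roughly 3.5 GiB the physical address space extends past the RAM size because of the below-4G PCI hole; for such guests a dump of exactly the RAM size will miss the memory remapped above 4G.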