12:32 p.m.
Hi everyone,
I've got a snapshot from a Red Hat VM that I'd like to analyze. I've noticed
that imagecopy is in the Windows section of the documentation. Is imagecopy supported for
Linux snapshots?
Thanks,
Kasia Olejnik
10:01 a.m.
Kasia,
Technically, imageinfo should work for Linux, but you're right - its currently not
configured to do so. You'd need to patch it like this:
Index: volatility/plugins/imagecopy.py
===================================================================
--- volatility/plugins/imagecopy.py (revision 3583)
+++ volatility/plugins/imagecopy.py (working copy)
@@ -22,9 +22,9 @@
import os
import volatility.debug as debug
import volatility.utils as utils
-import volatility.plugins.common as common
+import volatility.commands as commands
-class ImageCopy(common.AbstractWindowsCommand):
+class ImageCopy(commands.Command):
"""Copies a physical address space out as a raw DD
image"""
def __init__(self, *args, **kwargs):
However, our VMware address spaces should let you analyze Linux VM snapshot/saved state
files without covering to a raw memory dump first.
Hope this helps,
--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG: http://mnin.org/gpg.pubkey.txt
Blog: http://volatility-labs.blogspot.com
On Feb 3, 2014, at 11:32 AM, Katarzyna Olejnik <kolejnik(a)umass.edu> wrote:
Hi everyone,
I've got a snapshot from a Red Hat VM that I'd like to analyze. I've noticed
that imagecopy is in the Windows section of the documentation. Is imagecopy supported for
Linux snapshots?
Thanks,
Kasia Olejnik
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
3936
days inactive
3937
days old
vol-users@lists.volatilityfoundation.org
1 comments
2 participants
participants (2)
-
Katarzyna Olejnik -
Michael Ligh