On Tue, Mar 14, 2017 at 02:13:46PM +0100, Pascal wrote:
> how could I (easily) follow file modifications made by guest os (Windows)
> with qemu ?
> could I exploit the growing overlay image based on an original Windows
> image ?

Not easily because Windows has a file system (e.g. NTFS) on top of the
block device that QEMU emulates. You would need to parse the file system
metadata in order to do the Logical Block Address (LBA) -> file lookup.

In other words, the disk emulation just sees sector reads/writes to an
LBA. It does not see open(), read(), rename(), or other file system
operations.

A less invasive way is to use the CIFS (Samba) network file system and
instrument the file server. That way you see higher-level operations and
just block I/O. You could even just use tcpdump and analyze the traffic
offline or interactively using Wireshark.

Stefan
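
An added illustration of the LBA -> file lookup described in the reply above (not part of the original message or of QEMU): given each file's cluster runs, as a file system metadata parser would have to supply them, it maps traced sector writes back to file names. The partition offset, cluster size, run lists, file names and write trace are constructed sample values.

```python
import bisect

SECTORS_PER_CLUSTER = 8      # assumed: 4 KiB clusters, 512-byte sectors
PARTITION_START_LBA = 2048   # assumed: partition offset on the virtual disk

# Constructed sample: per-file run lists (start_cluster, cluster_count), the
# kind of extent data a parser would have to extract from NTFS metadata.
RUNS = {
    "$MFT": [(4, 64)],
    "Windows/System32/config/SOFTWARE": [(1000, 16), (5000, 8)],
    "Users/alice/report.docx": [(1016, 4)],
}

def build_index(runs):
    """Flatten run lists into sorted (first_lba, end_lba, name) extents."""
    index = []
    for name, extents in runs.items():
        for start_cluster, count in extents:
            first = PARTITION_START_LBA + start_cluster * SECTORS_PER_CLUSTER
            index.append((first, first + count * SECTORS_PER_CLUSTER, name))
    index.sort()
    return index

def files_for_write(index, lba, nsectors):
    """Return names of files whose extents overlap [lba, lba + nsectors)."""
    end = lba + nsectors
    starts = [extent[0] for extent in index]
    # Begin at the last extent that starts at or before the written LBA.
    i = max(bisect.bisect_right(starts, lba) - 1, 0)
    hits = []
    while i < len(index) and index[i][0] < end:
        _, extent_end, name = index[i]
        if extent_end > lba and name not in hits:
            hits.append(name)
        i += 1
    return hits or ["<unallocated or unknown>"]

# Constructed write trace: (lba, sector_count), all the block layer sees.
TRACE = [(10048, 8), (10170, 16), (2080, 8), (900000, 8)]

def resolve(trace=TRACE):
    index = build_index(RUNS)
    return [(lba, n, files_for_write(index, lba, n)) for lba, n in trace]

if __name__ == "__main__":
    for lba, n, names in resolve():
        print(f"write lba={lba} sectors={n} -> {', '.join(names)}")
```

The third write lands in $MFT: metadata updates arrive as ordinary sector writes, and because the guest changes the run lists as it writes, the index has to be rebuilt from fresh metadata to stay accurate.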
