On 04.05.2016 17:46, Torres, Geoff (Cyber Security) wrote:
> When you say " Running lqs2mem on the original suspend to disk image does not
> work", do you mean that you're getting an error? Or that it's creating an
> image that doesn't work in volatility?
>
> I've ran lqs2mem literally on hundreds of QEMU images with no problems.
>
> Can you post the output of your run?
>
> If I recall correctly, Juerg had to pad a certain section of memory in order
> to get the structures to line up. It's possible that later versions of
> QEMU/KVM changed so that padding isn't necessary any more.
Running lqs2mem on the original image returns "Invalid section type: 7"
- Thomas
_______________________________________________
Vol-users mailing list
[email protected]
http://lists.volatilesystems.com/mailman/listinfo/vol-users
