On Mon, May 9, 2016 at 1:11 PM, Thomas Hungenberg <[email protected]> wrote: > On 04.05.2016 19:11, Torres, Geoff (Cyber Security) wrote: >> Hmmm... What does 'lqs2mem -l <snapshot_memfile>' show? > > $ lqs2mem -l snapshot.img > Invalid QEMU-savevm magic > Unrecogized file format
It looks like QEMU's file format changed somehow. I need to fix lqs2mem: https://github.com/juergh/lqs2mem/issues/3 ...Juerg > $ file snapshot.img > snapshot.img: QEMU suspend to disk image > > >> When I run the lqs2mem tool, I don't get an ELF image (i.e. 'file >> <raw_image>' returns 'data'). But the image runs through volatility just >> fine. > > I got the ELF file from running "dump-guest-memory" on the QEMU console after > loading the snapshot. > > > - Thomas > > _______________________________________________ > Vol-users mailing list > [email protected] > http://lists.volatilesystems.com/mailman/listinfo/vol-users -- Juerg Haefliger Hewlett Packard Enterprise _______________________________________________ Vol-users mailing list [email protected] http://lists.volatilesystems.com/mailman/listinfo/vol-users
