Sometimes it may be necessary to forensically investigate a Qubes OS VM. This guide describes how this can be accomplished. It is intended for advanced users.
For forensics of Qubes OS dom0, please refer to any standard Linux forensics guide.
You can mount disks of all VMs to another investigation VM in both r/w and r/o fashion and use your favorite forensic analysis tools.
The following guide uses volatility3 for memory forensics on a previously created memory dump. Other tools may work as well.
The VM under analysis is called `vm`. The VM where the memory dump is analyzed is called `analysis-vm`.
Since Qubes OS currently does not provide kernel debug symbols for its default kernels, you will have to switch to VM template kernels at least for the VM under analysis and the analysis VM. Without this step, the analysis tool (here volatility3) will be unable to interpret the memory dump.
Please follow the official guide on how to use a kernel installed inside a VM. The required package for pvh VMs is called
(dom0) Pause the VM under analysis with `qvm-pause vm`. You can later unpause it via `qvm-unpause vm`. Skipping this step may cause memory smear and render the memory dump useless.
(dom0) Create the memory dump

```
virsh -c xen:// dump vm vm.dump --live
sudo chown [user]:[user] vm.dump
```
(dom0) Create the analysis VM and copy the dump to it

```
qvm-clone --class StandaloneVM debian-11 analysis-vm
qvm-prefs analysis-vm label red
qvm-prefs analysis-vm netvm sys-firewall
qubes-vm-settings analysis-vm
```

In the settings dialog, make sure you have at least 7 GB free system storage and enough private storage to fit your memory dump. Then copy the dump:

```
qvm-copy-to-vm analysis-vm vm.dump
```
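The dom0 steps above (pause, dump, chown, copy) as one script with the pause/unpause bracket enforced, so the VM is unpaused even when `virsh` fails. This is an added example, not a script from the Qubes documentation; it assumes the dom0 tools `qvm-pause`, `qvm-unpause`, `virsh` and `qvm-copy-to-vm` are on PATH, and the `DRY_RUN` variable and `run` helper are assumptions of this example used to record the command sequence without touching any VM.

```shell
#!/bin/bash
# Added example (not from the Qubes documentation): acquire a memory dump of a
# Qubes VM from dom0 with the pause/unpause bracket the guide calls for.
# Assumptions: qvm-pause, qvm-unpause, virsh and qvm-copy-to-vm are on PATH;
# DRY_RUN=1 records the commands in DRY_LOG instead of running them.

DRY_LOG=""

# Run a command, or record it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        DRY_LOG="${DRY_LOG}$* ; "
        return 0
    fi
    "$@"
}

# dump_vm_memory VM DUMPFILE [ANALYSIS_VM]
# Pauses VM, writes a live dump with virsh, always unpauses, then hands the
# file to the current user and optionally copies it to ANALYSIS_VM.
dump_vm_memory() {
    local vm=$1
    local out=$2
    local dest=${3:-}
    local status=0
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing dump $out" >&2
        return 1
    fi
    # Pause first: dumping a running VM smears memory and ruins the dump.
    run qvm-pause "$vm" || return 1
    run virsh -c xen:// dump "$vm" "$out" --live || status=$?
    # Unpause even when the dump failed; a VM left paused is easy to forget.
    run qvm-unpause "$vm"
    if [ "$status" -ne 0 ]; then
        echo "memory dump of $vm failed (exit $status)" >&2
        return "$status"
    fi
    # virsh writes the file as root; make it readable for qvm-copy-to-vm.
    run sudo chown "$(id -un):$(id -gn)" "$out"
    if [ -n "$dest" ]; then
        run qvm-copy-to-vm "$dest" "$out"
    fi
}

# Usage in dom0: ./dump-vm.sh vm vm.dump analysis-vm
[ $# -eq 0 ] || dump_vm_memory "$@"
```

Run it with `DRY_RUN=1` first to see the exact command sequence; the refusal to overwrite an existing dump file keeps a second run from silently replacing evidence you already copied out.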
(analysis-vm) Install volatility3
Follow the install instructions inside the
As of 2023 the volatility3 support for Xen memory dumps is limited. Your mileage may vary.
The following creates a small wrapper so that `volatility` can be called from any directory:

```
sudo su
echo '#!/bin/bash'$'\n''python3 "[path to vol.py]/vol.py" "$@"' > /usr/bin/volatility
chmod +x /usr/bin/volatility
exit
```
(analysis-vm) Build and install dwarf2json
You may have to install golang first (debian: `sudo apt install golang`).

```
cd ~
git clone 'https://github.com/volatilityfoundation/dwarf2json'
cd dwarf2json
go build
```
(analysis-vm) Generate the symbol tables for volatility3
On debian use `sudo apt install linux-image-amd64-dbg` to install the version matching the kernel version of the VM under analysis.
Afterwards generate the symbol table lookups for volatility3 via

```
./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-[kernel version]-amd64 --system-map /usr/lib/debug/boot/System.map-[kernel version]-amd64 > [volatility path]/volatility3/symbols/[kernel version]-amd64.json
```
(analysis-vm) Analyze the memory dump

```
cd ~
mv ~/QubesIncoming/dom0/vm.dump ~
volatility isfinfo
volatility -f vm.dump banner
volatility -f vm.dump linux.pslist
```

`volatility isfinfo` should list the symbol file you generated in the previous step.
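The symbol-table step is where most attempts fail: the debug kernel installed in `analysis-vm` must match the kernel of `vm` exactly, and `dwarf2json` exits quietly with an empty file when it cannot read its inputs. The script below, an added example and not part of the Qubes documentation or of volatility3/dwarf2json, wraps that step with the checks a practitioner would want. The environment variables `DEBUG_DIR`, `DWARF2JSON` and `VOL_SYMBOLS` and the function names are assumptions of this example; the defaults follow the paths used in the guide.

```shell
#!/bin/bash
# Added example (not from the Qubes documentation): build the volatility3 symbol
# table for the kernel of the VM under analysis, checking the inputs first.
# Assumed layout, overridable via environment variables:
#   DEBUG_DIR   - where linux-image-amd64-dbg puts vmlinux and System.map
#   DWARF2JSON  - the binary produced by "go build" in the dwarf2json checkout
#   VOL_SYMBOLS - the volatility3/symbols directory of your volatility3 checkout

DEBUG_DIR=${DEBUG_DIR:-/usr/lib/debug/boot}
DWARF2JSON=${DWARF2JSON:-$HOME/dwarf2json/dwarf2json}
VOL_SYMBOLS=${VOL_SYMBOLS:-$HOME/volatility3/volatility3/symbols}

# symbol_json_path KVER -> path of the symbol file volatility3 will load
symbol_json_path() {
    printf '%s/%s-amd64.json\n' "$VOL_SYMBOLS" "$1"
}

# installed_debug_kernels -> kernel versions for which debug symbols exist
installed_debug_kernels() {
    local f
    for f in "$DEBUG_DIR"/vmlinux-*-amd64; do
        [ -e "$f" ] || continue
        f=${f##*/vmlinux-}
        printf '%s\n' "${f%-amd64}"
    done
}

# build_symbols KVER
# Verifies dwarf2json, the debug vmlinux and its System.map exist, then writes
# the JSON symbol table; an empty or failed result is removed, not left behind.
build_symbols() {
    local kver=$1
    local vmlinux="$DEBUG_DIR/vmlinux-$kver-amd64"
    local sysmap="$DEBUG_DIR/System.map-$kver-amd64"
    local out
    out=$(symbol_json_path "$kver")
    if [ ! -x "$DWARF2JSON" ]; then
        echo "dwarf2json not found at $DWARF2JSON (run go build in its checkout)" >&2
        return 1
    fi
    if [ ! -r "$vmlinux" ] || [ ! -r "$sysmap" ]; then
        echo "no debug kernel $kver in $DEBUG_DIR; installed versions:" >&2
        installed_debug_kernels >&2
        echo "the linux-image-amd64-dbg version must match the kernel of the VM under analysis" >&2
        return 1
    fi
    mkdir -p "$VOL_SYMBOLS"
    if ! "$DWARF2JSON" linux --elf "$vmlinux" --system-map "$sysmap" > "$out"; then
        rm -f "$out"
        echo "dwarf2json failed for $kver" >&2
        return 1
    fi
    if [ ! -s "$out" ]; then
        rm -f "$out"
        echo "dwarf2json produced no output for $kver" >&2
        return 1
    fi
    echo "$out"
}

# Usage in analysis-vm: ./build-symbols.sh [kernel version]
# then confirm the new file is picked up with: volatility isfinfo
[ $# -eq 0 ] || build_symbols "$@"
```

Because a partial or empty JSON file is deleted on failure, `volatility isfinfo` will never list a broken symbol table, which is otherwise a confusing way to discover a kernel version mismatch.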