Hi @Insurgo,
Thanks a lot for your explanations;
now I understand those terms better:
- snapshot, backup, pool, lvm, device, logical volume,
- volume (kernel, private, root, volatile),
- qvm-volume revert & qvm-backup-restore.
I think those explanations will be useful for other users too.
I see you've made a lot of contributions to the forum.
Anyway, I have tried to create a dom0 snapshot by using:
/usr/sbin/lvcreate --noudevsync --ignoremonitoring -An -pr -s qubes_dom0/root -n root-autosnap
The creation was successful, but I couldn't find the snapshot inside qubes_dom0.
Could you tell me how to find the created snapshot,
so that we can copy it to another VM for forensics?
Yes, after reading it, I figured out the thread is also about snapshot creation,
and also about using a snapshot to revert the dom0 state.
So maybe I will change the title of this thread to:
comparing dom0 snapshots to find suspicious malware / compromise,
so as to contribute something different.
I guess if we compare 2 dom0 snapshots,
they will surely have different volume sizes,
but I think that is not enough to indicate malware / compromise.
Do you have any tips / ideas
on how to compare the snapshots to find a compromise?
Maybe I need to focus on a specific part of the snapshot?
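An added example, not from this thread or from Qubes, of the two steps asked about above: listing the LVM snapshots with lvs (they do not show up in qvm-volume), and diffing per-file hashes between an older and a newer read-only snapshot of qubes_dom0/root rather than looking at volume size. The second snapshot name, the manifest file names and the fake hashes in the demo are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread): locate dom0 LVM snapshots, hash the
# file tree of each, and diff the two manifests. Run as root in dom0.
# Assumed snapshot names: qubes_dom0/root-autosnap and a later one.
export LC_ALL=C   # byte-order sorting so that sort and join agree

# Snapshots are listed by lvs, not by qvm-volume; a non-empty origin marks one.
list_snapshots() {
    lvs --noheadings -o lv_name,origin "$1" | awk 'NF == 2 {print $1, "is a snapshot of", $2}'
}

# Mount <vg>/<lv> read-only and write "hash  path" lines sorted by path.
# Add ",noload" to the options if ext4 refuses because the journal needs recovery.
manifest_snapshot() {
    local lv="$1" out="$2" mnt
    mnt=$(mktemp -d)
    mount -o ro,noexec,nosuid,nodev "/dev/$lv" "$mnt" || return 1
    (cd "$mnt" && find . -xdev -type f -print0 | xargs -0 sha256sum) | sort -k2,2 > "$out"
    umount "$mnt" && rmdir "$mnt"
}

# Full outer join of two manifests on the path field, then classify each row.
# $1 is the older snapshot's manifest, $2 the newer one's.
compare_manifests() {
    join -j 2 -a 1 -a 2 -e MISSING -o 0,1.1,2.1 "$1" "$2" | awk '
        $2 == "MISSING" { print "ADDED   " $1; next }
        $3 == "MISSING" { print "REMOVED " $1; next }
        $2 != $3        { print "CHANGED " $1 }'
}

# Constructed sample manifests (fake hashes, not real dom0 data) to try the
# comparison without mounting anything: one cron file replaced, ls modified.
demo_compare() {
    local d; d=$(mktemp -d)
    printf '%s\n' 'cccc  ./etc/cron.d/old' 'aaaa  ./etc/passwd' 'bbbb  ./usr/bin/ls' > "$d/old.txt"
    printf '%s\n' 'eeee  ./etc/cron.d/new' 'aaaa  ./etc/passwd' 'dddd  ./usr/bin/ls' > "$d/new.txt"
    compare_manifests "$d/old.txt" "$d/new.txt"
    rm -rf "$d"
}

case "${1:-}" in
    --list)    list_snapshots "${2:-qubes_dom0}" ;;
    --demo)    demo_compare ;;
    --compare) manifest_snapshot "$2" old.sha256 && manifest_snapshot "$3" new.sha256 &&
               compare_manifests old.sha256 new.sha256 ;;
esac
```

A content diff of the root volume says nothing about /boot, firmware or the other volumes, and a compromised dom0 can misreport what it reads, so the manifests are best generated and compared from a trusted environment where that is possible.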