Microsoft Corporation
VOLATILE MEMORY ACQUISITION
Abstract:
Aspects of the present disclosure relate to volatile memory acquisition using live migration of an execution environment. In examples, a virtualization manager controls execution of an execution environment at a virtualization host. The virtualization manager may enable live migration of the execution environment, such that the execution environment may be migrated to another virtualization host (or "migration target") for continued execution. Accordingly, such functionality may be used to capture a memory image at a migration target, after which the execution environment continues executing at the original virtualization host. The memory image may be analyzed to identify the presence of malware and/or to generate a list of processes that were executing at the time of the capture. Such aspects may enable capturing a substantially accurate and consistent memory image of the volatile memory of the execution environment without indicating, inadvertently or otherwise, to processes executing therein that a capture is occurring.
Utility
28 May 2021
28 Jul 2022