@adulau
Created March 5, 2013 22:03
Acquiring memory from a running Linux system (notes)

How to acquire memory from a running Linux system

Dumping memory on a Linux system can be cumbersome, especially since the behaviour differs between GNU/Linux distributions and kernel versions. In the early days the easiest way was to read the physical memory device (/dev/mem), but access to it has been restricted over time to stop a malicious process from reading or writing kernel memory directly. The kernel option CONFIG_STRICT_DEVMEM, present since the 2.6 series (2.6.36–2.6.39, 3.0–3.8, 3.8+HEAD) and enabled by most distribution kernels, limits /dev/mem to non-RAM regions such as PCI and BIOS areas: reads of system RAM fail with EPERM instead of returning data. You can check the running kernel's configuration (usually /boot/config-<kernel version> or /proc/config.gz) for this option; where it is set, you need a kernel module to acquire memory.

fmem

fmem (http://hysteria.sk/~niekt0/fmem/fmem_current.tgz) is a kernel module that creates a new device, /dev/fmem, giving direct read access to all of physical memory without the /dev/mem restrictions. A kernel module must match the running kernel, so you either compile fmem on the machine you plan to acquire from or on a machine with the same kernel version and configuration. For forensic acquisition you want to change the state of the target as little as possible (installing a compiler and kernel headers and building the module touches many files and memory pages), so it is highly recommended to prepare fmem modules for your target kernels in advance.

fmem usage

Once the fmem kernel module is compiled, it has to be loaded into the running kernel. The easiest way is the "run.sh" script included in the distribution, which loads the module with the right parameter: the address of the kernel's page_is_ram function, looked up in /proc/kallsyms. Run it as root; with kernel.kptr_restrict set, /proc/kallsyms shows zeroed addresses to unprivileged users and the lookup fails.

When the module is loaded, a new device /dev/fmem exists. It is a character device, not a regular file with a start and an end: reads never return end-of-file, so a plain dd from it never terminates. You have to decide in advance how much to read: determine the amount of physical memory on the system and read exactly that. Note that MemTotal in /proc/meminfo is smaller than the physical RAM because it excludes memory reserved by the firmware and the kernel; the end address of the highest "System RAM" range in /proc/iomem is the safer upper bound. Also mind dd's size suffixes: 1M is 1048576 bytes while 1MB is 1000000 bytes, so bs=1MB count=1000 reads 10^9 bytes, slightly less than a 1 GiB machine holds. To acquire the memory of a Linux system with 1GB of memory you can use dd or dcfldd (https://github.com/adulau/dcfldd), which also hashes the image while it is written:

dcfldd if=/dev/fmem of=memory.dump hash=sha256 sha256log=memory.dump.sha256 bs=1MB count=1000
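The sizing step above is where acquisitions go wrong, so here is an added example (not part of the original notes, and not fmem's or dcfldd's own code) that derives the read bound from /proc/iomem, builds the bounded dcfldd command, and afterwards verifies the image against the dcfldd hash log. The /proc/iomem content is a constructed sample from a 5 GiB virtual machine; the hash-log check only looks for the digest anywhere in the log, so it does not depend on dcfldd's exact log line format.

```python
"""Bound a /dev/fmem acquisition from /proc/iomem and verify the result.

/dev/fmem never reports end-of-file, so dd/dcfldd need an explicit count.
MemTotal in /proc/meminfo excludes reserved regions, so the bound is taken
from the highest "System RAM" range in /proc/iomem instead. Reading
/proc/iomem needs root; unprivileged users see zeroed addresses.
"""
import hashlib
import os
import re
import shlex

BLOCK_SIZE = 1024 * 1024   # 1 MiB, dd's "1M" (dd's "1MB" would be 1000000)

# Constructed sample of /proc/iomem (5 GiB VM); real content varies per machine.
SAMPLE_IOMEM = """\
00000000-00000fff : reserved
00001000-0009fbff : System RAM
0009fc00-0009ffff : reserved
000a0000-000bffff : PCI Bus 0000:00
00100000-bffdffff : System RAM
  01000000-01a01f90 : Kernel code
  01a01f91-01f4b37f : Kernel data
bffe0000-bfffffff : reserved
100000000-13fffffff : System RAM
"""

_RANGE = re.compile(r"^\s*([0-9a-f]+)-([0-9a-f]+) : (.*)$")


def system_ram_ranges(iomem_text):
    """Return [(start, end_inclusive), ...] for every 'System RAM' line."""
    ranges = []
    for line in iomem_text.splitlines():
        m = _RANGE.match(line)
        if m and m.group(3).strip() == "System RAM":
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
    return ranges


def physical_ram_end(iomem_text):
    """Exclusive end address (in bytes) of the highest System RAM range."""
    ranges = system_ram_ranges(iomem_text)
    if not ranges:
        raise ValueError("no 'System RAM' ranges found (not running as root?)")
    return max(end for _, end in ranges) + 1


def block_count(nbytes, block_size=BLOCK_SIZE):
    """Smallest number of whole blocks covering nbytes (round up, never down)."""
    return -(-nbytes // block_size)


def dcfldd_command(iomem_text, out="memory.dump"):
    """argv for a bounded, hashed dcfldd read of /dev/fmem (options as in the notes)."""
    count = block_count(physical_ram_end(iomem_text))
    return ["dcfldd", "if=/dev/fmem", f"of={out}", "hash=sha256",
            f"sha256log={out}.sha256", f"bs={BLOCK_SIZE}", f"count={count}"]


def verify_dump(path, expected_bytes, sha256_log):
    """True if the image has the expected size and its SHA-256 appears in the log."""
    if os.path.getsize(path) != expected_bytes:
        return False
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    with open(sha256_log) as log:
        return h.hexdigest() in log.read().lower()


if __name__ == "__main__":
    # As root use the live /proc/iomem; otherwise fall back to the sample.
    text = open("/proc/iomem").read() if os.geteuid() == 0 else SAMPLE_IOMEM
    print(shlex.join(dcfldd_command(text)))
```

Run the printed command after loading fmem, then call verify_dump() with count * BLOCK_SIZE as the expected size; a size mismatch or a digest missing from the log means the acquisition was cut short or the image was altered.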

lime

LiME (http://code.google.com/p/lime-forensics/) is an alternative for acquiring memory from Linux and supports more recent kernel versions. Rather than exposing a device for a userspace tool to read, the module itself walks the System RAM ranges and writes the dump, so fewer userspace pages are touched during acquisition and the image is likely to be more accurate. Like fmem it is a kernel module and must be built against the exact kernel of the target (the module name below carries that kernel version), so prepare it in advance. Write the image to external media, or send it over the network (LiME also accepts path=tcp:<port>, which you then read with netcat from the analysis host), rather than onto the evidence disk.

insmod lime-2.6.36-gentoo-r5.ko "path=memory.dump format=raw"

LiME supports three output formats: raw (the System RAM ranges concatenated), padded (the same, with the non-RAM gaps zero-filled from physical address 0, so that a file offset equals a physical address) and lime (each range prefixed with a small header recording its physical start and end addresses; this is the format Volatility's LiME address space expects).
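To make the difference between the three formats concrete, here is an added example (not LiME's or Volatility's code) that parses a lime-format image and converts it to the raw and padded layouts. The header layout is LiME's 32-byte little-endian range header (magic 0x4C694D45, version 1, inclusive start and end address, 8 reserved bytes); the two-range image it works on is constructed in the block for illustration.

```python
"""Walk a LiME "format=lime" image and convert it to "raw" and "padded".

Each lime-format block is a 32-byte little-endian header followed by the
range's bytes:
    u32 magic    0x4C694D45 (the bytes "EMiL" in the file)
    u32 version  1
    u64 s_addr   first physical address of the range
    u64 e_addr   last physical address of the range (inclusive)
    u8  reserved[8]
"raw" drops the headers and concatenates the ranges; "padded" drops the
headers and zero-fills the gaps so that file offset == physical address.
"""
import struct

LIME_MAGIC = 0x4C694D45
LIME_HEADER = struct.Struct("<IIQQ8s")   # 32 bytes


def parse_lime(image):
    """Return [(s_addr, e_addr, data), ...]; ValueError on a bad or truncated block."""
    ranges, off = [], 0
    while off < len(image):
        if len(image) - off < LIME_HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(image, off)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError(f"bad header at offset {off}: "
                             f"magic={magic:#x} version={version}")
        if e_addr < s_addr:
            raise ValueError(f"inverted range {s_addr:#x}-{e_addr:#x}")
        off += LIME_HEADER.size
        size = e_addr - s_addr + 1
        if off + size > len(image):
            raise ValueError(f"range {s_addr:#x}-{e_addr:#x} truncated")
        ranges.append((s_addr, e_addr, image[off:off + size]))
        off += size
    return ranges


def lime_to_raw(image):
    """The 'raw' layout: ranges concatenated, addresses lost."""
    return b"".join(data for _, _, data in parse_lime(image))


def lime_to_padded(image):
    """The 'padded' layout: byte i of the result is physical address i."""
    out = bytearray()
    for s_addr, e_addr, data in parse_lime(image):
        if s_addr < len(out):
            raise ValueError("overlapping or unsorted ranges")
        out.extend(b"\x00" * (s_addr - len(out)))   # zero-fill the non-RAM gap
        out.extend(data)
    return bytes(out)


def physical_read(padded, addr, length):
    """Read by physical address from a padded image, as an analysis tool would."""
    return padded[addr:addr + length]


def make_lime_range(s_addr, data):
    """Build one lime-format block (used here only to construct a sample image)."""
    return LIME_HEADER.pack(LIME_MAGIC, 1, s_addr, s_addr + len(data) - 1,
                            b"\x00" * 8) + data


# Constructed sample: RAM at 0x1000-0x1fff and 0x3000-0x3fff, a 4 KiB gap between.
SAMPLE_IMAGE = (make_lime_range(0x1000, b"A" * 0x1000)
                + make_lime_range(0x3000, b"B" * 0x1000))

if __name__ == "__main__":
    for s_addr, e_addr, data in parse_lime(SAMPLE_IMAGE):
        print(f"System RAM {s_addr:#010x}-{e_addr:#010x} ({len(data)} bytes)")
```

The header check is the reason to prefer format=lime when the dump leaves the machine over the network: a truncated transfer is detected as a short last range instead of silently yielding an image that is merely smaller than expected.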
