c9d6 How to dump memory (/dev/mem)? - The FreeBSD Forums
The FreeBSD Forums  

Go Back   The FreeBSD Forums > Base System > General
Reload this Page How to dump memory (/dev/mem)?
Register FAQ Calendar Search Today's Posts Mark Forums Read

General General questions about the FreeBSD operating system. Ask here if your question does not fit elsewhere.

Reply
 
Thread Tools Display Modes
  #1  
Old December 28th, 2008, 02:27
honk honk is offline
Member
  
Join Date: Dec 2008
Posts: 134
Thanks: 6
Thanked 13 Times in 13 Posts
Default How to dump memory (/dev/mem)?
Hi,

can someone tell me why memdump (from /usr/ports/sysutils) produces 4GByte files on a system with 2GB RAM (physically, no swap configured). Also what's the difference between "dd if=/dev/mem..." /dev/kmem and memdump?

# dmesg | grep memor
real memory = 2104164352 (2006 MB)
avail memory = 2053550080 (1958 MB)

I want to read memory content for forensic purposes. Useful informations on this topic appreciated. Thanks a lot in advance.

hnk
Reply With Quote
  #2  
Old December 28th, 2008, 11:46
graudeejs's Avatar
graudeejs graudeejs is offline
Style(9) Addict
  
Join Date: Nov 2008
Location: Riga, Latvia
Posts: 4,525
Thanks: 422
Thanked 607 Times in 475 Posts
Default
a stupid way to do it could be cat

But why do you want that?
Are you seriously going to analyze 2G binary file full or crap?
Reply With Quote
  #3  
Old December 28th, 2008, 11:50
kamikaze's Avatar
kamikaze kamikaze is offline
Member
  
Join Date: Nov 2008
Location: /earth/europe/germany
Posts: 366
Thanks: 6
Thanked 66 Times in 45 Posts
Default
I suppose that tool tries to safe the whole available memory space.
__________________
sysutils/bsdadminscripts: binary package maintenance, library integrity checking, ...
sysutils/automounter: amd(8) based automounting without HAL
contact: kamikaze@bsdforen.de

Disclaimer: My posts represent my perception. Errors and incompleteness are to be expected, I deny any responsibility to know everything.
Reply With Quote
  #4  
Old December 31st, 2008, 17:43
honk honk is offline
Member
  
Join Date: Dec 2008
Posts: 134
Thanks: 6
Thanked 13 Times in 13 Posts
Default
The reason for me to look at /dev/mem (or /dev/kmem, don't understand the difference currently) is this:

http://events.ccc.de/congress/2008/F...s/2922.en.html

I'm using GELI for full disk encryption and I tought, that finding the passphrase in memory isn't that easy:

user@fbsd:/data# memdump > mem.dump
memdump: Stopped on OFFT_TYPE wraparound after 0xfffff000

user@fbsd:/data# strings mem.dump | grep passphrase
Dec 31 00:33:29 prod kernel: Enter passphrase for ad4: verysecretpassphrase

I'm not really happy with that. Is there a reason to find such messages (like "attention here comes the password") in memory?

Now I'm interested in other things which can be found in the memory. Maybe there are some other peoples here with knowledge in forensics.

cheers,
Honk
Reply With Quote
  #5  
Old December 31st, 2008, 17:50
graudeejs's Avatar
graudeejs graudeejs is offline
Style(9) Addict
  
Join Date: Nov 2008
Location: Riga, Latvia
Posts: 4,525
Thanks: 422
Thanked 607 Times in 475 Posts
Default
Hackers Disassembling Uncovered by Kriss Kasperky
http://softpro.stores.yahoo.net/1-931769-64-8.html

also
http://www.usenix.org/publications/l...apers/gutmann/

they bough ain't directly related, but gives some interesting ideas about what you're interested (i think)

anyway posting them wont hurt
Reply With Quote
  #6  
Old January 1st, 2009, 23:20
Djn Djn is offline
Member
  
Join Date: Nov 2008
Location: Horten, Norway
Posts: 392
Thanks: 3
Thanked 62 Times in 53 Posts
Default
Of course, if someone has read access to all your memory, they can probably read any mounted volumes as well ...
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
gnome-system-monitor and memory mdg583 GNOME 7 December 8th, 2008 20:55
FreeBSD 7.0-RELEASE-p4 && xorg-7.3_2 huge memory leak TheFeaR X.Org 17 November 27th, 2008 10:54
Olympus FE-115 (xD memory card) & FreeBSD 7.0 Daemony Peripheral Hardware 7 November 19th, 2008 15:49


All times are GMT +1. The time now is 02:51.

Contact Us - FreeBSD - Archive - Top

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.
The mark FreeBSD is a registered trademark of The FreeBSD Foundation and is used by The FreeBSD Project with the permission of The FreeBSD Foundation.
Web protection and acceleration provided by CloudFlare
0