How to dump memory (/dev/mem)?

Discussion in 'General' started by honk, Dec 28, 2008.

  1. honk

    honk New Member

    Hi,

    Can someone tell me why memdump (from /usr/ports/sysutils) produces 4GByte files on a system with 2GB RAM (physically, no swap configured)? Also, what's the difference between "dd if=/dev/mem...", /dev/kmem and memdump?

    # dmesg | grep memor
    real memory = 2104164352 (2006 MB)
    avail memory = 2053550080 (1958 MB)

    I want to read memory content for forensic purposes. Useful information on this topic is appreciated. Thanks a lot in advance.

    hnk
     
  2. graudeejs

    graudeejs Well-Known Member

    A stupid way to do it could be cat.

    But why do you want that?
    Are you seriously going to analyze a 2G binary file full of crap?
     
  3. kamikaze

    kamikaze New Member

    I suppose that tool tries to save the whole available memory space.
     
  4. honk

    honk New Member

    The reason for me to look at /dev/mem (or /dev/kmem, don't understand the difference currently) is this:

    http://events.ccc.de/congress/2008/Fahrplan/events/2922.en.html

    I'm using GELI for full disk encryption and I thought that finding the passphrase in memory isn't that easy:

    user@fbsd:/data# memdump > mem.dump
    memdump: Stopped on OFFT_TYPE wraparound after 0xfffff000

    user@fbsd:/data# strings mem.dump | grep passphrase
    Dec 31 00:33:29 prod kernel: Enter passphrase for ad4: verysecretpassphrase


    I'm not really happy with that. Is there a reason to find such messages (like "attention here comes the password") in memory?

    Now I'm interested in other things which can be found in the memory. Maybe there are some other people here with knowledge in forensics.

    cheers,
    Honk
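    Checking a dump for the kind of leaked prompt line honk found, as an added example that is not from this thread or from memdump: a small Python scanner that extracts printable runs the way strings(1) does, reports where a GELI passphrase prompt with a trailing secret sits (offset, device and secret length only) and redacts the secret so the image can be handed on for analysis. The sample "memory image" and its passphrase value are constructed.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample memory image: binary noise with one syslog-style line
# embedded, mirroring the line the post recovered with strings | grep.
# The passphrase value is a made-up placeholder, not real data.
SAMPLE_DUMP = (
    b"\x00\x00\xffABC\x01\x02"
    b"Dec 31 00:33:29 prod kernel: Enter passphrase for ad4: hunter2-example\n"
    b"\x00\x7f\x80unrelated text here\x00"
    b"geli: Passphrase for ad6s1 was entered\x00"
)

# The GELI prompt as it appeared in the post; group 1 is the device,
# group 2 is the secret that followed the colon.
PROMPT_RE = re.compile(rb"Enter passphrase for (\S+): (\S+)")


def printable_strings(data: bytes, min_len: int = 4) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, run) for every run of printable ASCII, like strings(1)."""
    start = None
    for i, b in enumerate(data):
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                yield start, data[start:i]
            start = None
    if start is not None and len(data) - start >= min_len:
        yield start, data[start:]


def find_leaked_prompts(data: bytes) -> List[Tuple[int, str, int]]:
    """Return (offset, device, secret_length) per leaked prompt.

    Only the secret's length is reported, so the finding can go into a
    report without copying the secret a second time.
    """
    hits = []
    for off, run in printable_strings(data):
        for m in PROMPT_RE.finditer(run):
            hits.append((off + m.start(), m.group(1).decode(), len(m.group(2))))
    return hits


def redact_prompts(data: bytes) -> bytes:
    """Overwrite each matched secret with '*' of equal length (size preserved)."""
    return PROMPT_RE.sub(
        lambda m: b"Enter passphrase for " + m.group(1) + b": " + b"*" * len(m.group(2)),
        data,
    )


if __name__ == "__main__":
    for off, dev, n in find_leaked_prompts(SAMPLE_DUMP):
        print(f"offset 0x{off:x}: passphrase for {dev} present ({n} chars)")
```

On a real image, read the dump file into `data` in place of SAMPLE_DUMP; the redacted copy keeps every offset identical so other findings still line up.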
     
  5. graudeejs

    graudeejs Well-Known Member

  6. Djn

    Djn New Member

    Of course, if someone has read access to all your memory, they can probably read any mounted volumes as well ...