How to dump memory (/dev/mem)?

honk

Active Member

Reaction score: 18
Messages: 144

Hi,

can someone tell me why memdump (from /usr/ports/sysutils) produces 4GByte files on a system with 2GB RAM (physically, no swap configured). Also what's the difference between "dd if=/dev/mem..." /dev/kmem and memdump?

# dmesg | grep memor
real memory = 2104164352 (2006 MB)
avail memory = 2053550080 (1958 MB)

I want to read memory content for forensic purposes. Useful informations on this topic appreciated. Thanks a lot in advance.

hnk
 

graudeejs

Son of Beastie

Reaction score: 692
Messages: 4,615

a stupid way to do it could be cat

But why do you want that?
Are you seriously going to analyze 2G binary file full or crap?
 

kamikaze

Well-Known Member

Reaction score: 73
Messages: 365

I suppose that tool tries to safe the whole available memory space.
 
OP
OP
H

honk

Active Member

Reaction score: 18
Messages: 144

The reason for me to look at /dev/mem (or /dev/kmem, don't understand the difference currently) is this:

http://events.ccc.de/congress/2008/Fahrplan/events/2922.en.html

I'm using GELI for full disk encryption and I tought, that finding the passphrase in memory isn't that easy:

user@fbsd:/data# memdump > mem.dump
memdump: Stopped on OFFT_TYPE wraparound after 0xfffff000

user@fbsd:/data# strings mem.dump | grep passphrase
Dec 31 00:33:29 prod kernel: Enter passphrase for ad4: verysecretpassphrase


I'm not really happy with that. Is there a reason to find such messages (like "attention here comes the password") in memory?

Now I'm interested in other things which can be found in the memory. Maybe there are some other peoples here with knowledge in forensics.

cheers,
Honk
 

Djn

Well-Known Member

Reaction score: 67
Messages: 392

Of course, if someone has read access to all your memory, they can probably read any mounted volumes as well ...
 
Top