Home / ubuntu / Questions / 147978
Accepted
nanofarad
Asked: 2012-06-08 14:47:22 +0800 CST

How can I dump all physical memory to a file?

  • 772

I am using Ubuntu 11.10, and wish to simply know whether I can dump all physical memory and swap, as due to some kernel restrictions, I can't dd /dev/mem, even as superuser.

Is there any workaround or option to allow dd'ing /dev/mem or a dedicated tool made to do this correctly?

kernel

2 Answers

  1. Best Answer

    Use fmem

    You used to be able to simply dd /dev/mem back in the day, but no longer for security reasons (since kernel 2.6, IIRC).

    The alternative is to either build the kernel yourself wih the option to let root do that (will edit with name later, on phone now) OR better, use fmem, a kernel module which creates a /dev/fmem device pretty much meant for easy dumping.

    fmem works great for me on 12.04. Just make sure you use the run.sh file included in the tarball to load the module; do not use insmod:

    $ ./run.sh
...
----Memory areas: -----
reg00: base=0x000000000 (    0MB), size= 1024MB, count=1: write-back
reg01: base=0x0c8800000 ( 3208MB), size=    2MB, count=1: write-combining
-----------------------
!!! Don't forget add "count=" to dd !!!


$ ls /dev/f*
/dev/fb0  /dev/fd0  /dev/fmem  /dev/full  /dev/fuse


$ sudo dd if=/dev/fmem of=/tmp/fmem_dump.dd bs=1MB count=10
10+0 records in
10+0 records out
10000000 bytes (10 MB) copied, 0.0331212 s, 302 MB/s
    • 7

  2. You probably can't dd your memory in modern kernels 'cause they've been reducing direct access, which is mostly used for dodgy things. The forensics wiki links a few tools that might be of interest, but there's nothing that's really been updated in the past few years. LiME seems updated though I haven't tested it yet.

    • 2