How to dump volatile memory of a Linux machine?

Priceless data in case of attack!


Properly making a copy of the RAM of a Linux machine can be fundamental for forensic analysis after a cyberattack: as with data on disk, data in memory may contain valuable information, and it can be saved using tools already present in the operating system.

Linux provides two virtual devices for this purpose, /dev/mem (mapped to the physical system memory) and /dev/kmem (mapped to the entire virtual memory space, including the swap), but in many distributions they are disabled for security reasons.

On recent Linux systems, /dev/mem provides access only to a restricted range of addresses, rather than the full physical memory of a system. On other systems it may not be available at all. Throughout the 2.6 series of the Linux kernel, the trend was to reduce direct access to memory via pseudo-device files.

On Red Hat systems (and derived distributions such as CentOS), the crash kernel module, which provides the /dev/crash pseudo-device, can be loaded with the command

modprobe crash

and the device can then be used to access the memory.

On other distributions with 2.6 kernels, the fmem module can be used instead; it creates the device /dev/fmem, similar to /dev/mem but without its limitations.

Once the pseudo-device is enabled, the memory dump can be performed with a command such as:

sudo dd if=/dev/fmem of=/tmp/memory.raw bs=1MB

Next, the dump can be analyzed using Volatility.
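As an added example (not the article's own code), a small POSIX shell script that ties these steps together: it picks the first pseudo-device present from the candidates named above, sizes the dd read from MemTotal in /proc/meminfo instead of reading until an error, and records a SHA-256 hash of the image for chain of custody. The 64 MiB safety margin, the conv=noerror,sync handling of unreadable regions, and the output layout are assumptions of this example, not something the article specifies.

```shell
#!/bin/sh
# Added example, not from the original article: acquire a physical memory
# image from whichever pseudo-device is available, sized from MemTotal, and
# hash it so the image can later be shown to be unmodified.

# Return the first candidate that exists as a character device, in the
# article's order of preference: /dev/crash (Red Hat), /dev/fmem (fmem
# module), then the possibly restricted /dev/mem.
pick_mem_device() {
    for dev in "$@"; do
        [ -c "$dev" ] && { echo "$dev"; return 0; }
    done
    return 1
}

# Number of 1 MiB blocks needed to cover MemTotal (given in kB, as in
# /proc/meminfo), rounded up, plus a margin for reserved regions above the
# last usable page. Assumption: 64 MiB of margin is enough; unreadable holes
# are tolerated by conv=noerror,sync in dump_memory below.
dump_block_count() {
    memtotal_kb=$1
    echo $(( (memtotal_kb + 1023) / 1024 + 64 ))
}

# Extract the MemTotal value (kB) from /proc/meminfo-style text on stdin.
memtotal_kb_from_meminfo() {
    awk '/^MemTotal:/ { print $2; exit }'
}

# Copy the device into the image file $2 and write $2.sha256 beside it.
# Must run as root once the pseudo-device has been enabled as described above.
dump_memory() {
    dev=$1; out=$2
    count=$(dump_block_count "$(memtotal_kb_from_meminfo < /proc/meminfo)")
    dd if="$dev" of="$out" bs=1M count="$count" conv=noerror,sync || return 1
    sha256sum "$out" > "$out.sha256"
}

# Usage:
#   dev=$(pick_mem_device /dev/crash /dev/fmem /dev/mem) \
#       && dump_memory "$dev" /tmp/memory.raw
```

The resulting /tmp/memory.raw can be handed to Volatility as described above, and the .sha256 file lets an analyst verify the image has not changed since acquisition.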
