# How to dump memory (/dev/mem)?



## honk (Dec 28, 2008)

Hi,

can someone tell me why memdump (from /usr/ports/sysutils) produces 4GByte files on a system with 2GB RAM (physically, no swap configured). Also what's the difference between "dd if=/dev/mem..." /dev/kmem and memdump?

# dmesg | grep memor
real memory  = 2104164352 (2006 MB)
avail memory = 2053550080 (1958 MB)

I want to read memory content for forensic purposes. Useful informations on this topic appreciated. Thanks a lot in advance.

hnk


----------



## graudeejs (Dec 28, 2008)

a stupid way to do it could be cat

But why do you want that?
Are you seriously going to analyze 2G binary file full or crap?


----------



## kamikaze (Dec 28, 2008)

I suppose that tool tries to safe the whole available memory space.


----------



## honk (Dec 31, 2008)

The reason for me to look at /dev/mem (or /dev/kmem, don't understand the difference currently) is this:

http://events.ccc.de/congress/2008/Fahrplan/events/2922.en.html

I'm using GELI for full disk encryption and I tought, that finding the passphrase in memory isn't that easy:

_user@fbsd:/data# memdump > mem.dump
memdump: Stopped on OFFT_TYPE wraparound after 0xfffff000

user@fbsd:/data# strings mem.dump | grep passphrase
Dec 31 00:33:29 prod kernel: Enter passphrase for ad4: verysecretpassphrase_

I'm not really happy with that. Is there a reason to find such messages (like "attention here comes the password") in memory?

Now I'm interested in other things which can be found in the memory. Maybe there are some other peoples here with knowledge in forensics.

cheers,
Honk


----------



## graudeejs (Dec 31, 2008)

Hackers Disassembling Uncovered by Kriss Kasperky
http://softpro.stores.yahoo.net/1-931769-64-8.html

also
http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/

they bough ain't directly related, but gives some interesting ideas about what you're interested (i think)

anyway posting them wont hurt


----------



## Djn (Jan 1, 2009)

Of course, if someone has read access to all your memory, they can probably read any mounted volumes as well ...


----------

