DUMPING RAM

What is the perfect way to capture a running system? Get a copy of what is in RAM. This allows you to exactly recreate the state of a machine. Okay, not exactly, but close enough for our investigative purposes. Some recently released tools such as Volatility make acquiring RAM images particularly useful. Getting these images today isn’t necessarily easy, however.

Many years ago, when computers had a gigabyte or less of RAM, it was very easy to acquire a memory image in Linux. Part of the reason for this is that the Linux “everything is a file” philosophy also applied to RAM. The device /dev/mem represented all of the physical RAM. This device still exists today, but it is only capable of accessing the first 896 MB of physical RAM.

Virtual memory (physical RAM plus memory swapped to disk) was accessible via the /dev/kmem device. It didn’t take very long for the worldwide Linux community to figure out that having a userland (non-kernel, unprivileged mode) device that could access all memory was a huge security hole. Today /dev/kmem has been removed. Alternative means of capturing memory images are now required.
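Before choosing an acquisition method it helps to know how much of the machine's RAM actually sits below the 896 MB ceiling described above. The following is an added example, not code from the book: it parses the kernel's /proc/iomem map (top-level "System RAM" lines, with nested kernel code/data sub-regions skipped) and reports how many bytes a /dev/mem-based dump could reach. The /proc/iomem text embedded here is a constructed sample, not a capture from a real host.

```python
import os
import re
from typing import List, Tuple

# Constructed sample of /proc/iomem (not from a real machine): a 4 GiB box
# with the usual hole below 4 GiB, so the last region lies above 4 GiB.
SAMPLE_IOMEM = """\
00000000-00000fff : Reserved
00001000-0009fbff : System RAM
000a0000-000fffff : Reserved
  000f0000-000fffff : System ROM
00100000-bffdffff : System RAM
  01000000-01c00a5a : Kernel code
  01c00a5b-0244c7ff : Kernel data
bffe0000-bfffffff : Reserved
100000000-13fffffff : System RAM
"""

LOW_MEM_LIMIT = 896 * 1024 * 1024  # /dev/mem ceiling stated in the text

LINE_RE = re.compile(r"^(\s*)([0-9a-fA-F]+)-([0-9a-fA-F]+) : (.*)$")


def parse_system_ram(text: str) -> List[Tuple[int, int]]:
    """Return (start, end_inclusive) for top-level 'System RAM' regions.
    Indented lines are sub-regions inside a parent region; skipping them
    avoids counting the same physical pages twice."""
    regions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indent, start, end, name = m.groups()
        if indent or name.strip() != "System RAM":
            continue
        regions.append((int(start, 16), int(end, 16)))
    return regions


def total_ram(regions: List[Tuple[int, int]]) -> int:
    return sum(end - start + 1 for start, end in regions)


def ram_below_limit(regions: List[Tuple[int, int]], limit: int = LOW_MEM_LIMIT) -> int:
    """Bytes of System RAM below `limit`, i.e. what /dev/mem could reach."""
    return sum(max(0, min(end + 1, limit) - start) for start, end in regions)


if __name__ == "__main__":
    # Real /proc/iomem shows all-zero addresses to non-root users; fall back
    # to the sample so the report is meaningful when run unprivileged.
    text = open("/proc/iomem").read() if os.geteuid() == 0 else SAMPLE_IOMEM
    regs = parse_system_ram(text)
    print(f"System RAM: {total_ram(regs)} bytes in {len(regs)} regions")
    print(f"Reachable via /dev/mem (<896 MB): {ram_below_limit(regs)} bytes")
```

On the sample map only about 896 MB of the 4 GiB is reachable; the rest would need one of the alternative acquisition methods covered later.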
