Hi

I have a question.

If you dump the RAM ("internal memory") with dd to an image file, do you get everything in memory, or will something be missing?


The dd application is running in memory, so it is altering it as you dump it. You might want to look into how the open source ClamWin virus scanner handles this issue when scanning memory for viruses.

I would use RamCapturer from Belkasoft or FTK Imager; I think it has an option to extract RAM as a dd image as well.

Thanks all.
If I change my question to:

If you dump the RAM ("internal memory") with any software to an image file, do you get everything in memory, or will something be missing?

Maybe it's more clear now.

Whatever is in the RAM should be in the image afterwards, unless a corruption of some kind has occurred (which is not that uncommon). You seem interested in volatile memory, as you've asked stuff about Volatility and now RAM images. I would suggest you take a look at a book called "The Art of Memory Forensics". It is by the developers of Volatility, so the tool is used throughout the book. Moreover, the book covers RAM images of different Windows operating systems, Linux and Mac as well. It is an incredible read, and I am pretty sure if you want to get deeper in the field you would love it.

If it is Linux RAM, I don't think you can use dd to capture or image it. I think LiME may be the option if you are dealing with Linux. There are several free tools for Windows in addition to those already mentioned. Note, however, that as RAM is volatile, the footprint of the tool you use will overwrite data in RAM. As an example, if your target is 1 GB and your tool's footprint is 100 MB, you just overwrote 100 MB of potentially valuable data. Some tools have larger footprints than others. $0.02

LiME is the only decent option, yeah. The problem with Linux is that you need a profile of the exact system that you are running, and it's usually the case that you have to make that yourself (on a different machine, so the RAM that you are trying to capture doesn't get changed). The process is a bit painful, especially when it comes to Kali. But there are some premade profiles on GitHub open for download that include the most common distros, although it's been a while since they've been updated.
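To make the "is anything missing?" question concrete for a LiME capture, here is an added Python example (not code from any poster in this thread, nor from the LiME project). LiME's native "lime" format writes one 32-byte header per physical System RAM range (magic, version 1, inclusive start and end address, 8 reserved bytes), so the image itself records which physical ranges were captured and which holes (reserved or device ranges) were never part of it. The image below is constructed inline with two ranges and a hole between them; the parser assumes the version 1 header layout.

```python
import struct

LIME_MAGIC = 0x4C694D45  # "LiME"; stored little-endian, so a file starts with b"EMiL"
# magic, version, start address, end address (inclusive), reserved
HEADER = struct.Struct("<IIQQ8s")


def parse_lime(data: bytes):
    """Walk the segments of a LiME-format image; return [(start, end, payload), ...]."""
    segments = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        magic, version, start, end, _reserved = HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError(f"bad LiME header at offset {off:#x}")
        size = end - start + 1  # end address is inclusive
        off += HEADER.size
        payload = data[off:off + size]
        if len(payload) != size:  # image cut short, e.g. disk filled or capture aborted
            raise ValueError(f"segment {start:#x}-{end:#x} truncated: "
                             f"expected {size} bytes, got {len(payload)}")
        segments.append((start, end, payload))
        off += size
    return segments


def coverage_report(segments):
    """Return (bytes captured, [(gap_start, gap_end), ...]) so the holes are explicit."""
    captured = sum(end - start + 1 for start, end, _ in segments)
    gaps = []
    for (_, e1, _), (s2, _, _) in zip(segments, segments[1:]):
        if s2 > e1 + 1:
            gaps.append((e1 + 1, s2 - 1))
    return captured, gaps


def build_segment(start: int, payload: bytes) -> bytes:
    """Helper used only to construct the sample image below."""
    return HEADER.pack(LIME_MAGIC, 1, start, start + len(payload) - 1, b"\0" * 8) + payload


# Constructed sample: 4 KiB at 0x1000 and 8 KiB at 0x10000, with a hole in between.
SAMPLE_IMAGE = build_segment(0x1000, b"A" * 4096) + build_segment(0x10000, b"B" * 8192)

if __name__ == "__main__":
    segs = parse_lime(SAMPLE_IMAGE)
    captured, gaps = coverage_report(segs)
    print(f"captured {captured} bytes in {len(segs)} range(s)")
    for g_start, g_end in gaps:
        print(f"not in image: {g_start:#x}-{g_end:#x}")
```

Comparing the ranges reported here against /proc/iomem from the target shows whether every System RAM range made it into the image; a truncated last segment is the usual sign of a capture that was cut short.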

What will be the command to dump the memory of a Windows system to a certain partition with a specified name?
