Linux provides two virtual devices for this purpose, '/dev/mem' and '/dev/kmem', though many distributions disable them by default for security reasons. '/dev/mem' is linked to the physical system memory, whereas '/dev/kmem' maps to the entire virtual memory space, including any swap. Both devices work as regular files, and can be used with dd or any other file manipulation too

  1. dd On Unix systems, the program dd can be used to capture the contents of physical memory using a device file (e.g. /dev/mem and /dev/kmem). In recent Linux kernels, /dev/kmem is no longer available. In even more recent kernels, /dev/mem has additional restrictions. And in the most recent, /dev/mem is no longer available by default, either. Throughout the 2.6 kernel series the trend has been to reduce direct access to memory via pseudo-device files. See, for example, the message accompanying this patch:http://lwn.net/Articles/267427/. On Red Hat systems (and derived distros such as CentOS), the crash driver can be loaded to create a pseudo-device for memory access ("modprobe crash").

l.

    1. Second Look This commercial memory analysis product has the ability to acquire memory from Linux systems, either locally or from a remote target via DMA or over the network. It comes with pre-compiled Physical Memory Access Driver (PMAD) modules for hundreds of kernels from the most commonly used Linux distributions.
    2. Idetect (Linux)
    3. fmem (Linux)
      fmem is kernel module, that creates device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or other tool. Works on 2.6 Linux kernels. Under GNU GPL. download url http://hysteria.cz/niekt0/
    4. Goldfish
      Goldfish is a Mac OS X live forensic tool for use only by law enforcement. Its main purpose is to provide an easy to use interface to dump the system RAM of a target machine via a Firewire connection. It then automatically extracts the current user login password and any open AOL Instant Messenger conversation fragments that may be available. Law Enforcement may contact goldfish.ae for download information.
      1. There is also GDB commonly available on most Linuxes.
        And, you are always advised to avoid writing over unknown memory -- it can lead to system corruption.

linux memory dump--http://www.forensicswiki.org/wiki/Tools:Memory_Imaging的更多相关文章

  1. 【转】 Linux Core Dump 介绍

    ===============================================================  Linux core dump的祥细介绍和使用 =========== ...

  2. Visual Studio 2013 新功能 Memory Dump 分析器

    本文为 Dennis Gao 原创技术文章,发表于博客园博客,未经作者本人允许禁止任何形式的转载. TechEd2013 发现新功能 12月5日和6日,在国家会议中心参加了微软的 TechEd2013 ...

  3. Memory Dump 分析器

    Visual Studio 2013 新功能 Memory Dump 分析器   TechEd2013 发现新功能 12月5日和6日,在国家会议中心参加了微软的 TechEd2013 技术大会,了解了 ...

  4. Responder Pro new version could analyze Win10 memory dump

    My friend John acquired a memory dump from Windows 10, but he could analyze this memory dump with an ...

  5. qualcomm memory dump 抓取方法

    Memory dump是系统出现crash时常用的分析故障原因的方法,qualcomm 各子系统运行时,为方便debug,都会开辟ram log和debug variable用于保存各系统运行信息及健 ...

  6. How do I find what queries were executing in a SQL memory dump?-----stack

     https://blogs.msdn.microsoft.com/askjay/2010/10/03/how-do-i-find-what-queries-were-executing-in-a-s ...

  7. Linux core dump file详解

    Linux core dump file详解 http://www.cnblogs.com/langqi250/archive/2013/03/05/2944931.html

  8. 利用 Memory Dump Diagnostic for Java (MDD4J) 分析内存管理问题

    利用 Memory Dump Diagnostic for Java (MDD4J) 分析内存管理问题(2) 启动和理解 MDD4J[size=1.0625]为了充分理解如何使用 MDD4J,您需要了 ...

  9. Linux(CentOS 7)命令行模式安装VMware Tools 详解

    本篇文章主要介绍了如何在Linux(CentOS 7)命令行模式安装VMware Tools,具有一定的参考价值,感兴趣的小伙伴们可以参考一下. 本例中为在Linux(以CentOS 7为例)安装VM ...

随机推荐

  1. Linux基础回想(1)——Linux系统概述

    1. 什么是操作系统?它与硬件以及其它软件之间的关系是如何的? 操作系统是控制和管理计算机系统内各种硬件和软件资源.有效组织多道程序执行的系统软件(或程序集合),是用户和计算机之间的接口.详细的说: ...

  2. 关于quartus ii软件中注释乱码问题的解决方法

    乱码现象: 解决办法: 打开文件所在工程找到该verilog文件(后缀名是.v),使用记事本打开,这时你会看到注释好好的没乱码,很高兴是不,不用着急.接下来点击文件再另存为,选择编码:UTF-8,点保 ...

  3. js计算两个时间相差天数

     //两个时间相差天数 兼容firefox chrome    function datedifference(sDate1, sDate2) {    //sDate1和sDate2是2006-12 ...

  4. Stream(流)的基本操作

    //把流转化为文件  public static void StreamToFile(Stream stream, string filepath)        {            byte[ ...

  5. 最全Java学习路线图——Java学习指南

    准备篇 适用/适合人群:适合基础小白 目标:掌握JavaSE. ●技术点小节: 1.开发工具的安装配置的介绍 2.JDK安装 3.DOS环境编程 4.Eclipse的安装使用 ●JAVA基础 1.基本 ...

  6. opencv移植到ubuntu

    原创博文,转载请标明出处--周学伟http://www.cnblogs.com/zxouxuewei/ OpenCV 2.2以后版本需要使用Cmake生成makefile文件,因此需要先安装cmake ...

  7. ubuntu 安装source insight

    1. 首先安装wine sudo apt-get install wine 2.下载source insight 安装包(.exe) 3,将安装包放到已知的目录下. 4.在终端进行安装,wine Si ...

  8. 浅谈无缓存I/O操作和标准I/O文件操作差别

    首先,先略微了解系统调用的概念:        系统调用,英文名system call,每一个操作系统都在内核里有一些内建的函数库,这些函数能够用来完毕一些系统系统调用把应用程序的请求传给内核,调用对 ...

  9. Hash表(hash table ,又名散列表)

    直接进去主题好了. 什么是哈希表? 哈希表(Hash table,也叫散列表),是根据key而直接进行访问的数据结构.也就是说,它通过把key映射到表中一个位置来访问记录,以加快查找的速度.这个映射函 ...

  10. 怎么下载tomcat的其他版本

    下载地址: http://archive.apache.org/dist/tomcat/ 里面包含tomcat的各个版本,windows版本.linux版本,tomcat7.0.x等.