Linux provides two virtual devices for this purpose, '/dev/mem' and '/dev/kmem', though many distributions disable them by default for security reasons. '/dev/mem' is linked to the physical system memory, whereas '/dev/kmem' maps to the entire virtual memory space, including any swap. Both devices work as regular files, and can be used with dd or any other file manipulation tool.

  1. dd: On Unix systems, the program dd can be used to capture the contents of physical memory using a device file (e.g. /dev/mem and /dev/kmem). In recent Linux kernels, /dev/kmem is no longer available. In even more recent kernels, /dev/mem has additional restrictions. And in the most recent, /dev/mem is no longer available by default, either. Throughout the 2.6 kernel series the trend has been to reduce direct access to memory via pseudo-device files. See, for example, the message accompanying this patch: http://lwn.net/Articles/267427/. On Red Hat systems (and derived distros such as CentOS), the crash driver can be loaded to create a pseudo-device for memory access ("modprobe crash").


    1. Second Look: This commercial memory analysis product has the ability to acquire memory from Linux systems, either locally or from a remote target via DMA or over the network. It comes with pre-compiled Physical Memory Access Driver (PMAD) modules for hundreds of kernels from the most commonly used Linux distributions.
    2. Idetect (Linux)
    3. fmem (Linux): fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. This device (physical RAM) can be copied using dd or another tool. It works on 2.6 Linux kernels and is released under the GNU GPL. Download URL: http://hysteria.cz/niekt0/
    4. Goldfish: Goldfish is a Mac OS X live forensic tool for use only by law enforcement. Its main purpose is to provide an easy to use interface to dump the system RAM of a target machine via a Firewire connection. It then automatically extracts the current user login password and any open AOL Instant Messenger conversation fragments that may be available. Law Enforcement may contact goldfish.ae for download information.
    5. GDB: GDB is also commonly available on most Linux systems. You are always advised to avoid writing over unknown memory; it can lead to system corruption.
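The acquisition workflow above (pick whichever memory pseudo-device the kernel actually exposes, then copy it with dd) as an added shell example; this is not code from the forensicswiki page. It assumes GNU coreutils (dd with status=none, sha256sum) and that the chosen device is readable, which on a live system needs root.

```shell
#!/bin/sh
# Added example: image physical memory from the first readable pseudo-device.
# Candidates in order of preference. /dev/fmem (fmem module) and /dev/crash
# (Red Hat crash driver, "modprobe crash") exist only when their module is
# loaded; /dev/mem may be restricted or absent on modern kernels.
MEM_DEVICES="/dev/fmem /dev/crash /dev/mem"

# pick_mem_device CANDIDATE...: print the first candidate that is readable.
# Takes the list as arguments so it can be exercised with ordinary files.
pick_mem_device() {
    for dev in "$@"; do
        if [ -r "$dev" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
    done
    return 1
}

# image_memory DEV OUT: copy DEV to OUT with dd. conv=noerror,sync keeps
# going past unreadable regions (reserved ranges in /dev/mem fail to read)
# and pads them with zeros so physical offsets in the image stay correct.
# A SHA-256 of the image is written beside it so the copy can be verified.
image_memory() {
    dev=$1
    out=$2
    dd if="$dev" of="$out" bs=1M conv=noerror,sync status=none || return 1
    sha256sum "$out" > "$out.sha256"
}

# Usage: sh acquire.sh --run /path/to/mem.img   (run as root on the target)
if [ "${1:-}" = "--run" ]; then
    dev=$(pick_mem_device $MEM_DEVICES) ||
        { echo "no readable memory device among: $MEM_DEVICES" >&2; exit 1; }
    image_memory "$dev" "$2"
fi
```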

linux memory dump -- http://www.forensicswiki.org/wiki/Tools:Memory_Imaging