How can I dump all physical memory to a file?

kernel ram

Solution 1:

Use fmem

You used to be able to simply dd /dev/mem back in the day, but no longer for security reasons (since kernel 2.6, IIRC).

The alternative is to either build the kernel yourself wih the option to let root do that (will edit with name later, on phone now) OR better, use fmem, a kernel module which creates a /dev/fmem device pretty much meant for easy dumping.

fmem works great for me on 12.04. Just make sure you use the run.sh file included in the tarball to load the module; do not use insmod:

$ ./run.sh
...
----Memory areas: -----
reg00: base=0x000000000 (    0MB), size= 1024MB, count=1: write-back
reg01: base=0x0c8800000 ( 3208MB), size=    2MB, count=1: write-combining
-----------------------
!!! Don't forget add "count=" to dd !!!


$ ls /dev/f*
/dev/fb0  /dev/fd0  /dev/fmem  /dev/full  /dev/fuse


$ sudo dd if=/dev/fmem of=/tmp/fmem_dump.dd bs=1MB count=10
10+0 records in
10+0 records out
10000000 bytes (10 MB) copied, 0.0331212 s, 302 MB/s

Solution 2:

You probably can't dd your memory in modern kernels 'cause they've been reducing direct access, which is mostly used for dodgy things. The forensics wiki links a few tools that might be of interest, but there's nothing that's really been updated in the past few years. LiME seems updated though I haven't tested it yet.

Related

How to create a local webapp userscript
How do I make a custom right click command for nautilus? [duplicate]
How do I pause/resume download and install from terminal?
Ctrl+Alt+[Left/Right] not working in Ubuntu in VMWare
How can I beat Rainbow Summit?
Hidden crashed ship?
How do I navigate the lost woods?
Fire Emblem Awakening: Do paired units proc "to all allies" abilities with their mate?
How can I make a power rail inactive when it's next to an active one?
How can I set Discord to always show a custom message without it being overwritten when I launch a game? [duplicate]
Harpy stalemate
How to check if a spawner is broken in Minecraft 1.14?