How to Dump Linux Memory

Updated March 23, 2017

A Linux computer's memory contents can be dumped to disk and examined for educational or forensic purposes. Linux provides two virtual devices for this purpose, /dev/mem and /dev/kmem, though many distributions disable them by default for security reasons. /dev/mem is linked to the physical system memory, whereas /dev/kmem maps to the entire virtual memory space, including any swap. Both devices work as regular files and can be used with dd or any other file manipulation tool.

Recompile the kernel and enable the /dev/mem and /dev/kmem devices, if necessary. Many modern distributions disable them, or at least disable kmem, as many rootkits install themselves via /dev/kmem and it has few other uses besides kernel programming education and research. Recompile with CONFIG_DEVKMEM set to "y" to enable /dev/kmem. Be sure to understand the security implications of what you're doing to your system.

Acquire root privileges. You can either log in as root, or use the su command to become root. Having access to the complete contents of system memory raises obvious security issues, since the contents contain the state of all running programs, so access is restricted to the superuser.

Dump the memory contents to disk using "dd". Other similar utilities can be used, as well. A command like "dd if=/dev/kmem of=/root/kmem" will copy virtual memory contents to the regular file /root/kmem. Make sure you have enough free disk space to hold the copy.
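
The checks implied by the steps above, gathered into a read-only shell report; this is an added example, not part of the original article. The function names, the /boot/config-$(uname -r) location and the use of MemTotal as a size estimate for a /dev/mem copy are assumptions.

```shell
#!/bin/sh
# Added example: read-only pre-flight checks before copying memory with dd.

# kconfig_state OPTION FILE -> y, m, n, absent or unknown (config not readable)
kconfig_state() {
    [ -r "$2" ] || { echo unknown; return 0; }
    if grep -q "^# $1 is not set" "$2"; then echo n; return 0; fi
    val=$(sed -n "s/^$1=\(.*\)$/\1/p" "$2" | tail -n 1)
    echo "${val:-absent}"
}

# device_state PATH -> missing, not-chardev, unreadable or readable
device_state() {
    [ -e "$1" ] || { echo missing; return 0; }
    [ -c "$1" ] || { echo not-chardev; return 0; }
    [ -r "$1" ] || { echo unreadable; return 0; }
    echo readable
}

# mem_total_kib [FILE] -> MemTotal in KiB, read from /proc/meminfo by default
mem_total_kib() {
    awk '/^MemTotal:/ {print $2}' "${1:-/proc/meminfo}"
}

# fits NEEDED_KIB DIR -> succeeds when DIR's filesystem has NEEDED_KIB free
fits() {
    avail=$(df -Pk "$2" | awk 'NR==2 {print $4}')
    [ -n "$avail" ] && [ "$avail" -ge "$1" ]
}

# preflight [OUT_DIR] -> prints a report; changes nothing on the system
preflight() {
    out_dir=${1:-/root}
    # Assumption: the running kernel's config is at /boot/config-<release>.
    cfg="/boot/config-$(uname -r)"
    echo "uid: $(id -u) (0 is needed to read the devices)"
    echo "CONFIG_DEVKMEM: $(kconfig_state CONFIG_DEVKMEM "$cfg")"
    for dev in /dev/mem /dev/kmem; do
        echo "$dev: $(device_state "$dev")"
    done
    # Assumption: MemTotal approximates the size of a /dev/mem copy.
    if fits "$(mem_total_kib)" "$out_dir"; then
        echo "space in $out_dir: enough"
    else
        echo "space in $out_dir: NOT enough"
    fi
}

# Run the report only when asked, e.g.: sh preflight.sh --run /root
if [ "${1:-}" = "--run" ]; then preflight "${2:-/root}"; fi
```

A result of "n" or "absent" for CONFIG_DEVKMEM together with "missing" for /dev/kmem is the hardened default the article describes; anything else on a production host is worth investigating.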


Consider using kgdb instead of dumping memory. This is an extension of gdb, the GNU debugger, to work with the Linux kernel. It gives you many more options and much more flexibility than just examining a dump file directly. /dev/kcore provides the contents of memory as a core-format file.


Enabling /dev/kmem on your system opens up a security vulnerability; many rootkits are known to use /dev/kmem as their installation vector. Make sure your computer is adequately secured from the Internet before attempting this. Writing to /dev/mem or /dev/kmem will overwrite random and probably important system memory, likely leading to a system crash and possibly destroying data on your hard drive.

Things You'll Need

  • Computer running Linux