How to Dump Linux Memory


The contents of a Linux computer's memory can be dumped to disk and examined for educational or forensic purposes. Linux provides two virtual devices for this purpose, /dev/mem and /dev/kmem, though many distributions disable them by default for security reasons. /dev/mem is linked to the physical system memory, whereas /dev/kmem maps to the entire virtual memory space, including any swap. Both devices behave like regular files and can be read with dd or any other file-manipulation tool.

Recompile the kernel and enable the /dev/mem and /dev/kmem devices, if necessary. Many modern distributions disable them, or at least disable kmem, as many rootkits install themselves via /dev/kmem and it has few other uses besides kernel programming education and research. Recompile with CONFIG_DEVKMEM set to "y" to enable /dev/kmem. Be sure to understand the security implications of what you're doing to your system.

Acquire root privileges. You can either log in as root, or use the su command to become root. Having access to the complete contents of system memory raises obvious security issues, since the contents contain the state of all running programs, so access is restricted to the superuser.

Dump the memory contents to disk using dd (other similar utilities can be used as well). A command like "dd if=/dev/kmem of=/root/kmem" will copy the virtual memory contents to the regular file /root/kmem. Make sure you have enough free disk space to hold the copy.
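The three steps above, wrapped in a preflight script so the dd run fails early instead of half-way through. This is an added example, not part of the original article: the helper names are ours, the kernel config is assumed to live at /boot/config-$(uname -r), and a SHA-256 of the dump is recorded so the copy can later be shown to be unmodified.

```shell
#!/bin/sh
# Added example: preflight checks for dumping memory with dd.
# Assumes the built kernel config is at /boot/config-$(uname -r) (distro-dependent).

# Step 1: was the running kernel built with CONFIG_DEVKMEM=y?
# Takes the config file path so it can be tested against a constructed file.
kmem_enabled_in_config() {
    [ -r "$1" ] && grep -qx 'CONFIG_DEVKMEM=y' "$1"
}

# The memory devices must exist as character devices; a plain file at the
# same path (or nothing at all) means the kernel does not expose them.
is_memory_device() {
    [ -c "$1" ]
}

# Free space in KiB on the filesystem that will hold the dump.
free_kib() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Step 2 and 3: require root, require the device, require room for the copy,
# then run the article's dd command and hash the result.
dump_memory() {
    dev="$1"; out="$2"
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    is_memory_device "$dev" || { echo "$dev not available; kernel may have it disabled" >&2; return 1; }
    # MemTotal is an upper bound on what a physical dump can yield.
    need_kib=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    have_kib=$(free_kib "$(dirname "$out")")
    [ "$have_kib" -ge "$need_kib" ] || { echo "need ${need_kib} KiB free, have ${have_kib} KiB" >&2; return 1; }
    dd if="$dev" of="$out" bs=1M && sha256sum "$out" > "$out.sha256"
}

# Usage: sh dumpmem.sh run /dev/kmem /root/kmem
case "${1:-}" in
    run) dump_memory "${2:-/dev/kmem}" "${3:-/root/kmem}" ;;
esac
```

Without the "run" argument the script only defines the functions, so it can be sourced and the checks invoked one at a time.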
