[Crash-utility] DD image

Dave Anderson anderson at redhat.com
Tue Apr 12 20:05:19 UTC 2011


----- Original Message -----
> Hi ,
> 
> 
> Recently, some forensic research suggested utilizing the Crash
> utility as an independent solution to parse a Linux memory dump in order to
> extract forensic artifacts. But in real forensic cases where there is a
> need for minimizing the footprint on the compromised system, the
> forensic analyst would perform only one action, which is physical
> memory capture with dd to minimize the footprint. I just wonder if
> there is any chance that the Crash utility would support a dd image.
> 
> Thanks,
> Amer

Certainly there is no support for such a raw dumpfile format.

But I don't really understand what you mean by saying that the
use of dd "would minimize the footprint"?  I presume that you
are asking whether you could do something like this on a live
system?:

  $ dd if=/dev/mem of=memory-image
  $ crash vmlinux memory-image

Theoretically it could be done, presuming that the read_mem()
function in the /dev/mem driver would never fail until it reached
the end of physical memory, i.e., would create an exact page-by-page
copy of all physical pages from 0 to the end of physical memory.

But if that's the case, and you can run crash on the system that
you want to dump, try the "snap.so" extension module that comes
with the crash utility source package.  It creates a dumpfile
while running on a live system, in an ELF format that crash
understands.

Dave
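A check an analyst could run on the imaged system before feeding a raw dd image to crash, added here as an example that is not part of this thread or of the crash utility: it takes the "System RAM" ranges from a /proc/iomem listing (a constructed sample is embedded) and reports whether a flat image could be the exact 0-to-end-of-RAM, page-by-page copy that Dave describes, or whether reserved/PCI holes break that assumption.

```python
# Added example, not code from the crash project or this mailing list thread.
# A flat dd-style image only maps 1:1 onto physical addresses if every page from
# 0 to the end of RAM is present; holes in the physical map (where read_mem()
# would fail) shift everything after them and leave crash with wrong addresses.
import re

PAGE_SIZE = 4096

# Constructed sample in /proc/iomem format (hex, inclusive end addresses);
# it is not taken from a real system.
SAMPLE_IOMEM = """\
00000000-00000fff : Reserved
00001000-0009fbff : System RAM
0009fc00-0009ffff : Reserved
000a0000-000bffff : PCI Bus 0000:00
000f0000-000fffff : Reserved
00100000-bffdffff : System RAM
  01000000-01a00000 : Kernel code
bffe0000-bfffffff : Reserved
fee00000-fee00fff : Local APIC
100000000-13fffffff : System RAM
"""

_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) : (.*)$")

def system_ram_ranges(iomem_text):
    """Return top-level 'System RAM' ranges as (start, end_exclusive) tuples."""
    ranges = []
    for line in iomem_text.splitlines():
        if line.startswith(" "):          # nested entry (e.g. Kernel code), skip
            continue
        m = _LINE.match(line)
        if m and m.group(3) == "System RAM":
            ranges.append((int(m.group(1), 16), int(m.group(2), 16) + 1))
    return ranges

def flat_image_report(ranges, image_size):
    """Describe how a flat image of image_size bytes relates to the RAM layout."""
    ranges = sorted(ranges)
    end_of_ram = ranges[-1][1]                       # address crash would expect the image to reach
    ram_bytes = sum(e - s for s, e in ranges)        # bytes dd could actually read
    holes = [(pe, s) for (_, pe), (s, _) in zip(ranges, ranges[1:]) if s > pe]
    if ranges[0][0] > 0:                             # RAM does not start at address 0
        holes.insert(0, (0, ranges[0][0]))
    return {
        "end_of_ram": end_of_ram,
        "ram_bytes": ram_bytes,
        "holes": holes,                              # each hole breaks the 1:1 address mapping
        "page_aligned": image_size % PAGE_SIZE == 0,
        "covers_to_end": image_size == end_of_ram,   # the only case a flat image is exact
        "ram_only_size": image_size == ram_bytes,    # typical dd result: holes skipped, offsets shifted
    }
```

Run `flat_image_report(system_ram_ranges(open("/proc/iomem").read(), os.path.getsize("memory-image"))` on the capturing host to see which case a given image falls into.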
