In this blog, we will look at a few ways of dumping memory. This can come in handy when you want to conduct forensics or hack around. It is also a key part of incident handling when you suspect a system has been compromised.
The utilities that will be used are easily obtained or already installed. The old-school method is to use the simple diskdupe, aka "dd". http://en.wikipedia.org/wiki/Dd_%28Unix%29
With this method, you use the Linux device /dev/mem as the input file and write the output to wherever you specify.
Note: Just make sure the target has enough space on BIG memory systems. All examples require root permission for reading the /dev/mem device.
A simple dump, example 1, using the unix dd command:
A simple dump, example 2, using the unix dd command and setting block sizes:
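A fuller acquisition routine built on the dd approach above, as an added example that is not from the original post: it checks the target for free space as the note advises, sets the block size, and records a SHA-256 of the image. The function names and the /mnt/evidence path are assumptions.

```shell
#!/bin/sh
# Added example: dd acquisition with a free-space check and a SHA-256 record.
# Function names are illustrative, not from the original post.

# enough_space DIR BYTES -> status 0 if DIR's filesystem has at least BYTES free
enough_space() {
    free_kb=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    need_kb=$(( ($2 + 1023) / 1024 ))
    [ "$free_kb" -ge "$need_kb" ]
}

# source_size SRC -> expected image size in bytes
source_size() {
    if [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        # Device node such as /dev/mem: estimate from installed RAM
        awk '/^MemTotal:/ {printf "%.0f\n", $2 * 1024}' /proc/meminfo
    fi
}

# acquire_image SRC DEST [BS] -> prints the SHA-256 of DEST
acquire_image() {
    src=$1; dest=$2; bs=${3:-4096}
    [ -r "$src" ] || { echo "cannot read $src (root is needed for /dev/mem)" >&2; return 2; }
    size=$(source_size "$src")
    enough_space "$(dirname "$dest")" "$size" \
        || { echo "not enough space for $size bytes" >&2; return 3; }
    # noerror: continue past unreadable pages
    # sync: pad short or failed reads with zeros so offsets stay aligned
    dd if="$src" of="$dest" bs="$bs" conv=noerror,sync 2>/dev/null \
        || echo "warning: dd reported read errors" >&2
    chmod 600 "$dest"    # a memory image can hold credentials and keys
    sum=$(sha256sum "$dest" | awk '{print $1}')
    printf '%s  %s\n' "$sum" "$dest" > "$dest.sha256"
    printf '%s\n' "$sum"
}

# Usage (as root; the destination path is a placeholder):
#   acquire_image /dev/mem /mnt/evidence/mem.img 1M
```

On kernels built with CONFIG_STRICT_DEVMEM, reads of RAM through /dev/mem are restricted, so the resulting image may be incomplete.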
Next we will use the memdump command, which is a simple tool to use. You just execute it and redirect the output to your file of choice.
This is ideal for users who don't want to mess with the unix dd. It's just plain simple and a one-liner command. I could teach my mother how to use this, and she's not technical by any means with a computer.
Now that you have 2 ways of dumping memory, what can we do with these dumps? The dumps can now be analyzed with memory collection or forensic tools. You can use programs like "strings" to look or trace for user details within the dumps.
One more useful tool can come in handy. The utility "gcore" does the same, but by using a process ID. Let's dump my mysql process, whose pid = 940, and write out the memory used by that pid.
You can compare the size of the output to the unix top command:
NOTE: The VIRT column is your total memory and should be near the file size of the dump we made. 1.024 x 327m = 334,848,000
And my last tip:
To be stealthy, you can run these commands against the remote server and dump the output locally using ssh. This is great if you don't want to leave any traces.
Example execution on a remote server, saving the output locally, using first memdump and then dd:
Freelance Network & Security Engineer
kfelix -a--t- socpuppets ---d--o--t--- com
=( * * )=