Friday, July 25, 2014

How to dump memory on Linux systems

In this blog, we will look at a few ways of dumping memory. This comes in handy when you are doing forensics or just hacking around, and it is also a key part of incident handling when you suspect a system has been compromised.

The utilities used here are easy to obtain or already installed. The old-school method is the simple "diskdupe", aka "dd".

With this method, you use the Linux device /dev/mem as the input file and write the output wherever you specify.

Note: just make sure the target has enough space on BIG-memory systems. All examples require root permission to read the /dev/mem device.

A simple dump, example 1, using the unix dd command:

A simple dump, example 2, with the unix dd and setting block sizes:

Next we will use the memdump command; this is a simple tool to use. It requires just execution, and you can redirect the output to the file of your choice.

This is ideal for users who don't want to mess with the unix dd. It's plain and simple, a one-liner command. I could teach my mother how to use this, and she's not technical by any means with a computer. Now you have two ways of dumping memory.

Now what can we do with these dumps? They can be analyzed by memory-analysis or forensic tools. You can use programs like "strings" to look or trace for user details within the dumps.

One more useful tool that can come in handy: the utility "gcore" does the same, but for a single process, selected by process ID. Let's dump my mysql process and write out the memory used by that pid; here the pid = 940.

You can compare the size of the output to the unix top command:

NOTE: the VIRT column is the process's total memory and should be near the file size of the dump we made: 1.024 x 327m = 334,848,000

And my last tip:

To be stealthy, you can run these commands against the remote server and dump the output locally over ssh, which is great if you don't want to leave any traces.

Example execution on a remote server, saving the output locally, using first memdump and then dd:
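The screenshots are not reproduced here, so as an added example (my own, not the post's original commands) here is a small script that wraps all three methods from this post: dd against /dev/mem, memdump and dd over ssh, and gcore for one pid, plus a helper that turns top's VIRT value into bytes so you can do the size comparison above. The host name, output paths and the pid 940 are placeholders; the top listing is constructed, and the acquisition functions assume root on the target.

```bash
#!/bin/bash
# Added example wrapping the methods described in the post.
# Caveat: on kernels built with CONFIG_STRICT_DEVMEM, reads of /dev/mem above
# the first megabyte fail with EPERM, so check the result, not just the exit code.
set -u

# 1) Full physical memory with dd, explicit block size, keep going on read errors.
dump_dev_mem() {   # usage: dump_dev_mem /evidence/mem.img [blocksize]
    dd if=/dev/mem of="$1" bs="${2:-1M}" conv=noerror,sync
}

# 2) Acquire over ssh and write only on the analyst side (nothing lands on the target disk).
remote_memdump() { # usage: remote_memdump root@target /evidence/mem.img
    ssh "$1" 'memdump' > "$2"
}
remote_dd() {      # usage: remote_dd root@target /evidence/mem.img
    ssh "$1" 'dd if=/dev/mem bs=1M conv=noerror,sync' > "$2"
}

# 3) One process only, via gcore (ships with gdb); writes <prefix>.<pid>.
dump_pid() {       # usage: dump_pid 940 /evidence/mysqld-core
    gcore -o "$2" "$1"
}

# Convert top's VIRT field (327m, 1.2g, or plain KiB) to bytes for comparison with `ls -l`.
virt_to_bytes() {
    case $1 in
        *g) awk -v n="${1%g}" 'BEGIN { printf "%d", n * 1024 * 1024 * 1024 }' ;;
        *m) awk -v n="${1%m}" 'BEGIN { printf "%d", n * 1024 * 1024 }' ;;
        *)  awk -v n="$1"     'BEGIN { printf "%d", n * 1024 }' ;;
    esac
}

# Pull the VIRT column (5th field) for a pid out of `top -b -n 1` output read from stdin.
virt_of_pid() {    # usage: top -b -n 1 | virt_of_pid 940
    awk -v p="$1" '$1 == p { print $5 }'
}

# Constructed sample of what `top -b -n 1` prints, for an offline dry run.
SAMPLE_TOP='  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
  940 mysql     20   0  327m  45m 5672 S  0.0  2.3  0:05.11 mysqld
 1201 root      20   0 24012 1980 1420 S  0.0  0.1  0:00.04 sshd'

# Dry run: expected byte size of the gcore file for pid 940 from the sample listing.
expected_core_bytes() {
    virt_to_bytes "$(printf '%s\n' "$SAMPLE_TOP" | virt_of_pid 940)"
}
```

After `dump_pid 940 /evidence/mysqld-core`, compare `stat -c %s /evidence/mysqld-core.940` with `expected_core_bytes`; the two should be close, not identical, because VIRT counts mapped regions that gcore may not write out.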


 Ken Felix
 Freelance Network & Security Engineer
 kfelix -a--t- socpuppets ---d--o--t--- com

   ^      ^
=( *   * )=
     /  \
