How to mount a dd-image which was created via fmem (memory dump tool)











up vote
2
down vote

favorite
1












I've used the tool fmem for creating a memory dump dd-file. That works fine.



But how can I access this image? I've tried it with mount but it says I have to specify a filesystem. But non of the given possibilities works (ext4, vfat etc).






mount memory dump







share|improve this question
























  • What does the command file dd-file say about this file? Also try tune2fs -l dd-file as well as fdisk -l dd-file.
    – slm
    Jun 8 '14 at 19:35








  • 1




    I would try sudo mount -o loop -t auto dd-file /mnt.
    – slm
    Jun 8 '14 at 19:41















up vote
2
down vote

favorite
1












I've used the tool fmem for creating a memory dump dd-file. That works fine.



But how can I access this image? I've tried it with mount but it says I have to specify a filesystem. But non of the given possibilities works (ext4, vfat etc).






mount memory dump







share|improve this question
























  • What does the command file dd-file say about this file? Also try tune2fs -l dd-file as well as fdisk -l dd-file.
    – slm
    Jun 8 '14 at 19:35








  • 1




    I would try sudo mount -o loop -t auto dd-file /mnt.
    – slm
    Jun 8 '14 at 19:41













up vote
2
down vote

favorite
1









up vote
2
down vote

favorite
1






1





I've used the tool fmem for creating a memory dump dd-file. That works fine.



But how can I access this image? I've tried it with mount but it says I have to specify a filesystem. But non of the given possibilities works (ext4, vfat etc).






mount memory dump







share|improve this question















I've used the tool fmem for creating a memory dump dd-file. That works fine.



But how can I access this image? I've tried it with mount but it says I have to specify a filesystem. But non of the given possibilities works (ext4, vfat etc).






mount memory dump




mount memory dump






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 24 at 20:36









Rui F Ribeiro

38.3k1476127




38.3k1476127










asked Jun 8 '14 at 18:29









Dee

1112




1112












  • What does the command file dd-file say about this file? Also try tune2fs -l dd-file as well as fdisk -l dd-file.
    – slm
    Jun 8 '14 at 19:35








  • 1




    I would try sudo mount -o loop -t auto dd-file /mnt.
    – slm
    Jun 8 '14 at 19:41


















  • What does the command file dd-file say about this file? Also try tune2fs -l dd-file as well as fdisk -l dd-file.
    – slm
    Jun 8 '14 at 19:35








  • 1




    I would try sudo mount -o loop -t auto dd-file /mnt.
    – slm
    Jun 8 '14 at 19:41
















What does the command file dd-file say about this file? Also try tune2fs -l dd-file as well as fdisk -l dd-file.
– slm
Jun 8 '14 at 19:35






What does the command file dd-file say about this file? Also try tune2fs -l dd-file as well as fdisk -l dd-file.
– slm
Jun 8 '14 at 19:35






1




1




I would try sudo mount -o loop -t auto dd-file /mnt.
– slm
Jun 8 '14 at 19:41




I would try sudo mount -o loop -t auto dd-file /mnt.
– slm
Jun 8 '14 at 19:41










2 Answers
2






active

oldest

votes

















up vote
2
down vote













fmem is a memory snapshotting tool. It creates an image of the contents of RAM.



While this may be useful for forensics or low-level debugging, it is not a filesystem image and cannot be mounted by any means.






share|improve this answer




























    up vote
    2
    down vote













    In trying this out myself this file is not anything other than a raw data dump/snapshot of memory. So you can examine it using any hex editor or a tool such as hexdump, or an appropriate forensic analysis tool.



    Downloading and compiling



    I found the latest version of fmem here:




    • http://hysteria.sk/~niekt0/foriana/


    After unpacking it you can compile it like so:



    $ make
    
rm -f *.o *.ko *.mod.c Module.symvers Module.markers modules.order .*.o.cmd .*.ko.cmd .*.o.d
    
rm -rf .tmp_versions
    
make -C /lib/modules/`uname -r`/build SUBDIRS=`pwd` modules
    
make[1]: Entering directory `/usr/src/kernels/3.14.4-100.fc19.x86_64'
    
  CC [M]  /home/saml/Downloads/fmem/fmem_1.6-0/lkm.o
    
  LD [M]  /home/saml/Downloads/fmem/fmem_1.6-0/fmem.o
    
  Building modules, stage 2.
    
  MODPOST 1 modules
    
  CC      /home/saml/Downloads/fmem/fmem_1.6-0/fmem.mod.o
    
  LD [M]  /home/saml/Downloads/fmem/fmem_1.6-0/fmem.ko
    
make[1]: Leaving directory `/usr/src/kernels/3.14.4-100.fc19.x86_64'


    To load the fmem kernel module you can run the included run.sh script with the archive:



    $ sudo ./run.sh 
    
Module: insmod fmem.ko a1=0xffffffff81090ca0 : OK
    
Device: /dev/fmem
    
----Memory areas: -----
    
reg01: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
    
reg02: base=0x080000000 ( 2048MB), size= 1024MB, count=1: write-back
    
reg03: base=0x100000000 ( 4096MB), size= 4096MB, count=1: write-back
    
reg04: base=0x200000000 ( 8192MB), size= 1024MB, count=1: write-back
    
reg05: base=0x23c000000 ( 9152MB), size=   64MB, count=1: uncachable
    
reg06: base=0x0bc000000 ( 3008MB), size=   64MB, count=1: uncachable
    
-----------------------
    
!!! Don't forget add "count=" to dd !!!


    You can then collect ~10MB of data, into file tst.dd:



    $ sudo dd if=/dev/fmem of=tst.dd bs=1MB count=10
    
10+0 records in
    
10+0 records out
    
10000000 bytes (10 MB) copied, 0.0541226 s, 185 MB/s


    Examining the resulting file



    If we throw the typical gamut of tools at this file you'll see that it doesn't contain anything other than raw binary data.



    file



    $ file tst.dd 
    
tst.dd: data


    fdisk



    $ fdisk -l tst.dd
    

    
Disk tst.dd: 9 MB, 9999872 bytes, 19531 sectors
    
Units = sectors of 1 * 512 = 512 bytes
    
Sector size (logical/physical): 512 bytes / 512 bytes
    
I/O size (minimum/optimal): 512 bytes / 512 bytes


    hexdump



    $ hexdump -C tst.dd  | head -10
    
00000000  53 ff 00 f0 53 ff 00 f0  c3 e2 00 f0 53 ff 00 f0  |S...S.......S...|
    
00000010  53 ff 00 f0 54 ff 00 f0  c9 a3 00 f0 53 ff 00 f0  |S...T.......S...|
    
00000020  a5 fe 00 f0 87 e9 00 f0  9f 11 00 f0 9f 11 00 f0  |................|
    
00000030  9f 11 00 f0 9f 11 00 f0  57 ef 00 f0 49 f5 00 f0  |........W...I...|
    
00000040  14 00 00 c0 4d f8 00 f0  41 f8 00 f0 9f c7 71 e1  |....M...A.....q.|
    
00000050  39 e7 00 f0 59 f8 00 f0  99 66 71 e1 d2 ef 00 f0  |9...Y....fq.....|
    
00000060  57 ff 00 f0 f2 e6 00 f0  6e fe 00 f0 53 ff 00 f0  |W.......n...S...|
    
00000070  53 ff 00 f0 a4 f0 00 f0  c7 ef 00 f0 01 9b 00 c0  |S...............|
    
00000080  9f 11 00 f0 9f 11 00 f0  9f 11 00 f0 9f 11 00 f0  |................|


    tune2fs



    $ tune2fs -l tst.dd 
    
tune2fs 1.42.7 (21-Jan-2013)
    
tune2fs: Bad magic number in super-block while trying to open tst.dd
    
Couldn't find valid filesystem superblock.


    mount



    $ sudo mount -o loop -t auto tst.dd /mnt/
    
mount: /dev/loop0 is write-protected, mounting read-only
    
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
    
       missing codepage or helper program, or other error
    

    
       In some cases useful info is found in syslog - try
    
       dmesg | tail or so.


    dmesg



    [332140.394396] fmem init_module 449: init
    
[332140.394401] fmem find_symbols 439: set guess_page_is_ram: ffffffff81090ca0
    
[333010.390836] loop: module loaded


    If you want to find out more about the category of tools that can dump memory similarly to fmem take a look at the list of resources in the references section.



    So then what can I do with the dump files from fmem?



    I found this article which discusses the creation AND analysis of these files. It's in the following article titled: Tracing Clues: Memory Analysis - Admin Network & Security Magazine. The article mentions 2 tools, Draugr & Volatilitux.



    excerpts




    Draugr



    One of the first tools for memory analysis on Linux was the Python script Draugr. The Draugr script allows users to investigate the memory of a running system directly via the /dev/mem pseudodevice. However, Draugr also analyzes memory dumps available in files. A disadvantage of Draugr is its limited functionality, which is restricted to listing processes and extracting specific memory areas. Development on Draugr stopped in 2009.



    Volatilitux



    Another memory analysis tool is Volatilitux, which was long heralded as the Linux equivalent to the Volatility tool used on Windows systems. The Volatility Analysis Framework now has built-in Linux support, which I will describe later in this article. Volatility has the biggest feature scope of the available Linux RAM analysis tools; however, it is worth noting that Volatility lacks two important features found in Volatilitux.



    ...



    ...



    In addition to the functions known from Draugr, Volatilitux lets you view and extract the open files of a process. A new release in December 2011 added 64-bit support.




    NOTE: The Windows tool, Volatility can also be used to analyze the output of fmem files!



    References




    • Tools:Memory Imaging - Wikipedia

    • How do I dump physical memory in Linux?






    share|improve this answer























    • The bit from hexdump really looks like the original BIOS/UEFI IDT vectors (before switch to protected mode, seems to all point to 0x00f0XXXX addresses which would be consistent with real-mode environment) anyway.
      – LawrenceC
      Jun 9 '14 at 0:20











    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "106"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f136114%2fhow-to-mount-a-dd-image-which-was-created-via-fmem-memory-dump-tool%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    2
    down vote













    fmem is a memory snapshotting tool. It creates an image of the contents of RAM.



    While this may be useful for forensics or low-level debugging, it is not a filesystem image and cannot be mounted by any means.






    share|improve this answer

























      up vote
      2
      down vote













      fmem is a memory snapshotting tool. It creates an image of the contents of RAM.



      While this may be useful for forensics or low-level debugging, it is not a filesystem image and cannot be mounted by any means.






      share|improve this answer























        up vote
        2
        down vote










        up vote
        2
        down vote









        fmem is a memory snapshotting tool. It creates an image of the contents of RAM.



        While this may be useful for forensics or low-level debugging, it is not a filesystem image and cannot be mounted by any means.






        share|improve this answer












        fmem is a memory snapshotting tool. It creates an image of the contents of RAM.



        While this may be useful for forensics or low-level debugging, it is not a filesystem image and cannot be mounted by any means.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Jun 8 '14 at 20:35









        ToxicFrog

        1787




        1787
























            up vote
            2
            down vote













            In trying this out myself this file is not anything other than a raw data dump/snapshot of memory. So you can examine it using any hex editor or a tool such as hexdump, or an appropriate forensic analysis tool.



            Downloading and compiling



            I found the latest version of fmem here:




            • http://hysteria.sk/~niekt0/foriana/


            After unpacking it you can compile it like so:



            $ make
            
rm -f *.o *.ko *.mod.c Module.symvers Module.markers modules.order .*.o.cmd .*.ko.cmd .*.o.d
            
rm -rf .tmp_versions
            
make -C /lib/modules/`uname -r`/build SUBDIRS=`pwd` modules
            
make[1]: Entering directory `/usr/src/kernels/3.14.4-100.fc19.x86_64'
            
  CC [M]  /home/saml/Downloads/fmem/fmem_1.6-0/lkm.o
            
  LD [M]  /home/saml/Downloads/fmem/fmem_1.6-0/fmem.o
            
  Building modules, stage 2.
            
  MODPOST 1 modules
            
  CC      /home/saml/Downloads/fmem/fmem_1.6-0/fmem.mod.o
            
  LD [M]  /home/saml/Downloads/fmem/fmem_1.6-0/fmem.ko
            
make[1]: Leaving directory `/usr/src/kernels/3.14.4-100.fc19.x86_64'


            To load the fmem kernel module you can run the included run.sh script with the archive:



            $ sudo ./run.sh 
            
Module: insmod fmem.ko a1=0xffffffff81090ca0 : OK
            
Device: /dev/fmem
            
----Memory areas: -----
            
reg01: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
            
reg02: base=0x080000000 ( 2048MB), size= 1024MB, count=1: write-back
            
reg03: base=0x100000000 ( 4096MB), size= 4096MB, count=1: write-back
            
reg04: base=0x200000000 ( 8192MB), size= 1024MB, count=1: write-back
            
reg05: base=0x23c000000 ( 9152MB), size=   64MB, count=1: uncachable
            
reg06: base=0x0bc000000 ( 3008MB), size=   64MB, count=1: uncachable
            
-----------------------
            
!!! Don't forget add "count=" to dd !!!


            You can then collect ~10MB of data, into file tst.dd:



            $ sudo dd if=/dev/fmem of=tst.dd bs=1MB count=10
            
10+0 records in
            
10+0 records out
            
10000000 bytes (10 MB) copied, 0.0541226 s, 185 MB/s


            Examining the resulting file



            If we throw the typical gamut of tools at this file you'll see that it doesn't contain anything other than raw binary data.



            file



            $ file tst.dd 
            
tst.dd: data


            fdisk



            $ fdisk -l tst.dd
            

            
Disk tst.dd: 9 MB, 9999872 bytes, 19531 sectors
            
Units = sectors of 1 * 512 = 512 bytes
            
Sector size (logical/physical): 512 bytes / 512 bytes
            
I/O size (minimum/optimal): 512 bytes / 512 bytes


            hexdump



            $ hexdump -C tst.dd  | head -10
            
00000000  53 ff 00 f0 53 ff 00 f0  c3 e2 00 f0 53 ff 00 f0  |S...S.......S...|
            
00000010  53 ff 00 f0 54 ff 00 f0  c9 a3 00 f0 53 ff 00 f0  |S...T.......S...|
            
00000020  a5 fe 00 f0 87 e9 00 f0  9f 11 00 f0 9f 11 00 f0  |................|
            
00000030  9f 11 00 f0 9f 11 00 f0  57 ef 00 f0 49 f5 00 f0  |........W...I...|
            
00000040  14 00 00 c0 4d f8 00 f0  41 f8 00 f0 9f c7 71 e1  |....M...A.....q.|
            
00000050  39 e7 00 f0 59 f8 00 f0  99 66 71 e1 d2 ef 00 f0  |9...Y....fq.....|
            
00000060  57 ff 00 f0 f2 e6 00 f0  6e fe 00 f0 53 ff 00 f0  |W.......n...S...|
            
00000070  53 ff 00 f0 a4 f0 00 f0  c7 ef 00 f0 01 9b 00 c0  |S...............|
            
00000080  9f 11 00 f0 9f 11 00 f0  9f 11 00 f0 9f 11 00 f0  |................|


            tune2fs



            $ tune2fs -l tst.dd 
            
tune2fs 1.42.7 (21-Jan-2013)
            
tune2fs: Bad magic number in super-block while trying to open tst.dd
            
Couldn't find valid filesystem superblock.


            mount



            $ sudo mount -o loop -t auto tst.dd /mnt/
            
mount: /dev/loop0 is write-protected, mounting read-only
            
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
            
       missing codepage or helper program, or other error
            

            
       In some cases useful info is found in syslog - try
            
       dmesg | tail or so.


            dmesg



            [332140.394396] fmem init_module 449: init
            
[332140.394401] fmem find_symbols 439: set guess_page_is_ram: ffffffff81090ca0
            
[333010.390836] loop: module loaded


            If you want to find out more about the category of tools that can dump memory similarly to fmem take a look at the list of resources in the references section.



            So then what can I do with the dump files from fmem?



            I found this article which discusses the creation AND analysis of these files. It's in the following article titled: Tracing Clues: Memory Analysis - Admin Network & Security Magazine. The article mentions 2 tools, Draugr & Volatilitux.



            excerpts




            Draugr



            One of the first tools for memory analysis on Linux was the Python script Draugr. The Draugr script allows users to investigate the memory of a running system directly via the /dev/mem pseudodevice. However, Draugr also analyzes memory dumps available in files. A disadvantage of Draugr is its limited functionality, which is restricted to listing processes and extracting specific memory areas. Development on Draugr stopped in 2009.



            Volatilitux



            Another memory analysis tool is Volatilitux, which was long heralded as the Linux equivalent to the Volatility tool used on Windows systems. The Volatility Analysis Framework now has built-in Linux support, which I will describe later in this article. Volatility has the biggest feature scope of the available Linux RAM analysis tools; however, it is worth noting that Volatility lacks two important features found in Volatilitux.



            ...



            ...



            In addition to the functions known from Draugr, Volatilitux lets you view and extract the open files of a process. A new release in December 2011 added 64-bit support.




            NOTE: The Windows tool, Volatility can also be used to analyze the output of fmem files!



            References




            • Tools:Memory Imaging - Wikipedia

            • How do I dump physical memory in Linux?






            share|improve this answer























            • The bit from hexdump really looks like the original BIOS/UEFI IDT vectors (before switch to protected mode, seems to all point to 0x00f0XXXX addresses which would be consistent with real-mode environment) anyway.
              – LawrenceC
              Jun 9 '14 at 0:20















            up vote
            2
            down vote













            In trying this out myself this file is not anything other than a raw data dump/snapshot of memory. So you can examine it using any hex editor or a tool such as hexdump, or an appropriate forensic analysis tool.



            Downloading and compiling



            I found the latest version of fmem here:




            • http://hysteria.sk/~niekt0/foriana/


            After unpacking it you can compile it like so:



            $ make
            
rm -f *.o *.ko *.mod.c Module.symvers Module.markers modules.order .*.o.cmd .*.ko.cmd .*.o.d
            
rm -rf .tmp_versions
            
make -C /lib/modules/`uname -r`/build SUBDIRS=`pwd` modules
            
make[1]: Entering directory `/usr/src/kernels/3.14.4-100.fc19.x86_64'
            
  CC [M]  /home/saml/Downloads/fmem/fmem_1.6-0/lkm.o
            
  LD [M]  /home/saml/Downloads/fmem/fmem_1.6-0/fmem.o
            
  Building modules, stage 2.
            
  MODPOST 1 modules
            
  CC      /home/saml/Downloads/fmem/fmem_1.6-0/fmem.mod.o
            
  LD [M]  /home/saml/Downloads/fmem/fmem_1.6-0/fmem.ko
            
make[1]: Leaving directory `/usr/src/kernels/3.14.4-100.fc19.x86_64'


            To load the fmem kernel module you can run the included run.sh script with the archive:



            $ sudo ./run.sh 
            
Module: insmod fmem.ko a1=0xffffffff81090ca0 : OK
            
Device: /dev/fmem
            
----Memory areas: -----
            
reg01: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
            
reg02: base=0x080000000 ( 2048MB), size= 1024MB, count=1: write-back
            
reg03: base=0x100000000 ( 4096MB), size= 4096MB, count=1: write-back
            
reg04: base=0x200000000 ( 8192MB), size= 1024MB, count=1: write-back
            
reg05: base=0x23c000000 ( 9152MB), size=   64MB, count=1: uncachable
            
reg06: base=0x0bc000000 ( 3008MB), size=   64MB, count=1: uncachable
            
-----------------------
            
!!! Don't forget add "count=" to dd !!!


            You can then collect ~10MB of data, into file tst.dd:



            $ sudo dd if=/dev/fmem of=tst.dd bs=1MB count=10
            
10+0 records in
            
10+0 records out
            
10000000 bytes (10 MB) copied, 0.0541226 s, 185 MB/s


            Examining the resulting file



            If we throw the typical gamut of tools at this file you'll see that it doesn't contain anything other than raw binary data.



            file



            $ file tst.dd 
            
tst.dd: data


            fdisk



            $ fdisk -l tst.dd
            

            
Disk tst.dd: 9 MB, 9999872 bytes, 19531 sectors
            
Units = sectors of 1 * 512 = 512 bytes
            
Sector size (logical/physical): 512 bytes / 512 bytes
            
I/O size (minimum/optimal): 512 bytes / 512 bytes


            hexdump



            $ hexdump -C tst.dd  | head -10
            
00000000  53 ff 00 f0 53 ff 00 f0  c3 e2 00 f0 53 ff 00 f0  |S...S.......S...|
            
00000010  53 ff 00 f0 54 ff 00 f0  c9 a3 00 f0 53 ff 00 f0  |S...T.......S...|
            
00000020  a5 fe 00 f0 87 e9 00 f0  9f 11 00 f0 9f 11 00 f0  |................|
            
00000030  9f 11 00 f0 9f 11 00 f0  57 ef 00 f0 49 f5 00 f0  |........W...I...|
            
00000040  14 00 00 c0 4d f8 00 f0  41 f8 00 f0 9f c7 71 e1  |....M...A.....q.|
            
00000050  39 e7 00 f0 59 f8 00 f0  99 66 71 e1 d2 ef 00 f0  |9...Y....fq.....|
            
00000060  57 ff 00 f0 f2 e6 00 f0  6e fe 00 f0 53 ff 00 f0  |W.......n...S...|
            
00000070  53 ff 00 f0 a4 f0 00 f0  c7 ef 00 f0 01 9b 00 c0  |S...............|
            
00000080  9f 11 00 f0 9f 11 00 f0  9f 11 00 f0 9f 11 00 f0  |................|


            tune2fs



            $ tune2fs -l tst.dd 
            
tune2fs 1.42.7 (21-Jan-2013)
            
tune2fs: Bad magic number in super-block while trying to open tst.dd
            
Couldn't find valid filesystem superblock.


            mount



            $ sudo mount -o loop -t auto tst.dd /mnt/
            
mount: /dev/loop0 is write-protected, mounting read-only
            
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
            
       missing codepage or helper program, or other error
            

            
       In some cases useful info is found in syslog - try
            
       dmesg | tail or so.


            dmesg



            [332140.394396] fmem init_module 449: init
            
[332140.394401] fmem find_symbols 439: set guess_page_is_ram: ffffffff81090ca0
            
[333010.390836] loop: module loaded


            If you want to find out more about the category of tools that can dump memory similarly to fmem take a look at the list of resources in the references section.



            So then what can I do with the dump files from fmem?



            I found this article which discusses the creation AND analysis of these files. It's in the following article titled: Tracing Clues: Memory Analysis - Admin Network & Security Magazine. The article mentions 2 tools, Draugr & Volatilitux.



            excerpts




            Draugr



            One of the first tools for memory analysis on Linux was the Python script Draugr. The Draugr script allows users to investigate the memory of a running system directly via the /dev/mem pseudodevice. However, Draugr also analyzes memory dumps available in files. A disadvantage of Draugr is its limited functionality, which is restricted to listing processes and extracting specific memory areas. Development on Draugr stopped in 2009.



            Volatilitux



            Another memory analysis tool is Volatilitux, which was long heralded as the Linux equivalent to the Volatility tool used on Windows systems. The Volatility Analysis Framework now has built-in Linux support, which I will describe later in this article. Volatility has the biggest feature scope of the available Linux RAM analysis tools; however, it is worth noting that Volatility lacks two important features found in Volatilitux.



            ...



            ...



            In addition to the functions known from Draugr, Volatilitux lets you view and extract the open files of a process. A new release in December 2011 added 64-bit support.




            NOTE: The Windows tool, Volatility can also be used to analyze the output of fmem files!



            References




            • Tools:Memory Imaging - Wikipedia

            • How do I dump physical memory in Linux?






            share|improve this answer























            • The bit from hexdump really looks like the original BIOS/UEFI IDT vectors (before switch to protected mode, seems to all point to 0x00f0XXXX addresses which would be consistent with real-mode environment) anyway.
              – LawrenceC
              Jun 9 '14 at 0:20













            up vote
            2
            down vote










            up vote
            2
            down vote









            In trying this out myself this file is not anything other than a raw data dump/snapshot of memory. So you can examine it using any hex editor or a tool such as hexdump, or an appropriate forensic analysis tool.



            Downloading and compiling



            I found the latest version of fmem here:




            • http://hysteria.sk/~niekt0/foriana/


            After unpacking it you can compile it like so:



            $ make
            
rm -f *.o *.ko *.mod.c Module.symvers Module.markers modules.order .*.o.cmd .*.ko.cmd .*.o.d
            
rm -rf .tmp_versions
            
make -C /lib/modules/`uname -r`/build SUBDIRS=`pwd` modules
            
make[1]: Entering directory `/usr/src/kernels/3.14.4-100.fc19.x86_64'
            
  CC [M]  /home/saml/Downloads/fmem/fmem_1.6-0/lkm.o
            
  LD [M]  /home/saml/Downloads/fmem/fmem_1.6-0/fmem.o
            
  Building modules, stage 2.
            
  MODPOST 1 modules
            
  CC      /home/saml/Downloads/fmem/fmem_1.6-0/fmem.mod.o
            
  LD [M]  /home/saml/Downloads/fmem/fmem_1.6-0/fmem.ko
            
make[1]: Leaving directory `/usr/src/kernels/3.14.4-100.fc19.x86_64'


            To load the fmem kernel module you can run the included run.sh script with the archive:



            $ sudo ./run.sh 
            
Module: insmod fmem.ko a1=0xffffffff81090ca0 : OK
            
Device: /dev/fmem
            
----Memory areas: -----
            
reg01: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
            
reg02: base=0x080000000 ( 2048MB), size= 1024MB, count=1: write-back
            
reg03: base=0x100000000 ( 4096MB), size= 4096MB, count=1: write-back
            
reg04: base=0x200000000 ( 8192MB), size= 1024MB, count=1: write-back
            
reg05: base=0x23c000000 ( 9152MB), size=   64MB, count=1: uncachable
            
reg06: base=0x0bc000000 ( 3008MB), size=   64MB, count=1: uncachable
            
-----------------------
            
!!! Don't forget add "count=" to dd !!!


            You can then collect ~10MB of data, into file tst.dd:



            $ sudo dd if=/dev/fmem of=tst.dd bs=1MB count=10
            
10+0 records in
            
10+0 records out
            
10000000 bytes (10 MB) copied, 0.0541226 s, 185 MB/s


            Examining the resulting file



            If we throw the typical gamut of tools at this file you'll see that it doesn't contain anything other than raw binary data.



            file



            $ file tst.dd 
            
tst.dd: data


            fdisk



            $ fdisk -l tst.dd
            

            
Disk tst.dd: 9 MB, 9999872 bytes, 19531 sectors
            
Units = sectors of 1 * 512 = 512 bytes
            
Sector size (logical/physical): 512 bytes / 512 bytes
            
I/O size (minimum/optimal): 512 bytes / 512 bytes


            hexdump



            $ hexdump -C tst.dd  | head -10
            
00000000  53 ff 00 f0 53 ff 00 f0  c3 e2 00 f0 53 ff 00 f0  |S...S.......S...|
            
00000010  53 ff 00 f0 54 ff 00 f0  c9 a3 00 f0 53 ff 00 f0  |S...T.......S...|
            
00000020  a5 fe 00 f0 87 e9 00 f0  9f 11 00 f0 9f 11 00 f0  |................|
            
00000030  9f 11 00 f0 9f 11 00 f0  57 ef 00 f0 49 f5 00 f0  |........W...I...|
            
00000040  14 00 00 c0 4d f8 00 f0  41 f8 00 f0 9f c7 71 e1  |....M...A.....q.|
            
00000050  39 e7 00 f0 59 f8 00 f0  99 66 71 e1 d2 ef 00 f0  |9...Y....fq.....|
            
00000060  57 ff 00 f0 f2 e6 00 f0  6e fe 00 f0 53 ff 00 f0  |W.......n...S...|
            
00000070  53 ff 00 f0 a4 f0 00 f0  c7 ef 00 f0 01 9b 00 c0  |S...............|
            
00000080  9f 11 00 f0 9f 11 00 f0  9f 11 00 f0 9f 11 00 f0  |................|


            tune2fs



            $ tune2fs -l tst.dd 
            
tune2fs 1.42.7 (21-Jan-2013)
            
tune2fs: Bad magic number in super-block while trying to open tst.dd
            
Couldn't find valid filesystem superblock.


            mount



            $ sudo mount -o loop -t auto tst.dd /mnt/
            
mount: /dev/loop0 is write-protected, mounting read-only
            
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
            
       missing codepage or helper program, or other error
            

            
       In some cases useful info is found in syslog - try
            
       dmesg | tail or so.


            dmesg



            [332140.394396] fmem init_module 449: init
            
[332140.394401] fmem find_symbols 439: set guess_page_is_ram: ffffffff81090ca0
            
[333010.390836] loop: module loaded


            If you want to find out more about the category of tools that can dump memory similarly to fmem take a look at the list of resources in the references section.



            So then what can I do with the dump files from fmem?



            I found this article which discusses the creation AND analysis of these files. It's in the following article titled: Tracing Clues: Memory Analysis - Admin Network & Security Magazine. The article mentions 2 tools, Draugr & Volatilitux.



            excerpts




            Draugr



            One of the first tools for memory analysis on Linux was the Python script Draugr. The Draugr script allows users to investigate the memory of a running system directly via the /dev/mem pseudodevice. However, Draugr also analyzes memory dumps available in files. A disadvantage of Draugr is its limited functionality, which is restricted to listing processes and extracting specific memory areas. Development on Draugr stopped in 2009.



            Volatilitux



            Another memory analysis tool is Volatilitux, which was long heralded as the Linux equivalent to the Volatility tool used on Windows systems. The Volatility Analysis Framework now has built-in Linux support, which I will describe later in this article. Volatility has the biggest feature scope of the available Linux RAM analysis tools; however, it is worth noting that Volatility lacks two important features found in Volatilitux.



            ...



            ...



            In addition to the functions known from Draugr, Volatilitux lets you view and extract the open files of a process. A new release in December 2011 added 64-bit support.




            NOTE: The Windows tool, Volatility can also be used to analyze the output of fmem files!



            References




            • Tools:Memory Imaging - Wikipedia

            • How do I dump physical memory in Linux?






            share|improve this answer














            In trying this out myself this file is not anything other than a raw data dump/snapshot of memory. So you can examine it using any hex editor or a tool such as hexdump, or an appropriate forensic analysis tool.



            Downloading and compiling



            I found the latest version of fmem here:




            • http://hysteria.sk/~niekt0/foriana/


            After unpacking it you can compile it like so:



            $ make
            
rm -f *.o *.ko *.mod.c Module.symvers Module.markers modules.order .*.o.cmd .*.ko.cmd .*.o.d
            
rm -rf .tmp_versions
            
make -C /lib/modules/`uname -r`/build SUBDIRS=`pwd` modules
            
make[1]: Entering directory `/usr/src/kernels/3.14.4-100.fc19.x86_64'
            
  CC [M]  /home/saml/Downloads/fmem/fmem_1.6-0/lkm.o
            
  LD [M]  /home/saml/Downloads/fmem/fmem_1.6-0/fmem.o
            
  Building modules, stage 2.
            
  MODPOST 1 modules
            
  CC      /home/saml/Downloads/fmem/fmem_1.6-0/fmem.mod.o
            
  LD [M]  /home/saml/Downloads/fmem/fmem_1.6-0/fmem.ko
            
make[1]: Leaving directory `/usr/src/kernels/3.14.4-100.fc19.x86_64'


            To load the fmem kernel module you can run the included run.sh script with the archive:



            $ sudo ./run.sh 
            
Module: insmod fmem.ko a1=0xffffffff81090ca0 : OK
            
Device: /dev/fmem
            
----Memory areas: -----
            
reg01: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
            
reg02: base=0x080000000 ( 2048MB), size= 1024MB, count=1: write-back
            
reg03: base=0x100000000 ( 4096MB), size= 4096MB, count=1: write-back
            
reg04: base=0x200000000 ( 8192MB), size= 1024MB, count=1: write-back
            
reg05: base=0x23c000000 ( 9152MB), size=   64MB, count=1: uncachable
            
reg06: base=0x0bc000000 ( 3008MB), size=   64MB, count=1: uncachable
            
-----------------------
            
!!! Don't forget add "count=" to dd !!!


            You can then collect ~10MB of data, into file tst.dd:



            $ sudo dd if=/dev/fmem of=tst.dd bs=1MB count=10
            
10+0 records in
            
10+0 records out
            
10000000 bytes (10 MB) copied, 0.0541226 s, 185 MB/s


            Examining the resulting file



            If we throw the typical gamut of tools at this file you'll see that it doesn't contain anything other than raw binary data.



            file



            $ file tst.dd 
            
tst.dd: data


            fdisk



            $ fdisk -l tst.dd
            

            
Disk tst.dd: 9 MB, 9999872 bytes, 19531 sectors
            
Units = sectors of 1 * 512 = 512 bytes
            
Sector size (logical/physical): 512 bytes / 512 bytes
            
I/O size (minimum/optimal): 512 bytes / 512 bytes


            hexdump



            $ hexdump -C tst.dd  | head -10
            
00000000  53 ff 00 f0 53 ff 00 f0  c3 e2 00 f0 53 ff 00 f0  |S...S.......S...|
            
00000010  53 ff 00 f0 54 ff 00 f0  c9 a3 00 f0 53 ff 00 f0  |S...T.......S...|
            
00000020  a5 fe 00 f0 87 e9 00 f0  9f 11 00 f0 9f 11 00 f0  |................|
            
00000030  9f 11 00 f0 9f 11 00 f0  57 ef 00 f0 49 f5 00 f0  |........W...I...|
            
00000040  14 00 00 c0 4d f8 00 f0  41 f8 00 f0 9f c7 71 e1  |....M...A.....q.|
            
00000050  39 e7 00 f0 59 f8 00 f0  99 66 71 e1 d2 ef 00 f0  |9...Y....fq.....|
            
00000060  57 ff 00 f0 f2 e6 00 f0  6e fe 00 f0 53 ff 00 f0  |W.......n...S...|
            
00000070  53 ff 00 f0 a4 f0 00 f0  c7 ef 00 f0 01 9b 00 c0  |S...............|
            
00000080  9f 11 00 f0 9f 11 00 f0  9f 11 00 f0 9f 11 00 f0  |................|


            tune2fs



            $ tune2fs -l tst.dd 
            
tune2fs 1.42.7 (21-Jan-2013)
            
tune2fs: Bad magic number in super-block while trying to open tst.dd
            
Couldn't find valid filesystem superblock.


            mount



            $ sudo mount -o loop -t auto tst.dd /mnt/
            
mount: /dev/loop0 is write-protected, mounting read-only
            
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
            
       missing codepage or helper program, or other error
            

            
       In some cases useful info is found in syslog - try
            
       dmesg | tail or so.


            dmesg



            [332140.394396] fmem init_module 449: init
            
[332140.394401] fmem find_symbols 439: set guess_page_is_ram: ffffffff81090ca0
            
[333010.390836] loop: module loaded


            If you want to find out more about the category of tools that can dump memory similarly to fmem take a look at the list of resources in the references section.



            So then what can I do with the dump files from fmem?



            I found this article which discusses the creation AND analysis of these files. It's in the following article titled: Tracing Clues: Memory Analysis - Admin Network & Security Magazine. The article mentions 2 tools, Draugr & Volatilitux.



            excerpts




            Draugr



            One of the first tools for memory analysis on Linux was the Python script Draugr. The Draugr script allows users to investigate the memory of a running system directly via the /dev/mem pseudodevice. However, Draugr also analyzes memory dumps available in files. A disadvantage of Draugr is its limited functionality, which is restricted to listing processes and extracting specific memory areas. Development on Draugr stopped in 2009.



            Volatilitux



            Another memory analysis tool is Volatilitux, which was long heralded as the Linux equivalent to the Volatility tool used on Windows systems. The Volatility Analysis Framework now has built-in Linux support, which I will describe later in this article. Volatility has the biggest feature scope of the available Linux RAM analysis tools; however, it is worth noting that Volatility lacks two important features found in Volatilitux.



            ...



            ...



            In addition to the functions known from Draugr, Volatilitux lets you view and extract the open files of a process. A new release in December 2011 added 64-bit support.




            NOTE: The Windows tool, Volatility can also be used to analyze the output of fmem files!



            References




            • Tools:Memory Imaging - Wikipedia

            • How do I dump physical memory in Linux?







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Mar 20 '17 at 10:18









            Community

            1




            1










            answered Jun 8 '14 at 21:04









            slm

            245k66505671




            245k66505671












            • The bit from hexdump really looks like the original BIOS/UEFI IDT vectors (before switch to protected mode, seems to all point to 0x00f0XXXX addresses which would be consistent with real-mode environment) anyway.
              – LawrenceC
              Jun 9 '14 at 0:20


















            • The bit from hexdump really looks like the original BIOS/UEFI IDT vectors (before switch to protected mode, seems to all point to 0x00f0XXXX addresses which would be consistent with real-mode environment) anyway.
              – LawrenceC
              Jun 9 '14 at 0:20
















            The bit from hexdump really looks like the original BIOS/UEFI IDT vectors (before switch to protected mode, seems to all point to 0x00f0XXXX addresses which would be consistent with real-mode environment) anyway.
            – LawrenceC
            Jun 9 '14 at 0:20




            The bit from hexdump really looks like the original BIOS/UEFI IDT vectors (before switch to protected mode, seems to all point to 0x00f0XXXX addresses which would be consistent with real-mode environment) anyway.
            – LawrenceC
            Jun 9 '14 at 0:20


















            draft saved

            draft discarded




















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f136114%2fhow-to-mount-a-dd-image-which-was-created-via-fmem-memory-dump-tool%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Morgemoulin

            Image
            Morgemoulin — miejscowość i gmina — Państwo   Francja Region Grand Est Departament Moza Okręg Verdun Kod INSEE 55357 Powierzchnia 6,82 km² Populacja  (1990) • liczba ludności 75 • gęstość 11 os./km² Kod pocztowy 55400 Położenie na mapie Francji Morgemoulin 49°14′N   5°35′E / 49,233333   5,583333 Portal Francja Morgemoulin – miejscowość i gmina we Francji, w regionie Grand Est, w departamencie Moza. Według danych na rok 1990 gminę zamieszkiwało 75 osób, a gęstość zaludnienia wynosiła 11 osób/km² (wśród 2335 gmin Lotaryngii Morgemoulin plasuje się na 970. miejscu pod względem liczby ludności, natomiast pod względem powierzchni na miejscu 848.). Bibliografia | Francuski urząd statystyczny ( fr. ) . p   •   d   •   e Gminy okręgu Verdun Abaucourt-Hautecourt • Aincreville • Ambly-sur-Meuse • Amel-sur-l'Étang • Ancemont • Arrancy-sur-Crusne • Aubréville • Autré
            Read more

            Scott Moir

            Image
            Scott Moir Tessa Virtue i Scott Moir w 2016 r. Reprezentacja   Kanada Data i miejsce urodzenia 2 września 1987 London Wzrost 180 cm Konkurencja Pary taneczne Partner sportowy Tessa Virtue Trener Marie-France Dubreuil, Patrice Lauzon, Romain Haguenauer Poprzednio: Marina Zujewa, Oleg Epstein, Igor Szpilband, Johnny Johns, Carol Moir, Paul MacIntosh, Suzanne Killing Klub Montreal International School of Skating Poprzednio: Arctic Edge FSC Ilderton Skating Club Lokalizacja treningowa Montreal Poprzednio: Canton Kitchener Rekordy życiowe ISU przed sezonem 2018/2019 Nota łączna 206,07 Igrzyska Olimpijskie 2018 Taniec krótki 83,67 Igrzyska Olimpijskie 2018 Taniec dowolny 122,40 Igrzyska Olimpijskie 2018 Dorobek medalowy Reprezentacja   Kanada Igrzyska olimpijskie Złoto Vancouver 2010 pary taneczne Złoto Pjongczang 2018 pary taneczne Złoto Pjongczang 2018 drużynowo Srebro S
            Read more

            Souastre

            Image
            Souastre — miejscowość i gmina — Herb Państwo   Francja Region Hauts-de-France Departament Pas-de-Calais Okręg Arras Kod INSEE 62800 Powierzchnia 7,18 km² Populacja  (1990) • liczba ludności 352 • gęstość 49 os./km² Kod pocztowy 62111 Położenie na mapie Francji Souastre 50°09′N   2°34′E / 50,150000   2,566667 Portal Francja Souastre – miejscowość i gmina we Francji, w regionie Hauts-de-France, w departamencie Pas-de-Calais. Według danych na rok 1990 gminę zamieszkiwały 352 osoby, a gęstość zaludnienia wynosiła 49 osób/km² (wśród 1549 gmin regionu Nord-Pas-de-Calais Souastre plasuje się na 887. miejscu pod względem liczby ludności, natomiast pod względem powierzchni na miejscu 507.). Bibliografia | Francuski urząd statystyczny ( fr. ) . p   •   d   •   e Gminy okręgu Arras Ablain-Saint-Nazaire Ablainzevelle Acheville Achicourt Achiet-le-Grand Achiet-le-Pe
            Read more