----- Original Message -----
Hi,
recently, some forensic research suggested utilizing the Crash
utility as an independent solution to parse Linux memory dumps in order to
extract forensic artifacts. But in real forensic cases where there is a
need to minimize the footprint on the compromised system, the
forensic analyst would perform only one action, which is a physical
memory capture with dd, to minimize the footprint. I just wonder if
there is any chance that the Crash utility would support dd images.
Thanks,
Amer
Certainly there is no support for such a raw dumpfile format.
But I don't really understand what you mean by saying that the
use of dd "would minimize the footprint"? I presume that you
are asking whether you could do something like this on a live
system?:
$ dd if=/dev/mem of=memory-image
$ crash vmlinux memory-image
Theoretically it could be done, presuming that the read_mem()
function in the /dev/mem driver would never fail until it reached
the end of physical memory, i.e., would create an exact page-by-page
copy of all physical pages from 0 to the end of physical memory.
But if that's the case, and you can run crash on the system that
you want to dump, try the "snap.so" extension module that comes
with the crash utility source package. It creates a dumpfile
while running on a live system, in an ELF format that crash
understands.
Dave
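A way to check the "exact page-by-page copy" condition Dave describes, as an added example that is not from the thread or the crash project: it derives the end of physical memory from /proc/iomem and compares it with the size of the dd image. It assumes a POSIX shell, a raw image written as in the two commands above, and that /dev/mem exposes all of RAM (many kernels restrict it); the /proc/iomem excerpt inside it is constructed.

```shell
#!/bin/sh
# Added example, not code from the crash-utility thread. Assumes a raw
# image written with "dd if=/dev/mem of=memory-image". The iomem text
# below is constructed, not captured from a real host.

# Constructed /proc/iomem excerpt; the indented "Kernel code" lines lie
# inside the second "System RAM" range and must not be counted separately.
SAMPLE_IOMEM='00000000-00000fff : Reserved
00001000-0009fbff : System RAM
0009fc00-0009ffff : Reserved
00100000-7ffdffff : System RAM
  01000000-0192a4c1 : Kernel code
  0192a4c2-01e2e93f : Kernel rodata
7ffe0000-7fffffff : Reserved'

# Read /proc/iomem-style text on stdin and print, in decimal bytes, the
# exclusive end of the highest "System RAM" range: the length a complete
# page-by-page copy of physical memory starting at address 0 would have.
ram_end_bytes() {
    max=0
    while IFS= read -r line; do
        case "$line" in
            *": System RAM") ;;
            *) continue ;;
        esac
        set -- $line                  # $1 is "start-end"; indentation is dropped
        end=$(( 0x${1#*-} + 1 ))      # range ends are inclusive in /proc/iomem
        if [ "$end" -gt "$max" ]; then max=$end; fi
    done
    printf '%s\n' "$max"
}

# Succeed only if the image is at least as long as the end of physical
# memory listed in the given iomem file. A read_mem() failure part way
# through leaves dd with a short image, which this catches; it does not
# prove that the pages which are present were read correctly.
image_covers_ram() {
    img=$1; iomem=$2
    size=$(wc -c < "$img" | tr -d ' ')
    need=$(ram_end_bytes < "$iomem")
    if [ "$size" -ge "$need" ]; then
        echo "ok: image $size bytes >= physical end $need"
    else
        echo "short: image $size bytes < physical end $need"
        return 1
    fi
}

printf '%s\n' "$SAMPLE_IOMEM" | ram_end_bytes   # → 2147352576 (0x7ffe0000)
```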