Hi Dave,
Crash utility support for such a raw dumpfile would be really useful for some embedded
devices.
Such devices typically have no storage resource to write the dumpfile in a supported
format, but another CPU on the system can take the physical memory contents out to a
connected debugger PC. In this case, only a raw dumpfile is available, since the latter CPU
does not have knowledge of the crashed kernel.
Writing a small utility which converts a raw dump to one of the supported formats might be
an idea. But it probably requires information from vmlinux.
So it seems natural to me that crash utility should support raw dumpfile by itself.
Best Regards,
Takuo Koguchi
----- Original Message -----
> Hi,
>
>
> Recently, some forensic research suggested utilizing the Crash
> utility as an independent solution to parse Linux memory dumps in order to
> extract forensic artifacts. But in real forensic cases where there is a
> need to minimize the footprint on the compromised system, the
> forensic analyst would perform only one action, which is physical
> memory capture with dd, to minimize the footprint. I just wonder if
> there is any chance that the Crash utility would support dd images.
>
> Thanks,
> Amer
Certainly there is no support for such a raw dumpfile format.
But I don't really understand what you mean by saying that the
use of dd "would minimize the footprint"? I presume that you
are asking whether you could do something like this on a live
system?:
$ dd if=/dev/mem of=memory-image
$ crash vmlinux memory-image
Theoretically it could be done, presuming that the read_mem()
function in the /dev/mem driver would never fail until it reached
the end of physical memory, i.e., would create an exact page-by-page
copy of all physical pages from 0 to the end of physical memory.
But if that's the case, and you can run crash on the system that
you want to dump, try the "snap.so" extension module that comes
with the crash utility source package. It creates a dumpfile
while running on a live system, in an ELF format that crash
understands.
Dave
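As an added illustration of the small conversion utility Takuo suggests, and of the
physical-address-to-file-offset lookup that a reader of either format has to do, here is
example code that is not from the crash project or from anyone in this thread. It wraps a
flat raw image in an ELF64 ET_CORE file with a single PT_LOAD segment, then reads physical
addresses back through the segment table. Assumptions, not taken from the thread: 4 KiB
pages, EM_X86_64 as the target, a raw image that starts at a caller-supplied physical base
with no holes, and p_vaddr left at 0 because the direct-map base is something only the
crashed kernel (or its vmlinux) knows. The sample image below is constructed for the
example; whether crash accepts a core file with no PT_NOTE segment is not verified here.

```python
import struct

PAGE_SIZE = 4096            # assumed page size of the raw image
ELF64_EHDR_SIZE = 64
ELF64_PHDR_SIZE = 56
ET_CORE = 4
PT_LOAD = 1
EM_X86_64 = 62              # assumed target architecture (183 would be EM_AARCH64)
PF_RWX = 0x7                # PF_X | PF_W | PF_R

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr, little-endian

# Constructed sample "raw dump": three pages, page i filled with byte value i.
SAMPLE_RAW = b"".join(bytes([i]) * PAGE_SIZE for i in range(3))


def wrap_raw_dump(raw, phys_base=0, vaddr=0, e_machine=EM_X86_64):
    """Wrap a flat physical-memory image in an ELF64 ET_CORE file.

    The raw image is assumed to be a page-by-page copy starting at physical
    address phys_base with no holes, so one PT_LOAD segment covers all of it.
    p_vaddr stays 0 unless the caller supplies the kernel's direct-map base;
    that value lives in the crashed kernel, which a dump taken from another
    CPU cannot know (the point raised in the thread).
    """
    data_offset = ELF64_EHDR_SIZE + ELF64_PHDR_SIZE
    # Round the data start up to a page boundary; not required by ELF, but it
    # keeps (file offset - physical address) page aligned for readers.
    data_offset = -(-data_offset // PAGE_SIZE) * PAGE_SIZE

    # e_ident: magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT, ELFOSABI_NONE, pad
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack(EHDR_FMT, e_ident, ET_CORE, e_machine, 1,
                       0,                                   # e_entry
                       ELF64_EHDR_SIZE,                     # e_phoff
                       0, 0,                                # e_shoff, e_flags
                       ELF64_EHDR_SIZE, ELF64_PHDR_SIZE, 1, # e_ehsize, e_phentsize, e_phnum
                       0, 0, 0)                             # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack(PHDR_FMT, PT_LOAD, PF_RWX, data_offset, vaddr, phys_base,
                       len(raw), len(raw), PAGE_SIZE)
    pad = b"\x00" * (data_offset - len(ehdr) - len(phdr))
    return ehdr + phdr + pad + bytes(raw)


def load_segments(elf):
    """Return [(p_paddr, p_offset, p_filesz), ...] for every PT_LOAD segment."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    fields = struct.unpack_from(EHDR_FMT, elf, 0)
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]
    segs = []
    for i in range(e_phnum):
        p_type, _flags, p_offset, _vaddr, p_paddr, p_filesz, _memsz, _align = \
            struct.unpack_from(PHDR_FMT, elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((p_paddr, p_offset, p_filesz))
    return segs


def read_phys(elf, paddr, length):
    """Read `length` bytes at physical address `paddr` via the segment table.

    This is the translation any dump reader performs: physical address ->
    file offset. For a raw dd image the mapping is simply
    offset == paddr - phys_base, which is why a raw reader is conceptually
    trivial once the base address and the absence of holes are known.
    """
    for p_paddr, p_offset, p_filesz in load_segments(elf):
        if p_paddr <= paddr and paddr + length <= p_paddr + p_filesz:
            off = p_offset + (paddr - p_paddr)
            return elf[off:off + length]
    raise ValueError("physical range 0x%x+0x%x not covered by any PT_LOAD"
                     % (paddr, length))


if __name__ == "__main__":
    core = wrap_raw_dump(SAMPLE_RAW, phys_base=0x80000000)
    print("segments:", [(hex(p), hex(o), hex(n)) for p, o, n in load_segments(core)])
    print("page 2 starts with:", read_phys(core, 0x80002000, 4))
```

With a real image you would replace SAMPLE_RAW with the bytes the debugger PC pulled out and pass the physical address the capture started at as phys_base; if the capture has holes (reserved ranges the other CPU skipped), each contiguous run needs its own PT_LOAD rather than one segment.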
--
Crash-utility mailing list
Crash-utility(a)redhat.com
https://www.redhat.com/mailman/listinfo/crash-utility