Memory Dump Formats

by Chirath De Alwis

As with other storage devices, volatile memory can be captured in several formats, and which one you get depends on the acquisition method used. According to Ligh et al. (2018), the most commonly used memory dump formats are:

  • RAW memory dump.
  • Windows crash dump.
  • Windows hibernation files.
  • Expert witness format (EWF).
  • HPAK format.

RAW Memory Dump

The raw memory dump is the format most commonly consumed by modern analysis tools. According to Ligh et al. (2018), raw-format memory dumps contain no headers, metadata, or magic values.

“The raw format typically includes padding for any memory ranges that were intentionally skipped (i.e., device memory) or that could not be read by the acquisition tool, which helps maintain spatial integrity (relative offsets among data)” (Ligh et al, 2018).

The figure below shows the layout of a raw memory file.

Windows Crash Dump

According to Hameed’s podcast Understanding Crash Dump Files (2008), all Windows operating systems are configured by default to capture information about the state of the computer in the event of a crash. As Ligh et al. (2018) note, these crash dumps begin with a _DMP_HEADER or _DMP_HEADER64 structure.

The above figure shows the layout of a Windows full crash dump file. According to Microsoft (2018), Windows can produce three different kinds of crash dump.

Those are:

Complete memory dump
According to Microsoft (2018), this is the largest kernel-mode memory dump file: it contains everything that was in physical memory. As Microsoft (2018) also notes, it does not include physical memory used by the platform firmware.

Kernel memory dump
According to Hameed’s podcast Understanding Crash Dump Files (2008), this kernel-mode dump contains all the memory in use by the kernel at the time of the crash. Because it holds only kernel memory, it is significantly smaller than a complete memory dump. As Microsoft (2018) notes, these dumps do not include unallocated memory or any memory allocated to user-mode applications, which narrows the scope of analysis.

Small memory dump
As the name suggests, this is the smallest memory dump file Windows can create. According to Microsoft (2018), these files contain:

  • The bug check message and parameters, as well as other blue-screen data.
  • The processor context (PRCB) for the processor that crashed.
  • The process information and kernel context (EPROCESS) for the process that crashed.
  • The thread information and kernel context (ETHREAD) for the thread that crashed.
  • The kernel-mode call stack for the thread that crashed. If this is longer than 16 KB, only the topmost 16 KB will be included.
  • A list of loaded drivers.

According to Ligh et al. (2018), a crash dump can be created in the following ways:

  • Blue Screens
  • CrashOnCtrlScroll
  • Debuggers

Not all of these methods are suitable for forensic acquisition, however.

Windows Hibernation File

According to Microsoft (2018), hibernation is powering down a computer while retaining its state. On hibernation, the computer saves the contents of its random access memory (RAM) to a hard disk or other non-volatile storage; on resumption, the computer is exactly as it was before entering hibernation.

When hibernation is enabled on the computer, a hibernation file holding a full dump of memory is created under the system folder.

Expert Witness Format (EWF)

According to Ligh et al. (2018), this is the format EnCase Forensic uses when acquiring memory. Although it originates with one commercial vendor, its popularity has made it a de facto standard file format. Because the format is primarily consumed by EnCase, only a few other tools can analyze these memory files. As Ligh et al. (2018) say, investigators should be familiar with the following methods of analyzing EWF memory dumps:

  • “EWFAddressSpace” (Ligh et al, 2018)
  • “Mounting with EnCase” (Ligh et al, 2018)
  • “Mounting with FTK Imager” (Ligh et al, 2018)

HPAK Format

This is the file format used by the HBGary software corporation. “HPAK allows a target system’s physical memory and page file(s) to embed in the same output file” (Ligh et al, 2018). Because the format is proprietary, these memory files can only be created with HBGary tools.
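As an added example (not part of the original article), the following Python identifies which of the formats described above a file is in from its leading bytes, and for a Windows crash dump reads the header fields that tell the complete, kernel and small dumps apart. The crash dump, EWF and hibernation signatures follow the header structures named above; the HPAK magic, the _DMP_HEADER field offsets and the DumpType values are assumptions taken from common memory-forensics tooling and should be checked against your own tool’s definitions.

```python
import struct

# Magic values of the non-raw formats above: crash dumps start with Signature
# "PAGE" + ValidDump "DUMP"/"DU64" (_DMP_HEADER/_DMP_HEADER64); EWF/E01 with
# "EVF"; hibernation files with "hibr" ("wake" once resumed); HPAK is assumed.
SIGNATURES = [
    (b"PAGEDUMP", "Windows crash dump (32-bit _DMP_HEADER)"),
    (b"PAGEDU64", "Windows crash dump (64-bit _DMP_HEADER64)"),
    (b"EVF\x09\x0d\x0a\xff\x00", "Expert Witness Format (EWF/E01)"),
    (b"hibr", "Windows hibernation file"),
    (b"wake", "Windows hibernation file (resumed)"),
    (b"HPAK", "HPAK (HBGary)"),
]
# DumpType 1/2/4 map onto the three kinds above; offsets are assumed (see text).
DUMP_TYPES = {1: "complete memory dump", 2: "kernel memory dump", 4: "small memory dump"}
LAYOUT = {  # signature: (bits, NumberProcessors, BugCheckCode, DumpType, header size)
    b"PAGEDUMP": (32, 0x24, 0x28, 0xF88, 0x1000),
    b"PAGEDU64": (64, 0x34, 0x38, 0xF98, 0x2000),
}

def identify_dump(head: bytes) -> str:
    """Classify a dump from its first bytes; a raw dump has no magic, so unknown means possibly raw."""
    for magic, name in SIGNATURES:
        if head.startswith(magic) or head.startswith(magic.upper()):
            return name
    return "unknown (possibly raw: no header, metadata or magic value)"

def crash_dump_info(head: bytes) -> dict:
    """Read the header fields that distinguish the crash dump kinds."""
    if head[:8] not in LAYOUT:
        raise ValueError("not a Windows crash dump header")
    bits, ncpu_off, bcc_off, type_off, size = LAYOUT[head[:8]]
    if len(head) < size:
        raise ValueError(f"need the first {size:#x} bytes of the file")
    u32 = lambda off: struct.unpack_from("<I", head, off)[0]
    dump_type = u32(type_off)
    return {"bits": bits, "major": u32(8), "minor": u32(0xC),
            "processors": u32(ncpu_off), "bugcheck": u32(bcc_off),
            "kind": DUMP_TYPES.get(dump_type, f"other (DumpType={dump_type})")}

def make_sample_crash_header() -> bytes:
    """Constructed 64-bit header for demonstration only, not a real capture."""
    h = bytearray(0x2000)
    h[:8] = b"PAGEDU64"
    struct.pack_into("<II", h, 8, 15, 18362)     # MajorVersion, MinorVersion
    struct.pack_into("<I", h, 0x34, 4)           # NumberProcessors
    struct.pack_into("<I", h, 0x38, 0x7E)        # BugCheckCode
    struct.pack_into("<I", h, 0xF98, 2)          # DumpType 2: kernel dump
    return bytes(h)
```

To triage a real file, pass its first 0x2000 bytes to `identify_dump` and, if it is a crash dump, to `crash_dump_info`; a file with no recognised magic is most likely a raw dump, which is exactly why raw images carry no self-describing header to check.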

References

  1. Ligh, M.H. et al. (2018). The Art of Memory Forensics. 1st Ed. United States of America: John Wiley & Sons.
  2. Microsoft. (2008). Understanding Crash Dump Files. 8 Jan 2008 (accessed 11 Jan 2018). [ONLINE] Available at: http://blogs.technet.com/b/askperf/archive/2008/01/08/understanding-crash-dump-files.aspx.
  3. Microsoft Corporation. (2018). Complete Memory Dump. [ONLINE] Available at: http://msdn.microsoft.com/en-us/library/windows/hardware/ff539190%28v=vs.85%29.aspx.
  4. Microsoft Corporation. (2018). Small Memory Dump. [ONLINE] Available at: http://msdn.microsoft.com/en-us/library/windows/hardware/ff556895%28v=vs.85%29.aspx.

About The Author

Chirath De Alwis is an information security professional with more than four years’ experience in the information security domain. He holds C|EH, C|HFI and Qualys Certified Security Specialist certifications and is reading for an MSc specializing in Cyber Security. Currently, Chirath is involved in vulnerability management, incident handling and digital forensics activities in Sri Lankan cyberspace. You can contact him at chirathdealwis@gmail.com.
