Has anybody been able to successfully capture linux memory in recent kernels with the fmem module? (http//
I have done a little testing on ubuntu 11.04 (2.6.38-10) and every time I try to run dd with /dev/fmem as the input file I get the very unhelpful error "killed" and a zero byte output file.
root@MyComputerNameHere/# dd if=/dev/fmem of=/media/Data/temp/fmem/memdd count=4055936 bs=1kB
Killed
root@MyComputerNameHere/#
I've tried different size dd counts and block sizes with no further love. (I'm running as root as you can see above)
Any advice?
Is /dev/fmem loaded?
You might need to hot load fmem.ko to make it part of the kernel, with the Linux insmod command.
The fmem kernel module comes with a "run.sh" shell batch file that does this for you.
Have you tried Red Hat /dev/crash module?
Is /dev/fmem loaded?
Yep )
The install process actually runs the insmod for you ) (I checked, lsmod shows it sitting there happily)
Have you tried Red Hat /dev/crash module?
I haven't. Is it Red Hat specific? We tend to work mainly in userland, not server land, so we don't see much of Red Hat and mainly see Ubuntu or Fedora.
That being said, I'll look into it, thanks.
Could it be the OOM killer killing your dd process because it used up too much RAM?
http//
How much RAM in the box?
How much RAM in the box?
4GB, but the "killed" happens immediately, doesn't seem like enough time for the RAM to be fully allocated (nothing else big running so RAM should be mostly free)
Maybe it is an issue with fmem and not dd?
If you do something like
cat /dev/fmem | more
does cat also get killed?
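A set of shell checks for the diagnosis being discussed above (module loaded? device node present? did the OOM killer actually record a kill of dd?), added here as an example and not posted by anyone in the thread; it assumes /proc/modules-style lsmod output and the usual OOM-killer wording in dmesg, and the sample input is constructed.

```shell
#!/bin/sh
# Diagnostic helpers for the "dd if=/dev/fmem ... Killed" symptom.
# Each helper reads the text it inspects on stdin, so it works on live
# output (lsmod, dmesg) as well as on a saved log from the affected box.

# Exit 0 and print the matching line if fmem appears in /proc/modules-style text.
fmem_loaded() {
    awk '$1 == "fmem" { found = 1; print } END { exit !found }'
}

# Exit 0 if the given path (default /dev/fmem) is a character device node.
fmem_device_ok() {
    [ -c "${1:-/dev/fmem}" ]
}

# Print unique "<pid> <comm>" pairs for every OOM-killer victim in dmesg-style
# text. Handles both "Out of memory: Kill process N (x)" and "Killed process N (x)".
oom_victims() {
    awk 'match($0, /Kill(ed)? process [0-9]+ \([^)]*\)/) {
        s = substr($0, RSTART, RLENGTH)
        sub(/^Kill(ed)? process /, "", s)                          # "N (x)"
        pid = s;  sub(/ .*/, "", pid)                               # "N"
        comm = s; sub(/^[0-9]+ \(/, "", comm); sub(/\)$/, "", comm) # "x"
        print pid, comm
    }' | sort -u
}

# Given a command name and dmesg-style text on stdin, print a one-word verdict:
#   oom      - the OOM killer reported killing that command
#   not-oom  - no OOM record, so an immediate "Killed" points at fmem itself
#              (module messages in dmesg, missing device node) rather than RAM
dd_kill_cause() {
    if oom_victims | awk -v c="$1" '$2 == c { hit = 1 } END { exit !hit }'; then
        echo oom
    else
        echo not-oom
    fi
}

# Typical live use (as root):
#   lsmod | fmem_loaded || echo "fmem not loaded: run the module's run.sh"
#   fmem_device_ok      || echo "/dev/fmem is missing"
#   dmesg | dd_kill_cause dd
```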
4GB, but the "killed" happens immediately
Red Hat crash module can be used on Ubuntu, but you will need to prepare the module per kernel version you are interested in.
Have you considered firewire acquisition as an option?
Sadly, you have hit on a frustratingly difficult problem associated with acquisition of physical memory on the more modern OSes, which also includes Mac OS X and Windows.
For obvious reasons, being able to read physical memory presents security issues, which has resulted in OS vendors implementing certain features in their kernels to mitigate against them. Sadly this also has an impact for incident responders, forensic examiners and researchers.
I'm not saying they can't be overcome, it is just that you have to be mindful about how you go about it and be prepared.
You loaded fmem using the .sh script, right, and not by directly insmod'ing?
The author has released a new version that should fix these issues.
http//