Notifications
Clear all

zram0

3 Posts
3 Users
0 Likes
582 Views
(@karishma)
Posts: 3
New Member
Topic starter
 

I found a file in /dev/block of my android device named zram0. Does this contain the RAM contents of the phone? I acquired the zram0 using dd command.But I could not view it.I tried opening the dd image using autopsy. But the file couldn't be opened. Please suggest me a method to view the contents of the dd image of zram0.

 
Posted : 01/05/2016 10:00 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

My google-fu found this article https://www.kernel.org/doc/Documentation/blockdev/zram.txt

The article states that zram files are compressed, so perhaps the reason you are not able to view the contents with a simple hex viewer is that the file needs to be uncompressed first.

Article also states "The zram module creates RAM based block devices named /dev/zram<id>
(<id> = 0, 1, …)", so perhaps your compressed file is spanning across more zram files such as zram1, zram2 and therefore you need all segments of the compressed file to open it?

You could try to open all the zram files at once with 7zip or something similar? Maybe try researching the type of compression being used in this system.

 
Posted : 01/05/2016 10:22 pm
kacos
(@kacos)
Posts: 93
Trusted Member
 

zram was merged into the Linux kernel mainline in kernel version 3.14, released on March 30, 2014.[5] As of Linux kernel version 3.15, released on June 8, 2014, zram supports LZ4 compression algorithm, while LZO remains as the default compression backend. Changes in kernel 3.15 also provide performance improvements, as well as the ability to switch the compression algorithm via sysfs

wikipedia

 
Posted : 02/05/2016 4:25 pm
Share: