RAM Dumping

by Metalx1000

As soon as your operating system starts to load, the RAM in your computer is already in use.

It's storing all the data you see and a whole lot you don't see.  You may think, as I used to, that when you close a program, the program and its data are removed from RAM.  What actually happens is that the operating system only marks that memory as free; data from programs you have long since closed may still be sitting there until something else overwrites it.

There are many reasons why someone might want to acquire memory dumps from a system's RAM and use forensic software tools to examine them.  A programmer might be checking for bugs in a program, an anti-virus programmer might be trying to dissect what a virus does once it is loaded, or someone might just be curious as to what is going on in his or her computer, to learn about the technologies in use and maybe find ways to improve them.

Whatever the reason for your curiosity on the subject of acquiring memory dumps, I hope that this little article will help you on your way.  The steps and tools outlined will hopefully answer some of your questions about what is going on in the part of your computer that you don't normally get to see.

When a program is compiled, many times other files, such as image and sound files, are compiled into it or compressed into package files that are distributed with the program.  When the program is started, not only is the program loaded into RAM, but so are the extra files.

Remember, everything you see on your screen is stored in your RAM, including the icons on toolbars and drop down menus.

What we need to do is copy everything in your RAM to a file on your hard drive, where we can look at it and pick it apart.

I'll be describing how to do this on a Windows machine.  The tool I like to use to do this is called Win32dd.

Win32dd is a free kernel-land tool to acquire physical memory.  Win32dd has some similarities to the dd command many of you UNIX and Linux users are already familiar with.  This tool will copy your RAM to one dump file.  A dump file is like a complete image of the contents of your RAM.  If you are familiar with the image files that dd creates from hard drives, then you should feel pretty much at home with this concept.

I would like to point out that Win32dd is open-source and free as in freedom, but the project has been dropped by the creator Matthieu Suiche.  Suiche is now working on a similar tool called MoonSols.  I do not believe MoonSols is open-source, so I have not used it myself.  You should be able to obtain a copy of Win32dd with some Google searching.

The way we are going to use Win32dd is simple.

After going to the Win32dd site and downloading the ZIP file, extract the contents to a folder where you would like to keep the data you grab from RAM.

There should be four files in the ZIP file: HELP.txt, README.txt, win32dd.exe, and win32dd.sys.

Obviously, the first two files are for your reading pleasure.  The last two are needed for Win32dd to work.

Once extracted from the ZIP file, open a command prompt as Administrator (Win32dd loads its driver, win32dd.sys, into the kernel, and that needs admin rights) and move to the directory where you have placed Win32dd.

Then run Win32dd as follows:

C:\> win32dd -d myfile.dmp

You can name the dump file anything you would like.

Since most new computers have large capacities of RAM, on average ranging from 2 to 4 GB, it could take a while to copy all the data from your RAM to your dump file.  So be patient.  As they used to say in the old Heinz Ketchup commercials, "The best things come to those who wait."  Keep in mind that Win32dd itself needs some RAM to run, so a small part of what was in memory gets overwritten by the act of capturing it; no software acquisition tool avoids that entirely.

After you have gotten up, gotten a cup of coffee, watched some TV, and gone to the mailbox to check for a new issue of 2600, you can come back to your computer.  When you do, you will find yourself a large dump file that in most cases will be a few gigs.

What do you do with this file?

Well, you run it through a good forensic tool called Foremost to get all the goodies out.

Foremost will scan through the dump file and look for files based on their headers, footers, and internal data structures.  This is basically what data recovery tools such as PhotoRec do when searching for deleted files on your hard drive.

This process is called data carving.  Foremost can find many common file types.

Some, but not all, include: EXE, JPEG, HTML, DOC, XLS, WAVE, AVI, MPEG, MOV, and MP3 files.

According to the website, Foremost will not only work on DMP files created by Win32dd, but it will also work on standard image files that are created with dd from a device such as a hard drive or flash drive.

Foremost is also free and open-source.

If you want, you can download the Foremost source code from foremost.sourceforge.net.  If you do, you will need to compile it yourself.

If you are a Linux user such as myself, Foremost is most likely already in your repositories and can be installed with a simple sudo aptitude install foremost at the command line.  At this point either copy the dump file to a flash drive or boot into Linux on the same machine with a Live CD or using a dual-booted system.

Foremost is a command line tool.

Open up your terminal of choice and navigate to the folder where you stored the dump file.  Foremost has a few switches that do different things.

Today we are going to look at the -t switch.  This switch will specify to Foremost what file type you are looking for in the dump file.

For example, foremost -t jpeg myfile.dmp, will search through the dump file and save anything that it thinks might be a JPEG file to a sub folder labeled output/jpeg.

If you want Foremost to dump every file it sees use the command: foremost -t all myfile.dmp

Foremost will make a folder for each file type it finds, plus an audit.txt listing every carved file and the offset in the dump it came from.  Point it at an empty or nonexistent output folder (the default is output; pick another with -o), because it refuses to write into a folder that already has files in it.

As you look through the files Foremost creates, keep in mind that some files may not be complete.  Just as saving files to your hard drive overwrites sectors that are no longer in use, running programs overwrite RAM that was freed earlier.

You load data to RAM by opening a program, but when you close the program that data may stay in RAM until it is overwritten or the power is cut.

Some files may get partially written over leaving half a JPEG image or a corrupt MPEG file.  This is the same thing that happens to some files that you may recover with PhotoRec.
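To make the header-and-footer carving described above concrete, and to show why half a JPEG can come out of it, here is a small carver written for this article.  It is an added example, not Foremost's code and not part of the original: it knows only the JPEG SOI/EOI markers and the PNG signature/IEND chunk, uses an 8 MiB size cap that is an assumption of this example, and runs against a constructed stand-in for a RAM dump that contains two whole files and a JPEG whose tail was overwritten by a newer JPEG.  Pass a real dump file as the first argument to carve that instead.

```python
"""Minimal header/footer carver over a raw memory image (added example)."""
from dataclasses import dataclass
from pathlib import Path

# File signatures: header magic, footer magic, and a size cap so a header whose
# footer was overwritten does not swallow the rest of the image.  The markers are
# the standard JPEG SOI/EOI and PNG signature/IEND; the 8 MiB cap is an assumption
# made for this example.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 8 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 8 * 1024 * 1024),
}


@dataclass
class Carved:
    kind: str        # signature name, e.g. "jpeg"
    offset: int      # byte offset of the header inside the image
    data: bytes      # carved bytes, header included
    complete: bool   # False when the footer was never found (partly overwritten)


def carve(image: bytes, kinds=tuple(SIGNATURES)) -> list:
    """Return every header-delimited region for the requested kinds, sorted by offset."""
    found = []
    for kind in kinds:
        header, footer, cap = SIGNATURES[kind]
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            window = image[start:start + cap]
            # Look past the header for either the footer or another header of the
            # same type.  A second header arriving before the footer means the first
            # file was partly overwritten by a later one, so cut there and flag it.
            next_hdr = window.find(header, len(header))
            foot = window.find(footer, len(header))
            if foot >= 0 and (next_hdr < 0 or foot < next_hdr):
                data, complete = window[:foot + len(footer)], True
            else:
                end = next_hdr if next_hdr >= 0 else len(window)
                data, complete = window[:end], False
            found.append(Carved(kind, start, data, complete))
            pos = start + len(data)
    return sorted(found, key=lambda c: c.offset)


def write_out(found, outdir: str) -> list:
    """Write carved files as <outdir>/<kind>/<offset>.<kind>, one folder per type."""
    written = []
    for c in found:
        d = Path(outdir) / c.kind
        d.mkdir(parents=True, exist_ok=True)
        suffix = "" if c.complete else ".partial"
        p = d / f"{c.offset:08x}.{c.kind}{suffix}"
        p.write_bytes(c.data)
        written.append(p)
    return written


def build_sample_image() -> bytes:
    """Constructed stand-in for a RAM dump: filler, two whole files, and a JPEG
    whose tail was overwritten by a newer JPEG.  Filler values stay below 0xff so
    they cannot collide with the JPEG markers."""
    filler = bytes((i * 37) % 251 for i in range(2048))
    jpeg1 = b"\xff\xd8\xff\xe0" + b"A" * 300 + b"\xff\xd9"
    png1 = b"\x89PNG\r\n\x1a\n" + b"B" * 200 + b"IEND\xaeB`\x82"
    jpeg_partial = b"\xff\xd8\xff\xe1" + b"C" * 100          # no EOI marker left
    jpeg2 = b"\xff\xd8\xff\xe0" + b"D" * 50 + b"\xff\xd9"
    return filler + jpeg1 + filler + png1 + filler + jpeg_partial + jpeg2 + filler


if __name__ == "__main__":
    import sys
    image = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample_image()
    results = carve(image)
    for c, path in zip(results, write_out(results, "output")):
        print(f"{c.offset:#010x} {c.kind:4} {len(c.data):8} bytes "
              f"{'complete' if c.complete else 'PARTIAL'} -> {path}")
```

The partial JPEG comes out with no EOI marker, which is exactly the "half a JPEG" case; a viewer will usually show the top of the picture and stop.  The simple rule has a known weakness as well: a real JPEG with an EXIF thumbnail carries a second SOI marker inside it, so this carver splits it in two, which is why a production carver such as Foremost also checks the file's internal structure rather than trusting the first header and footer it sees.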

There will be a lot to go through.  Much of it may not be interesting.  But, if you take the time to go through it you will find that you could learn a lot about your computer and how it works.

You will also have access to media such as videos, icons, images, and sounds that may become useful to you in projects you may be working on.

Proprietary software designers also work really hard to hide things from the end user.

They zip things up in proprietary file formats while they are on your hard drive.  But many of the things they hide from the end user have to be unzipped at some point for the program to access them.

Many times these items can be found while the program is loaded into RAM.  I don't know about you, but I feel that if it's my computer, no one should be hiding anything from me.

The only way you can truly have control over your computer is to know the ins and outs of what makes it work.

So, dig and search.  Information was meant to be free.

The only way we can grow and technology can move forward is to learn and understand how things work now, so we can improve them for the future.

Thanks to Canola for your help.
