----- Original Message -----
> Hi,
>
> Recently, some forensic research suggested utilizing the Crash
> utility as an independent solution to parse a Linux memory dump in order to
> extract forensic artifacts. But in real forensic cases, where there is a
> need to minimize the footprint on the compromised system, the
> forensic analyst would perform only one action, which is a physical
> memory capture with dd to minimize the footprint. I just wonder if
> there is any chance that the Crash utility would support a dd image.
>
> Thanks,
> Amer

Certainly there is no support for such a raw dumpfile format.

But I don't really understand what you mean by saying that the use of dd
"would minimize the footprint"? I presume that you are asking whether you
could do something like this on a live system?:

  $ dd if=/dev/mem of=memory-image
  $ crash vmlinux memory-image

Theoretically it could be done, presuming that the read_mem() function in
the /dev/mem driver would never fail until it reached the end of physical
memory, i.e., would create an exact page-by-page copy of all physical pages
from 0 to the end of physical memory.

But if that's the case, and you can run crash on the system that you want
to dump, try the "snap.so" extension module that comes with the crash
utility source package. It creates a dumpfile while running on a live
system, in an ELF format that crash understands.

Dave

--
Crash-utility mailing list
Crash-utility@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/crash-utility
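The point Dave makes above is that a raw dd image is only usable if file offset equals physical address for every page, whereas an ELF-format dump carries PT_LOAD headers that record where each physical range actually lives in the file. The following is an added example (not code from the thread or from the crash project) that builds a constructed, minimal ELF64 core with a hole in physical memory, parses its PT_LOAD headers, and contrasts physical-address lookup under the two models; the builder, the hole layout and all function names are assumptions for illustration.

```python
import struct

PT_LOAD, ET_CORE, EM_X86_64, PAGE = 1, 4, 62, 4096

def build_elf_core(segments):
    """Construct a minimal little-endian ELF64 core (constructed sample, not a
    real crash/snap.so dump). segments: list of (paddr, bytes)."""
    ehsize, phentsize = 64, 56
    data_off = ehsize + phentsize * len(segments)
    phdrs, blobs = b"", b""
    for paddr, data in segments:
        # p_type, p_flags(RW), p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        phdrs += struct.pack("<IIQQQQQQ", PT_LOAD, 0x6, data_off + len(blobs),
                             0, paddr, len(data), len(data), PAGE)
        blobs += data
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9          # ELF64, LSB, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, ET_CORE, EM_X86_64, 1, 0,
                       ehsize, 0, 0, ehsize, phentsize, len(segments), 0, 0, 0)
    return ehdr + phdrs + blobs

def parse_load_segments(blob):
    """Return [(paddr, file_offset, size)] for every PT_LOAD in an ELF64 core.
    A raw dd image has no header at all, so it is rejected here."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2:
        raise ValueError("not an ELF64 file (raw dd image?)")
    (e_phoff,) = struct.unpack_from("<Q", blob, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", blob, 54)
    segs = []
    for i in range(e_phnum):
        p_type, _, p_off, _, p_paddr, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", blob, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((p_paddr, p_off, p_filesz))
    return segs

def paddr_to_offset(paddr, segs=None):
    """segs=None models a raw dd image: offset == paddr, which only holds if
    the copy is a gapless page-by-page image from 0. With PT_LOAD info the
    true offset is recorded and holes are reported as None."""
    if segs is None:
        return paddr
    for p_paddr, p_off, p_filesz in segs:
        if p_paddr <= paddr < p_paddr + p_filesz:
            return p_off + (paddr - p_paddr)
    return None

def demo():
    # Physical layout: page 0 readable, page at 0x1000 unreadable (hole), page at 0x2000 readable.
    core = build_elf_core([(0x0, b"A" * PAGE), (0x2000, b"B" * PAGE)])
    segs = parse_load_segments(core)
    raw_image = b"A" * PAGE + b"B" * PAGE   # dd output if read_mem() skipped the hole
    raw_off = paddr_to_offset(0x2000)       # raw model assumes 0x2000, past the end of the file
    return core, segs, raw_image, raw_off
```

Running demo() shows that the ELF dump locates the page at physical 0x2000 correctly and flags 0x1000 as missing, while the raw model's offset 0x2000 falls outside the 8 KiB dd image.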