[Crash-utility] DD image

takuo.koguchi.sw at hitachi.com
Wed Apr 13 15:48:00 UTC 2011


Hi Dave,

Crash utility support for such a raw dumpfile would be really useful for some embedded devices.
Such devices typically have no storage resource to write the dumpfile in a supported format, but another CPU on the system can take the physical memory contents out to a connected debugger PC. In this case, only a raw dumpfile is available, since the latter CPU does not have knowledge of the crashed kernel.
Writing a small utility which converts a raw dump to one of the supported formats might be an idea.  But it probably requires information from vmlinux.
So it seems natural to me that the crash utility should support raw dumpfiles by itself.

Best Regards,

Takuo Koguchi

>
>----- Original Message -----
>> Hi,
>> 
>> 
>> Recently, some forensic research suggested utilizing the Crash
>> utility as an independent solution to parse Linux memory dumps in order to
>> extract forensic artifacts. But in real forensic cases, where there is
>> a need for minimizing the footprint on the compromised system, the
>> forensic analyst would perform only one action, which is a physical
>> memory capture with dd, to minimize the footprint. I just wonder if
>> there is any chance that the Crash utility would support a dd image.
>> 
>> Thanks,
>> Amer
>
>Certainly there is no support for such a raw dumpfile format.
>
>But I don't really understand what you mean by saying that the
>use of dd "would minimize the footprint"?  I presume that you
>are asking whether you could do something like this on a live
>system?:
>
>  $ dd if=/dev/mem of=memory-image
>  $ crash vmlinux memory-image
>
>Theoretically it could be done, presuming that the read_mem()
>function in the /dev/mem driver would never fail until it reached
>the end of physical memory, i.e., would create an exact page-by-page
>copy of all physical pages from 0 to the end of physical memory.  
>
>But if that's the case, and you can run crash on the system that
>you want to dump, try the "snap.so" extension module that comes
>with the crash utility source package.  It creates a dumpfile
>while running on a live system, in an ELF format that crash 
>understands.
>
>Dave
>
>--
>Crash-utility mailing list
>Crash-utility at redhat.com
>https://www.redhat.com/mailman/listinfo/crash-utility
>
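Worked example, added here and not code from the crash project or from anyone in this thread: the "small utility which converts a raw dump to one of the supported formats" that Takuo mentions, in C. It prepends an ELF64 core-file header to a raw image such as the one Dave's `dd if=/dev/mem of=memory-image` would produce, so the result can be handed to crash as an ELF dumpfile. The header only records where in the file physical memory lives, so this step needs nothing from vmlinux; crash still reads its symbols from vmlinux when it loads the file. Everything beyond the thread is an assumption and is marked as such in the comments: an x86_64 target, a contiguous image starting at physical address 0 (or the base given on the command line), a 336-byte NT_PRSTATUS note body left zeroed because a dd image carries no register state, and that crash's ELF reader is satisfied by one PT_NOTE plus one PT_LOAD whose p_paddr gives the physical base. The file name rawdump2elf and the function names are made up for this example. Two caveats a practitioner should check before relying on it: Dave's premise that /dev/mem yields an exact page-by-page copy does not hold on kernels built with CONFIG_STRICT_DEVMEM, which refuse reads of RAM above the first megabyte, and a raw image that skips reserved physical ranges would need one PT_LOAD per "System RAM" range rather than the single segment written here.

```c
/* rawdump2elf.c -- wrap a raw physical-memory image (e.g. "dd if=/dev/mem")
 * in an ELF64 core-file header so it can be opened with "crash vmlinux out.elf".
 * Added example for this thread; not code from the crash project.
 * Assumptions (not established by the thread): x86_64 target, contiguous image
 * starting at phys_base, and crash accepting one PT_NOTE plus one PT_LOAD. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal ELF64 definitions (same layout as <elf.h>) so this builds anywhere. */
#define EI_NIDENT 16
typedef struct {
    unsigned char e_ident[EI_NIDENT];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf64_Ehdr;
typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} Elf64_Phdr;
typedef struct { uint32_t n_namesz, n_descsz, n_type; } Elf64_Nhdr;

enum { ET_CORE = 4, EM_X86_64 = 62, PT_LOAD = 1, PT_NOTE = 4, NT_PRSTATUS = 1 };
#define PRSTATUS_SIZE 336   /* sizeof(struct elf_prstatus) on x86_64 Linux (assumed) */
#define HEADER_SIZE   4096  /* ELF header + phdrs + note, padded to a page */

/* Build ELF header, PT_NOTE and PT_LOAD into a fresh HEADER_SIZE buffer.
 * The raw image is expected to follow at file offset HEADER_SIZE. */
uint8_t *build_core_header(uint64_t image_size, uint64_t phys_base)
{
    uint8_t *buf = calloc(1, HEADER_SIZE);
    if (!buf) return NULL;

    Elf64_Ehdr eh = {0};
    memcpy(eh.e_ident, "\x7f""ELF", 4);
    eh.e_ident[4] = 2;                 /* ELFCLASS64 */
    eh.e_ident[5] = 1;                 /* ELFDATA2LSB */
    eh.e_ident[6] = 1;                 /* EV_CURRENT */
    eh.e_type = ET_CORE; eh.e_machine = EM_X86_64; eh.e_version = 1;
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = 2;

    uint64_t note_off = sizeof(Elf64_Ehdr) + 2 * sizeof(Elf64_Phdr);
    Elf64_Nhdr nh = { 5, PRSTATUS_SIZE, NT_PRSTATUS };   /* name "CORE\0" */
    uint64_t note_len = sizeof nh + 8 + PRSTATUS_SIZE;   /* name padded to 8 */

    Elf64_Phdr ph[2];
    memset(ph, 0, sizeof ph);
    ph[0].p_type = PT_NOTE; ph[0].p_offset = note_off;
    ph[0].p_filesz = ph[0].p_memsz = note_len;
    ph[1].p_type = PT_LOAD; ph[1].p_flags = 7;           /* R|W|X */
    ph[1].p_offset = HEADER_SIZE; ph[1].p_paddr = phys_base;
    ph[1].p_vaddr = 0;   /* crash keys on p_paddr; kernel direct-map vaddr unknown here */
    ph[1].p_filesz = ph[1].p_memsz = image_size; ph[1].p_align = 4096;

    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + eh.e_phoff, ph, sizeof ph);
    memcpy(buf + note_off, &nh, sizeof nh);
    memcpy(buf + note_off + sizeof nh, "CORE", 5);
    /* prstatus body stays zero: a dd image carries no register state */
    return buf;
}

/* Parse a header back: 1 if it is an ELF64 ET_CORE whose PT_LOAD describes
 * image_size bytes at phys_base stored at offset HEADER_SIZE, else 0. */
int check_core_header(const uint8_t *buf, size_t len, uint64_t image_size, uint64_t phys_base)
{
    Elf64_Ehdr eh; Elf64_Phdr ph;
    if (!buf || len < sizeof eh) return 0;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f""ELF", 4) || eh.e_ident[4] != 2 || eh.e_type != ET_CORE) return 0;
    if (eh.e_phentsize != sizeof ph || eh.e_phoff + (uint64_t)eh.e_phnum * sizeof ph > len) return 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        memcpy(&ph, buf + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_LOAD)
            return ph.p_offset == HEADER_SIZE && ph.p_paddr == phys_base
                && ph.p_filesz == image_size && ph.p_memsz == image_size;
    }
    return 0;
}

/* Copy raw_path into elf_path behind a freshly built header. 0 on success. */
int wrap_raw_dump(const char *raw_path, const char *elf_path, uint64_t phys_base)
{
    FILE *in = fopen(raw_path, "rb");
    FILE *out = fopen(elf_path, "wb");
    int rc = -1;
    if (in && out && fseek(in, 0, SEEK_END) == 0) {
        long size = ftell(in);
        uint8_t *hdr = size >= 0 ? build_core_header((uint64_t)size, phys_base) : NULL;
        if (hdr && fseek(in, 0, SEEK_SET) == 0 && fwrite(hdr, 1, HEADER_SIZE, out) == HEADER_SIZE) {
            uint8_t chunk[1 << 16]; size_t n; rc = 0;
            while ((n = fread(chunk, 1, sizeof chunk, in)) > 0)
                if (fwrite(chunk, 1, n, out) != n) { rc = -1; break; }
            if (ferror(in)) rc = -1;
        }
        free(hdr);
    }
    if (in) fclose(in);
    if (out) fclose(out);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s raw-image out.elf [phys-base-hex]\n", argv[0]);
        return 2;
    }
    uint64_t base = argc > 3 ? strtoull(argv[3], NULL, 16) : 0;
    if (wrap_raw_dump(argv[1], argv[2], base) != 0) { perror(argv[2]); return 1; }
    return 0;   /* then: crash vmlinux out.elf */
}
```

Build with `cc -o rawdump2elf rawdump2elf.c`, run `./rawdump2elf memory-image memory-image.elf`, then `crash vmlinux memory-image.elf`. check_core_header is the self-check: it re-parses the header the way a consumer would and confirms the single PT_LOAD points at the raw data with the expected physical base and size, so a wrong base or truncated image is caught before crash is involved.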



