dudeking (4292, 15d): I believe dump files are files you can read, not sure tho 🤔
iAmNaN (7474, 15d): Does anyone remember PEEK and POKE?
Root (48084, 15d): Security issues and reserved areas.
You may have root permissions, but your name isn't Colonel Desmond.
Think: passwords, encryption keys, the kernel, etc. are all stored in memory. Allowing arbitrary processes unfettered read access to memory is a gigantic security hole. Segfaults exist for a reason!
This used to be the case until people realized they don't want the sensitive info stored in certain memory locations to be accessible by any program they just so happen to run.
ddephor (4102, 15d): What do you want to do with the raw memory?
A PC is not a small microcontroller with direct memory access. We're talking about process memory, virtual memory, various caches, processors prefetching and out-of-order execution. All of that affects the memory contents.
Without the state and information of the OS and the running processes, the raw memory content is just uninterpretable 0s and 1s.
I wish to find traces of running software, services etc. Whatever I can find.
Currently I can use LiME to get the memory dump and then use Volatility to achieve this task.
But if LiME is just reading RAM, then why do I have to compile it for every different distribution?
I suppose it could be because how memory is mapped or something but why does it matter to an acquisition tool?
It just needs to read and get the raw data right?
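As an added illustration of the LiME dump the thread is discussing (example code, not from the thread or from the LiME project): LiME does not write one flat image of RAM, it writes each acquired physical range behind a small header, skipping reserved and device regions, and an analysis tool must walk those headers to find where a given physical address lives in the file. The parser below uses the 32-byte range header layout from LiME's lime.h; the sample image and the hole between its two ranges are constructed here for the test.

```python
import struct

# LiME range header (32 bytes, little-endian), as defined in lime.h:
#   u32 magic = 0x4C694D45 ("EMiL" on disk), u32 version = 1,
#   u64 s_addr, u64 e_addr (inclusive), u8 reserved[8]
LIME_MAGIC = 0x4C694D45
HEADER = struct.Struct("<IIQQ8s")

def parse_lime(image: bytes):
    """Return [(start, end, data_offset)] for every range in a LiME dump."""
    ranges, off = [], 0
    while off < len(image):
        if len(image) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off:#x}")
        magic, version, s_addr, e_addr, _ = HEADER.unpack_from(image, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#x} at offset {off:#x}")
        if version != 1:
            raise ValueError(f"unsupported LiME version {version}")
        if e_addr < s_addr:
            raise ValueError("range end precedes start")
        if ranges and s_addr <= ranges[-1][1]:
            raise ValueError("ranges overlap or are out of order")
        size = e_addr - s_addr + 1
        data_off = off + HEADER.size
        if data_off + size > len(image):
            raise ValueError(f"truncated range data at offset {data_off:#x}")
        ranges.append((s_addr, e_addr, data_off))
        off = data_off + size
    return ranges

def phys_to_offset(ranges, paddr):
    """Map a physical address to its file offset, or None if it falls in a
    hole (reserved/MMIO region) that the acquisition skipped."""
    for s_addr, e_addr, data_off in ranges:
        if s_addr <= paddr <= e_addr:
            return data_off + (paddr - s_addr)
    return None

def build_lime(ranges):
    """Constructed test image: pack (start, data) pairs as LiME ranges."""
    out = bytearray()
    for s_addr, data in ranges:
        out += HEADER.pack(LIME_MAGIC, 1, s_addr, s_addr + len(data) - 1, b"\0" * 8)
        out += data
    return bytes(out)

# Constructed sample: two ranges with a hole between 0x2000 and 0x8fff
SAMPLE = build_lime([(0x1000, b"A" * 0x1000), (0x9000, b"B" * 0x800)])
```

Volatility's LiME address space does the same walk before any profile-specific parsing, which is why a dump with an unexpected header layout or version is rejected before the kernel structures are even looked at.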
ddephor (4102, 15d): I don't know LiME, but I assume it processes and arranges the memory based on the current system state for an analysis. The raw memory content would be much harder to use.
Take a look at https://edn.com/design/..., this is just the cache architecture of an i7, and a lot of that is used mainly before main memory is even involved
Gogeta70 (2913, 15d): RAM isn't so easy. You have things paged out to swap, and with virtual memory enabled, you can't access RAM by physical address anymore. Essentially, you'd need to read the page tables to find out what virtual address maps to what physical address, etc. It's quite a process, and it requires ring 0 permissions.