
I dumped the RAM of a Windows 7 PC using LiveKd, which basically worked. The memory was dumped, but then converting the binary dump into "summary format" failed. When I then tried to read the file using Volatility, it tells me there is no suitable address space mapping, which is logical. Is there a way to convert the raw memory dump into a format that is recognized by Volatility?

davidb

1 Answer


By default, LiveKD acquires a kernel memory dump that appears as a crash dump file, not a complete raw dump of the contents of RAM. Volatility requires a complete memory dump. I recommend any of these tools for Windows memory imaging. The goal of LiveKD is for debugging, not forensic analysis (KD = kernel debugging). It's an alternative to having to use WinDbg and KD via a serial connection to debug the kernel 'live' (and the system doesn't have to be booted in debug mode). LiveKD fools the debuggers into thinking that they are looking at a crash dump file by implementing a file system filter driver that presents a 'virtual' crash dump file that debuggers can open.

With that said, the dump from LiveKD technically may contain a complete dump of RAM if the correct options were given to it, but with a header preceding it so that debuggers recognize the file format as a crash dump file. A crash dump file is simply a file header followed by the contents of physical memory, so that the driver can satisfy reads of the virtual dump file with the contents of physical memory, which the driver can easily read from the \Device\PhysicalMemory section object the memory manager creates.

In the book The Art of Memory Forensics, written by the creators of Volatility, they discuss the structure of Windows crash dumps on pp. 96-98, explaining that "the Windows crash dump file format was designed for debugging purposes" and that they begin with either a _DMP_HEADER or _DMP_HEADER64 structure (p. 96). The authors clarify that only complete memory dumps are compatible with Volatility, not kernel memory dumps or small dumps (here is a MS TechNet blog entry that explains the difference).

I personally use the 010 Hex Editor for many forensic parsing tasks involving binary data, and it has a pre-made template for parsing 32-bit crash dumps. See the Volatility documentation for further information about the crash dump header formats.

Dan
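Before handing a LiveKD output file to Volatility it is worth checking which kind of dump the header describes. The script below is an added example (not from the answer, the book, or Volatility itself) that reads the _DMP_HEADER / _DMP_HEADER64 fields the answer mentions; the field offsets are taken from the publicly documented crash dump layout, and the sample headers are constructed inside the script rather than taken from a real machine.

```python
import struct

# DumpType values (same meaning in _DMP_HEADER and _DMP_HEADER64)
DUMP_TYPES = {1: "full", 2: "kernel/summary", 3: "header", 4: "triage",
              5: "bitmap full", 6: "bitmap kernel", 7: "automatic"}
PAGE = 0x1000  # header occupies one page; physical memory follows it


def parse_dmp_header(data: bytes) -> dict:
    """Classify the first page of a dump file.

    'pages' is NumberOfPages from the physical memory descriptor, so a
    complete dump should be about 'expected_size' bytes on disk.
    """
    result = {"format": "raw/unknown", "dump_type": None,
              "complete": False, "pages": 0, "expected_size": None}
    if data[0:4] == b"MDMP":            # small (mini) dump, not usable by Volatility
        result["format"] = "minidump (small dump)"
        return result
    if len(data) < PAGE or data[0:4] != b"PAGE" or data[4:8] not in (b"DUMP", b"DU64"):
        return result                   # no crash dump header: likely a raw image
    if data[4:8] == b"DUMP":            # 32-bit _DMP_HEADER
        result["format"] = "crash dump 32-bit (_DMP_HEADER)"
        dump_type = struct.unpack_from("<I", data, 0xF88)[0]
        result["pages"] = struct.unpack_from("<I", data, 0x68)[0]
    else:                               # 64-bit _DMP_HEADER64
        result["format"] = "crash dump 64-bit (_DMP_HEADER64)"
        dump_type = struct.unpack_from("<I", data, 0xF98)[0]
        result["pages"] = struct.unpack_from("<Q", data, 0x90)[0]
    result["dump_type"] = DUMP_TYPES.get(dump_type, f"unknown({dump_type})")
    result["complete"] = dump_type == 1
    result["expected_size"] = PAGE + result["pages"] * PAGE
    return result


def build_sample_header(bits: int, dump_type: int, pages: int) -> bytes:
    """Constructed sample header for demonstration; not a real dump."""
    hdr = bytearray(PAGE)
    hdr[0:4] = b"PAGE"
    if bits == 32:
        hdr[4:8] = b"DUMP"
        struct.pack_into("<I", hdr, 0xF88, dump_type)
        struct.pack_into("<I", hdr, 0x68, pages)
    else:
        hdr[4:8] = b"DU64"
        struct.pack_into("<I", hdr, 0xF98, dump_type)
        struct.pack_into("<Q", hdr, 0x90, pages)
    return bytes(hdr)


if __name__ == "__main__":
    print(parse_dmp_header(build_sample_header(64, 2, 0x20000)))
```

On a real file, read the first 0x1000 bytes and compare `expected_size` with the file size: a kernel/summary dump reports a DumpType of 2 and is far smaller than the physical memory it describes.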