How to Export/Parse files from memory.dmp?

1

1

My computer got a bluescreen and saved all info to a memory file before restarting. I have memory.dmp, and I have some very important files that I didn't save.

All the files I need to recover were txt files, which I opened in Notepad and didn't save; once my computer crashed, I lost them. All were plain text.

I have looked at programs like WinDbg but couldn't find a proper solution. I am starting to think that the memory.dmp file doesn't have the raw data; does it just have logs in it?

Please show me a way to recover my unsaved files from Memory.dmp.

I am using Windows Vista.

met.in

Posted 2011-04-13T20:26:39.433

Reputation: 11

Answers

2

Well. This is an interesting exercise. If I were you, I would probably read the memory dump byte by byte (not the whole file) and encode the bytes to ASCII.

This for sure is not the "elegant" solution you would expect, and it is going to take some time to go over that output, but you should be able to recognize parts of your texts and, with a little luck, put them together again.

David Urbina

Posted 2011-04-13T20:26:39.433

Reputation: 21

1

The problem is that the memory dump doesn't contain the needed data in one single place. This is because of how applications work. They allocate memory in parts, not the complete block at one time; this is why the data stored in RAM can be in different places in RAM, not in one chunk as it is saved on the hard drive.

So, to restore the files you should probably check the whole file and take the lost data out part by part... Rewriting it from scratch can be a lot easier.

Evengard

Posted 2011-04-13T20:26:39.433

Reputation: 1 500

Yes, I know it is separated chunk by chunk, and the addressing is not linear. I would need a way to restore that data. Any recommendations? – met.in – 2011-04-13T21:19:21.820

1 As the other answerer (TheCompWiz) stated, there is a chance that the file doesn't contain the needed data (if it does, it should be the same size as your used RAM when the BSoD happened). If it is a full RAM dump, still, there is no "system" to how the data is stored - in the worst case each character is in its own place. Try to search for some words which you remember were inside the file - maybe you will be lucky enough to restore parts of the text. – Evengard – 2011-04-13T21:23:50.517

The size of the file is exactly the same as my RAM. Which tool do you recommend for searching a 2 GB file? – met.in – 2011-04-13T21:40:33.943

Try some kind of hex editor, for example Notepad++ with the hex plugin, or FAR, or whatever (google them). Try both ASCII and Unicode search. – Evengard – 2011-04-13T21:45:17.823

Notepad++ didn't work out as the file size is huge. I tried to open it with WordPad and it really didn't load, since the file is exactly the same size as my RAM. Any solution? – met.in – 2011-04-15T06:33:25.667

Try another hex editor. Choose one from here: http://en.wikipedia.org/wiki/Comparison_of_hex_editors – Evengard – 2011-04-15T08:56:11.040
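The approach suggested in the answers and comments above (read the dump in pieces rather than loading it whole, and search for remembered words as both ASCII and Unicode) can be scripted. The following is an added example, not code from any poster: `search_dump` and `make_sample_dump` are hypothetical names, the sample "dump" is constructed, "Unicode" is taken to mean UTF-16LE (how Windows holds wide-character text in memory), and the lost text is assumed to be ASCII-range.

```python
import sys

def _text_run(f, off, enc, context):
    """Return the readable ASCII-range text surrounding the hit at byte `off`."""
    width = 2 if enc == "utf-16-le" else 1
    start = max(off % width, off - context * width)  # keep 2-byte alignment
    f.seek(start)
    raw = f.read(2 * context * width)
    left = raw[:off - start].decode(enc, "replace")
    right = raw[off - start:].decode(enc, "replace")
    # Assumption: the lost notes are ASCII-range text; any other char ends the run.
    ok = lambda c: " " <= c <= "~" or c in "\r\n\t"
    lo, hi = len(left), 0
    while lo and ok(left[lo - 1]):
        lo -= 1
    while hi < len(right) and ok(right[hi]):
        hi += 1
    return left[lo:] + right[:hi]

def search_dump(path, needle, context=256, chunk_size=8 * 1024 * 1024):
    """Stream the file; return sorted (offset, encoding, text) hits for `needle`."""
    pats = {enc: needle.encode(enc) for enc in ("ascii", "utf-16-le")}
    keep = max(map(len, pats.values())) - 1   # bytes carried across chunk edges
    found, tail, base = [], b"", 0            # base = file offset of buf[0]
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            buf = tail + chunk
            for enc, pat in pats.items():
                i = buf.find(pat)
                while i != -1:
                    if i + len(pat) > len(tail):   # else already reported last round
                        found.append((base + i, enc))
                    i = buf.find(pat, i + 1)
            tail = buf[-keep:] if keep else b""
            base += len(buf) - len(tail)
        return sorted((o, e, _text_run(f, o, e, context)) for o, e in found)

def make_sample_dump(path):
    """Constructed stand-in for memory.dmp: filler bytes around two text fragments."""
    with open(path, "wb") as f:
        f.write(b"\x00\xff" * 500 + b"\x01")
        f.write("Meeting notes: call Anna on Friday".encode("utf-16-le"))
        f.write(b"\x00\x00\x90\x90" * 300)
        f.write(b"todo: call Anna back\x00" + b"\xff" * 100)

if __name__ == "__main__":  # python search_dump.py memory.dmp "remembered words"
    for off, enc, text in search_dump(sys.argv[1], sys.argv[2]):
        print(f"{off:#x} [{enc}] {text!r}")
```

Each hit reports only the contiguous readable run around the remembered words, so text that was split across separate allocations shows up as several hits to be pieced together by hand.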

1

Use LTFViewr and search through the .dmp file. I don't know if it can find anything.

But at least it can search through the whole file. It will take a while.

AssemTim

Posted 2011-04-13T20:26:39.433

Reputation: 11

0

First, you're going to spend 10x longer than it would take to re-type them trying to recover whatever files you were working on.

Second, the "files" in question will not exist as "files" in memory. They will simply exist as allocated blocks of memory (probably fragmented into several locations), and may not even slightly resemble the end result you remember looking at.

Third, the memory.dmp file typically only contains the memory allocated to the faulting thread. If it wasn't your editor that crashed, then the memory.dmp probably doesn't contain anything useful to you. It's highly unlikely that "notepad" was the thread that crashed... and even if it was, you would only recover that one instance of notepad.

I wish I didn't sound like a jerk for saying this... but that is EXACTLY why you should save frequently.

TheCompWiz

Posted 2011-04-13T20:26:39.433

Reputation: 9 161

1 I really believe that the file contains all the necessary files I need to recover, since the file size is near my memory capacity. Also, I consume the memory (generally 90%). And I am sure that it was not Notepad that crashed my computer. So which editor should I use, or how can I be sure that those files are not on my HDD? I am sure what I have written into the txt files is somehow in plaintext. So I might search the RAM? (After I convert some plaintext I remember to hex data.) – met.in – 2011-04-13T21:22:10.893