Memory imaging is the process of making a bit-by-bit copy of memory. In principle it is similar to Disk Imaging.
For physical memory it is common to have sections that are not accessible, e.g. because of memory-mapped I/O.
The resulting copy is stored in a Forensics image format. Some of these formats have means to differentiate between an image of memory and e.g. that of a disk.
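The inaccessible sections mentioned above, made concrete in an added example that is not part of the original page: on Linux the kernel lists the physical address map in /proc/iomem, and an acquisition tool can read only the ranges labelled System RAM and record everything in between as a hole. The sample map and all function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of Linux /proc/iomem: top-level entries are
# unindented, nested entries are indented. Addresses are illustrative only.
SAMPLE_IOMEM = """\
00000000-00000fff : Reserved
00001000-0009fbff : System RAM
0009fc00-0009ffff : Reserved
000a0000-000bffff : PCI Bus 0000:00
00100000-bffdffff : System RAM
  01000000-01c031d0 : Kernel code
bffe0000-bfffffff : Reserved
c0000000-febfffff : PCI Bus 0000:00
  fe000000-fe7fffff : 0000:00:02.0
100000000-13fffffff : System RAM
"""

LINE = re.compile(r"^([0-9a-fA-F]+)-([0-9a-fA-F]+) : (.+)$")

def parse_top_level(text):
    """Return sorted [(start, end, name)] for unindented entries; end is inclusive."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)  # indented (nested) lines fail the '^hex' anchor
        if m:
            out.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3).strip()))
    return sorted(out)

def plan_acquisition(text):
    """Split the physical address space into RAM runs to read and holes to skip."""
    ram, skipped, cursor = [], [], 0
    for start, end, name in parse_top_level(text):
        if name != "System RAM":
            continue
        if start > cursor:
            skipped.append((cursor, start - 1))  # MMIO, reserved or unmapped
        ram.append((start, end))
        cursor = end + 1
    return ram, skipped

def size(ranges):
    """Total number of bytes covered by a list of inclusive ranges."""
    return sum(end - start + 1 for start, end in ranges)

if __name__ == "__main__":
    ram, skipped = plan_acquisition(SAMPLE_IOMEM)
    for label, ranges in (("read", ram), ("skip", skipped)):
        for s, e in ranges:
            print(f"{label}  {s:#014x}-{e:#014x}")
    print(f"RAM bytes: {size(ram)}, hole bytes: {size(skipped)}")
```

Whether a hole is padded or recorded as a gap depends on the image format, which is why the resulting image can be smaller or larger than the installed RAM.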
Reading from the Physical Memory Object
In Windows the Physical Memory Object, \\Device\PhysicalMemory, can be used to access physical memory. Since Windows 2003 SP1 user-mode access to this device object is no longer permitted. A kernel-mode process is still allowed to read from this device object.
The MmMapIoSpace function (or routine) is a kernel-mode function that maps a physical address range to non-paged system space.
- Wikipedia article on Memory-mapped I/O
- Anti-forensic resilient memory acquisition, by Johannes Stuettgen, Michael Cohen, August 2013
- 64bit Big Sized RAM Image Acquisition Problem, by Takahiro Haruyama, January 7, 2014
- All memory dumping tools are not the same, by Brian Moran, January 14, 2014
- Robust Linux memory acquisition with minimal target impact, by Johannes Stüttgen, Michael Cohen, May 2014