Difference between pages "Tools:Data Recovery" and "Tools:Memory Imaging"

From Forensics Wiki
(Difference between pages)
(Data Recovery)
 
(Unix)
 
Line 1: Line 1:
= Partition Recovery =
+
The [[physical memory]] of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between [[operating systems]], these tools are listed by operating system. Once memory has been imaged, it is subjected to [[memory analysis]] to ascertain the state of the system, extract artifacts, and so on.
  
*[http://www.stellarinfo.com/recover-windows-nt.htm NTFS Partition Recovery]
+
One of the most vexing problems for memory imaging is verifying that the image has been created correctly. That is, verifying that it reflects the actual contents of memory at the time of its creation. Because the contents of memory are constantly changing on a running system, the process can be repeated but the results will never--to a high degree of probability--be the same. Thus, repeating the acquisition and comparing the results is not a feasible means of validating correct image creation.  [[Memory analysis]] can reveal whether the image's contents are consistent with the known layout and structure of a given operating system, as well as answering other questions, but it cannot answer the question as to whether the image accurately reflects the system from which it was taken at the time it was taken.
: Stellar NTFS Data Recovery Software to recover data from Windows based NTFS/NTFS5 file systems
+
  
*[http://www.infinadyne.com/cddvd_diagnostic.html CD/DVD Diagnostic]
+
== Memory Imaging Techniques ==
: Recover data and video from CDs/DVDs/Blu-Ray.  This is specifically not for forensic purposes but for data recovery.  A different tool called CD/DVD Inspector is for forensic examination of optical media.
+
  
*[http://www.ptdd.com/index.htm Partition Table Doctor]
+
; Crash Dumps
: Recover deleted or lost partitions (FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP).
+
: When configured to create a full memory dump, [[Windows]] operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. [[Andreas Schuster]] has a [http://computer.forensikblog.de/en/2005/10/acquisition_2_crashdump.html blog post] describing this technique.
 +
; LiveKd Dumps
 +
: The [[Sysinternals]] tool [http://www.microsoft.com/technet/sysinternals/SystemInformation/LiveKd.mspx LiveKd] can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command ".dump -f [output file]"
 +
; Hibernation Files
 +
: [[Windows]] 98, 2000, XP, 2003, and Vista support a feature called [[hibernation]] that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of [[physical memory]], is written to the disk on the system drive, usually C:, as [[hiberfil.sys]]. This file can be parsed and decompressed to obtain the memory image. Once [[hiberfil.sys]] has been obtained, [http://sandman.msuiche.net/ Sandman] can be used to convert it to a dd image.
 +
: [[Mac OS X]] very kindly creates a file called '''/var/vm/sleepimage''' on any laptop that is suspended. This file is NOT erased when the machine starts up. It is unencrypted even if the user turns on [[File Vault]] and enables Secure Virtual Memory. [http://pc-eye.blogspot.com/2008/08/live-memory-dump-on-mac-laptops.html].
 +
; Firewire
 +
: It is possible for [[Firewire]] or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on other can cause system crashes. The technology holds promise for future development, in general should be avoided for now.
 +
: At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] discussed an [[exploit]] which uses [[DMA]] to read arbitrary memory locations of a [[firewire]]-enabled system. The [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] lists more details. The exploit is run on an [http://ipodlinux.org/Main_Page iPod running Linux]. This can be used to grab screen contents.
 +
: This technique has been turned into a tool that you can download from:  http://www.storm.net.nz/projects/16
 +
: Goldfish is a tool that is being developed to get RAM from a Mac. Contact cybercrime.com.
  
*[http://www.diskinternals.com/ntfs-recovery/ NTFS Recovery]
+
== Memory Imaging Tools ==
: DiskInternals NTFS Recovery is a fully automatic utility that recovers data from damaged or formatted disks.
+
===x86 Hardware===
 +
; Tribble PCI Card (research project)
 +
: http://www.digital-evidence.org/papers/tribble-preprint.pdf
  
*[http://www.stud.uni-hannover.de/user/76201/gpart/ gpart]
+
; CoPilot by Komoku
: Gpart is a tool which tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
+
: Komoku was acquired by Microsoft and the card was not made publicly available.
  
*[http://www.cgsecurity.org/wiki/TestDisk TestDisk]
+
; Forensic RAM Extraction Device (FRED) by BBN
: [[TestDisk]] is an OpenSource software and is licensed under the GNU Public License (GPL).
+
: Not publicly available. http://www.ir.bbn.com/~vkawadia/
  
*[http://www.stellarinfo.com/partition-recovery.htm Partition Recovery Software]
+
===[[Windows]] Software===
: Partition Recovery software for NTFS & FAT system that examines lost windows partition of damaged and corrupted hard drive.
+
; winen.exe (Guidance Software - included with Encase 6.11 and higher)
 +
: included on [http://www.e-fense.com/helix/ Helix 2.0]
 +
: http://forensiczone.blogspot.com/2008/06/winenexe-ram-imaging-tool-included-in.html
  
== See Also ==
+
; [[WinDD]]
 +
: included on [http://www.e-fense.com/helix/ Helix 2.0]
 +
: http://windd.msuiche.net/
 +
: http://www.msuiche.net/2008/06/14/capture-memory-under-win2k3-or-vista-with-win32dd/
  
* [http://support.microsoft.com/?kbid=166997 Using Norton Disk Edit to Backup Your Master Boot Record]
+
; [[Mdd]] (Memory DD) ([[ManTech]])
 +
: included on [http://www.e-fense.com/helix/ Helix 2.0]
 +
: http://sourceforge.net/projects/mdd
  
== Notes ==
+
; F-Response with FTK imager, dd, Encase, WinHex, etc
 +
: Beta 2.03 provides remote access to memory that can be acquired using practically any standard imaging tool
 +
: http://www.f-response.com/index.php?option=com_content&task=view&id=79&Itemid=2
  
* "fdisk /mbr" restores the boot code in the [[Master Boot Record]], but not the partition itself. On newer versions of Windows you should use fixmbr, bootrec, mbrfix, or [[MBRWizard]]. You can also extract a copy of the specific standard MBR code from tools like bootrec.exe and diskpart.exe in Windows (from various offsets) and copy it to disk with dd (Use bs=446 count=1). For Windows XP SP2 c:\%WINDIR%\System32\diskpart.exe the MBR code is found between offset 1b818h and 1ba17h.
+
; MANDIANT Memoryze
 +
: Can capture and analyze memory. Supports reading dumps (raw/dd format) from other tools.
 +
: http://www.mandiant.com/software/memoryze.htm
  
= Data Recovery =
+
; [[Kntdd]]
The term "Data Recovery" is frequently used to mean forensic recovery, but the term really should be used for recovering data from damaged media.  
+
: http://www.gmgsystemsinc.com/knttools/
  
* [http://www.cnwrecovery.com/  CnW Recovery]
+
; [[dd]]
: Data recovery sofware for all file and media types.  Recovers corrupted, formatted, repartitioned and deleted files. RAID option and tools for HP MediaVault.  Optional forensic logging.
+
: On [[Microsoft Windows]] systems, [[dd]] can be used by an Administrator user to image memory using the ''\Device\Physicalmemory'' object. Userland access to this object is denied starting in Windows 2003 Service Pack 1 and Windows Vista.
  
* [http://www.datarecoverytools4u.com/product/data-extractor-dfl-de/ DFL-DE Data Recovery Tool]
+
; Windows Memory Forensic Toolkit (WMFT)
: Imaging and file recovery from all hdd brands, common repairing seagate, samsung and wd hard drives.
+
: http://forensic.seccure.net/
 +
: http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf
  
* [http://www.stellarinfo.com/ Stellar Data Recovery]
+
; Nigilant32
: Data recovery software services & tools to recover lost data from hard drive.
+
: http://www.agilerm.net/publications_4.html
  
* [http://www.datarecoverytools4u.com/ DDL Data Recovery Tools]
+
;[[HBGary]]: Fastdump and Fastdump Pro
: Advanced data recovery tools for recovering data from logically and physically damaged hard drives.
+
:http://www.hbgary.com
 +
:[[Fastdump]] (free with registration) Can acquire physical memory on Windows 2000 through Windows XP 32 bit but not Windows 2003 or Vista.
 +
:[[Fastdump Pro]] Can acquire physical memory on Windows 2000 through Windows 2008, all service packs.  Additionally, Fastdump Pro supports:
 +
:-32 bit and 64 bit architectures
 +
:-Acquisitions of greater than 4GB
 +
:-Fast acquisitions through the use of larger page sizes (1024KB) but also supports a strict mode that enforces 4KB page sizes.
 +
:-Process probing which allows for a more complete memory image of a process of interest.
 +
:-Acquisition of the system page file during physical memory acquisition.  This allows for a more complete memory analysis.
  
* [http://www.salvationdata.com/data-recovery-equipment/hd-doctor.htm HD Doctor Suite]
+
===Unix===
: HD Doctor Suite is a set of professional tools used to fix firmware problem
+
;[[dd]]
 +
: On Unix systems, the program [[dd]] can be used to capture the contents of [[physical memory]] using a device file (e.g. <tt>/dev/mem</tt> and <tt>/dev/kmem</tt>).  In recent Linux kernels, /dev/kmem is no longer available.  In even more recent kernels, /dev/mem has additional restrictions.  And in the most recent, /dev/mem is no longer available by default, either.  The throughout the 2.6 kernel series has been to reduce direct access to memory via pseudo-device files.  See, for example, the message accompanying this patch: http://lwn.net/Articles/267427/.
 +
;[http://www.pikewerks.com/sl/ Second Look]
 +
: This memory analysis product has the ability to acquire memory from Linux systems, either locally or from a remote target via DMA.
 +
; Idetect (Linux)
 +
: http://forensic.seccure.net/
 +
; fmem (Linux)
 +
fmem is kernel module, that creates device /dev/fmem, similar to /dev/mem but without limitations.
 +
This device (physical RAM) can be copied using dd or other tool.
 +
Works on 2.6 Linux kernels.
 +
Under GNU GPL.
 +
[http://hysteria.sk/~niekt0/foriana/fmem_current.tgz fmem]
  
* [http://www.datarecoverytools4u.com/product/dfl-data-dr-pro-usb-3-data-recovery-equipment/ DFL-Data Dr. Pro]
+
==See Also==
: One high-speed USB3.0 data recovery equipment for both good and faulty hard drives with image module, file recovery module and common hdd repair module.
+
* [[Windows Memory Analysis]]
 +
* http://blogs.23.nu/RedTeam/0000/00/antville-5201/
 +
* http://www.storm.net.nz/projects/16
 +
* http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf
  
*[http://www.salvationdata.com SalvationDATA]
+
== External Links ==
: Claims to have a program that can read the "bad blocks" of Maxtor drives with proprietary commands.
+
* [http://www.syngress.com/book_catalog/sample_159749156X.PDF  Windows Memory Analysis (Sample Chapter)]
  
*[http://www.toolsthatwork.com/bringback.htm BringBack]
+
[[Category:Tools]]
: BringBack offers easy to use, inexpensive, and highly successful data recovery for Windows and Linux (ext2) operating systems and digital images stored on memory cards, etc.
+
 
+
*[http://www.runtime.org/raid.htm RAID Reconstructor]
+
: Runtime Software's RAID Reconstructor will reconstruct RAID Level 0 (Striping) and RAID Level 5 drives.
+
 
+
* [http://www.e-rol.com/en/ e-ROL]
+
: Erol allows you to recover through the internet files erased by mistake. Recover your files online for free.
+
 
+
* [http://www.recuva.com/ Recuva]
+
: Recuva is a freeware Windows tool that will recover accidentally deleted files.
+
 
+
* [http://www.datarecoverytools4u.com/dfl-wdii-review/ DFL-WDII]
+
: DFL-WDII is one advanced WD HDD firmware repair hardware tool.
+
 
+
* [http://www.snapfiles.com/get/restoration.html Restoration]
+
: Restoration is a freeware Windows software that will allow you to recover deleted files
+
 
+
* [http://www.undelete-plus.com/ Undelete Plus]
+
: Undelete Plus is a free deleted file recovery tool that works for all versions of Windows (95-Vista), FAT12/16/32, NTFS and NTFS5 filesystems and can perform recovery on various solid state devices.
+
 
+
* [http://www.data-recovery-software.net/ R-Studio]
+
: R-Studio is a data recovery software suite that can recover files from FAT(12-32), NTFS, NTFS 5, HFS/HFS+, FFS, UFS/UFS2 (*BSD, Solaris), Ext2/Ext3 (Linux) and so on.
+
 
+
* [http://www.deepspar.com/ DeepSpar Disk Imager]
+
: DeepSpar Disk Imager is a dedicated disk imaging device built to handle disk-level problems and to recover bad sectors on a hard drive.
+
 
+
* [http://digital-assembly.com/products/adroit-photo-recovery/ Adroit Photo Recovery]
+
: Adroit Photo Recovery is a photo recovery tool that uses validated carving and is able to recover fragmented photos. Adroit Photo Recovery is able
+
: to recover high definition RAW images from Canon, Nikon etc.
+
 
+
* [http://sourceforge.net/projects/freerecover/ FreeRecover]
+
: FreeRecover is a small program that can recover deleted files from NTFS drives.
+
 
+
See also [[Data Recovery Stories]]
+
 
+
=Carving=
+
 
+
*[http://www.digitalforensics.at/wordpress/?page_id=162&lang=en Multimedia File Carver]
+
: File carver that is specialized on the recovery of digital movies. Recovery is possible from fragmented files. Current status of this (open-source) program is a proof-of-concept that is suitable for smaller images. In the future much more improved performance can be expected. Further this carver will be extended to support the recovery of fragmented digital images.
+
 
+
*[http://www.cnwrecovery.com/ CnW Recovery]
+
: Data carving tools and will recover most know file types.  For some formats the files are verified and intelligent names added based on file metadata.  Several video formats can be reconstructed from isolated fragments.
+
 
+
*[http://www.datalifter.com/products.htm DataLifter® - File Extractor Pro]
+
: Data carving runs on multiple threads to make use of modern processors
+
 
+
* [http://sourceforge.net/projects/defraser/ NFI Defraser]
+
: "Defraser is a forensic analysis application that can be used to detect full and partial multimedia files in datastreams. It is typically used to find (and restore) complete or partial video files in datastreams (for instance, unallocated diskspace)." Written in C#; runs on Windows.
+
 
+
*[http://www.simplecarver.com/ Simple Carver Suite]
+
: Simple Carver Suite is a collection of unique tools designed for a number of purposes including data recovery, forensic computing and eDiscovery. The suite was originally designed for data recovery and has since expanded to include unique file decoding, file identification and file classification.
+
 
+
*[http://foremost.sourceforge.net/ Foremost]
+
: Foremost is a console program to recover files based on their headers, footers, and internal data structures.
+
 
+
*[http://www.digitalforensicssolutions.com/Scalpel/ Scalpel]
+
: Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions.
+
 
+
*[[EnCase]]
+
: EnCase comes with some enScripts that will do carving.
+
 
+
*[[CarvFs]]
+
: A virtual file system (fuse) implementation that can provide carving tools with the possibility to do recursive multi tool zero-storage carving (also called in-place carving). Patches and scripts for scalpel and foremost are provided. Works on raw and encase images.
+
 
+
*[[LibCarvPath]]
+
: A shared library that allows carving tools to use zero-storage carving on carvfs virtual files.
+
 
+
*[http://greg-kennedy.com/nwserver/?p=10 midi-carver]
+
: midi-carver is a data carver for MIDI files.
+
 
+
*[http://www.cgsecurity.org/wiki/PhotoRec PhotoRec]
+
: PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from Hard Disks and CDRom and lost pictures (thus, its 'Photo Recovery' name) from digital camera memory.
+
 
+
*[http://www.datarescue.com/photorescue/ PhotoRescue]
+
: Datarescue PhotoRescue Advanced is picture and photo data recovery solution made by the creators of IDA Pro. PhotoRescue will undelete, unerase and recover pictures and files lost on corrupted, erased or damaged compact flash (CF) cards, SD Cards, Memory Sticks, SmartMedia and XD cards.
+
 
+
* [http://sourceforge.net/projects/revit/ ReviveIt]
+
: Revive It (RevIt) is an experimental carving tool, initially developed for the DFRWS 2006 carving challenge. It uses 'file structure based carving'. Note that RevIt currently is a work in progress.
+
 
+
* [http://jbj.rapanden.dk/magicrescue/ Magic Rescue]
+
: Magic Rescue is a file carving tool that uses "magic bytes" in a file contents to recover data.
+
 
+
* [[FTK]]
+
: FTK2 includes some file carvers
+
 
+
* [[X-Ways]]
+
: X-Ways Forensic provides a robust list of file types as well as the ability to specific custom file headers/trailers.  File types are available for carving, identification and filtering.
+
 
+
*[[Adroit Photo Forensics]]
+
: Adroit Photo Forensics supports data carving of popular image formats. Also supports fragmented carving using [[File_Carving:SmartCarving|SmartCarving]] and [[File_Carving:GuidedCarving|GuidedCarving]].
+
 
+
*[http://belkasoft.com/bfc/en/forensic_carver.asp Belkasoft Forensic Carver], [http://belkasoft.com/bec/en/evidence_center.asp Belkasoft Evidence Center]
+
: Belkasoft Forensic Carver and Belkasoft Evidence Center support data carving for Instant Messenger and Browser artifacts. These tools support carving of physical or logical Windows drives as well as popular forensic image formats like Encase Evidence Files, DD or SMART.
+
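Review bot: In the added Unix dd entry, the sentence "The throughout the 2.6 kernel series has been to reduce direct access to memory via pseudo-device files" is missing its subject and should read "The trend throughout the 2.6 kernel series ...". The added Firewire entry has similar slips: "on other can cause system crashes" and "in general should be avoided for now" each drop a word, and the fmem entry needs "is a kernel module that creates" in place of "is kernel module, that creates".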

Revision as of 18:07, 7 December 2009

The physical memory of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between operating systems, these tools are listed by operating system. Once memory has been imaged, it is subjected to memory analysis to ascertain the state of the system, extract artifacts, and so on.

One of the most vexing problems for memory imaging is verifying that the image has been created correctly. That is, verifying that it reflects the actual contents of memory at the time of its creation. Because the contents of memory are constantly changing on a running system, the process can be repeated but the results will never--to a high degree of probability--be the same. Thus, repeating the acquisition and comparing the results is not a feasible means of validating correct image creation. Memory analysis can reveal whether the image's contents are consistent with the known layout and structure of a given operating system, as well as answering other questions, but it cannot answer the question as to whether the image accurately reflects the system from which it was taken at the time it was taken.

Memory Imaging Techniques

Crash Dumps
When configured to create a full memory dump, Windows operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. Andreas Schuster has a blog post describing this technique.
LiveKd Dumps
The Sysinternals tool LiveKd can be used to create an image of physical memory on a live machine in crash dump format. Once LiveKd is started, use the command ".dump -f [output file]".
Hibernation Files
Windows 98, 2000, XP, 2003, and Vista support a feature called hibernation that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of physical memory, is written to the disk on the system drive, usually C:, as hiberfil.sys. This file can be parsed and decompressed to obtain the memory image. Once hiberfil.sys has been obtained, Sandman can be used to convert it to a dd image.
Mac OS X very kindly creates a file called /var/vm/sleepimage on any laptop that is suspended. This file is NOT erased when the machine starts up. It is unencrypted even if the user turns on File Vault and enables Secure Virtual Memory. [1].
Firewire
It is possible for Firewire or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers, and on others they can cause system crashes. The technology holds promise for future development, but in general it should be avoided for now.
At CanSec West 05, Michael Becher, Maximillian Dornseif, and Christian N. Klein discussed an exploit which uses DMA to read arbitrary memory locations of a firewire-enabled system. The paper lists more details. The exploit is run on an iPod running Linux. This can be used to grab screen contents.
This technique has been turned into a tool that you can download from: http://www.storm.net.nz/projects/16
Goldfish is a tool that is being developed to get RAM from a Mac. Contact cybercrime.com.

Memory Imaging Tools

x86 Hardware

Tribble PCI Card (research project)
http://www.digital-evidence.org/papers/tribble-preprint.pdf
CoPilot by Komoku
Komoku was acquired by Microsoft and the card was not made publicly available.
Forensic RAM Extraction Device (FRED) by BBN
Not publicly available. http://www.ir.bbn.com/~vkawadia/

Windows Software

winen.exe (Guidance Software - included with Encase 6.11 and higher)
included on Helix 2.0
http://forensiczone.blogspot.com/2008/06/winenexe-ram-imaging-tool-included-in.html
WinDD
included on Helix 2.0
http://windd.msuiche.net/
http://www.msuiche.net/2008/06/14/capture-memory-under-win2k3-or-vista-with-win32dd/
Mdd (Memory DD) (ManTech)
included on Helix 2.0
http://sourceforge.net/projects/mdd
F-Response with FTK imager, dd, Encase, WinHex, etc
Beta 2.03 provides remote access to memory that can be acquired using practically any standard imaging tool
http://www.f-response.com/index.php?option=com_content&task=view&id=79&Itemid=2
MANDIANT Memoryze
Can capture and analyze memory. Supports reading dumps (raw/dd format) from other tools.
http://www.mandiant.com/software/memoryze.htm
Kntdd
http://www.gmgsystemsinc.com/knttools/
dd
On Microsoft Windows systems, dd can be used by an Administrator user to image memory using the \Device\Physicalmemory object. Userland access to this object is denied starting in Windows 2003 Service Pack 1 and Windows Vista.
Windows Memory Forensic Toolkit (WMFT)
http://forensic.seccure.net/
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf
Nigilant32
http://www.agilerm.net/publications_4.html
HBGary
Fastdump and Fastdump Pro
http://www.hbgary.com
Fastdump (free with registration) Can acquire physical memory on Windows 2000 through Windows XP 32 bit but not Windows 2003 or Vista.
Fastdump Pro Can acquire physical memory on Windows 2000 through Windows 2008, all service packs. Additionally, Fastdump Pro supports:
-32 bit and 64 bit architectures
-Acquisitions of greater than 4GB
-Fast acquisitions through the use of larger page sizes (1024KB) but also supports a strict mode that enforces 4KB page sizes.
-Process probing which allows for a more complete memory image of a process of interest.
-Acquisition of the system page file during physical memory acquisition. This allows for a more complete memory analysis.

Unix

dd
On Unix systems, the program dd can be used to capture the contents of physical memory using a device file (e.g. /dev/mem and /dev/kmem). In recent Linux kernels, /dev/kmem is no longer available. In even more recent kernels, /dev/mem has additional restrictions. And in the most recent, /dev/mem is no longer available by default, either. The trend throughout the 2.6 kernel series has been to reduce direct access to memory via pseudo-device files. See, for example, the message accompanying this patch: http://lwn.net/Articles/267427/.
Second Look
This memory analysis product has the ability to acquire memory from Linux systems, either locally or from a remote target via DMA.
Idetect (Linux)
http://forensic.seccure.net/
fmem (Linux)

fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. This device (physical RAM) can be copied using dd or another tool. It works on 2.6 Linux kernels and is released under the GNU GPL. fmem: http://hysteria.sk/~niekt0/foriana/fmem_current.tgz
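
Copying a memory device with dd needs explicit bounds, because physical RAM is interleaved with reserved and device regions. The following added example (not part of the wiki page or of fmem) parses /proc/iomem text for top-level "System RAM" ranges and builds page-aligned dd commands; the output name mem.raw and the sample addresses are assumptions made for illustration.

```python
import re

PAGE = 4096  # dd block size; matches the x86 base page size

# Constructed sample of /proc/iomem as root would see it (addresses are illustrative).
SAMPLE_IOMEM = """\
00000000-00000fff : Reserved
00001000-0009fbff : System RAM
0009fc00-0009ffff : Reserved
000a0000-000bffff : PCI Bus 0000:00
00100000-bffdffff : System RAM
  01000000-01c031d0 : Kernel code
  01c031d1-0266a03f : Kernel data
bffe0000-bfffffff : Reserved
fec00000-fec003ff : IOAPIC 0
100000000-13fffffff : System RAM
"""

# Top-level entries start in column 0; nested entries are indented and do not match.
_ENTRY = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) : (.+)$")


def system_ram_ranges(iomem_text):
    """Return [(start, end_inclusive)] for every top-level 'System RAM' entry."""
    ranges = []
    for line in iomem_text.splitlines():
        m = _ENTRY.match(line)
        if not m or m.group(3).strip() != "System RAM":
            continue
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        if end == 0:
            # Unprivileged reads of /proc/iomem show every address as zero.
            raise PermissionError("addresses are zeroed; read /proc/iomem as root")
        ranges.append((start, end))
    return ranges


def page_extents(ranges, page=PAGE):
    """Convert byte ranges to (first_page, page_count), keeping whole pages only."""
    extents = []
    for start, end in ranges:
        first = -(-start // page)   # round the start up to a page boundary
        last = (end + 1) // page    # round the exclusive end down
        if last > first:
            extents.append((first, last - first))
    return extents


def dd_plan(extents, device="/dev/fmem", image="mem.raw", page=PAGE):
    """Build one dd command per extent.

    seek equals skip, so each byte lands at its physical address in a sparse
    raw image; conv=notrunc stops later commands truncating earlier output.
    """
    return [
        f"dd if={device} of={image} bs={page} "
        f"skip={first} seek={first} count={count} conv=notrunc"
        for first, count in extents
    ]


if __name__ == "__main__":
    extents = page_extents(system_ram_ranges(SAMPLE_IOMEM))
    for cmd in dd_plan(extents):
        print(cmd)
    print("bytes to acquire:", sum(count for _, count in extents) * PAGE)
```

The resulting image has holes where non-RAM regions sit, so its offsets equal physical addresses, which is the layout raw/dd analysis tools expect.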

See Also

External Links