Memory Imaging
Revision as of 11:22, 27 July 2012


Memory imaging is the process of making a bit-by-bit copy of memory. In principle it is similar to Disk Imaging.

For physical memory it is common to have ranges that are not accessible, e.g. because they are memory-mapped I/O. Reading such a range as if it were RAM does not return memory contents: it may return device registers, change the state of the device, or hang the machine. Imaging tools therefore consult the system's physical memory map, copy only the RAM ranges, and record where the gaps are.

The resulting copy is stored in a forensic image format. Some of these formats can record that the image is of memory rather than of, e.g., a disk.
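The following is an added example, not code from ForensicsWiki or from any imaging tool, showing the two points above in working form: an imager that copies only the RAM runs of a (constructed, E820-style) physical memory map, never touches the memory-mapped I/O ranges, and writes a container whose header states that it holds physical memory and where each run sits. The container format, its magic value and all function names are this example's own assumptions; the fake backing store stands in for the kernel-mode read primitive.

```python
"""Added example: a run-based physical memory imager that honours the
physical memory map (skipping memory-mapped I/O) and records in its header
that the image is of memory, not of a disk. The container format and the
names used here are hypothetical, chosen for this example only."""
import json
import struct

PAGE_SIZE = 0x1000
MAGIC = b"MEMIMG01"  # hypothetical magic for this example's container

# Constructed physical memory map, (start, end_exclusive, kind).
# Only "ram" ranges are imaged; "mmio" and "reserved" are gaps.
MEMORY_MAP = [
    (0x00000000, 0x0009F000, "ram"),
    (0x0009F000, 0x000A0000, "reserved"),
    (0x000A0000, 0x00100000, "mmio"),      # legacy VGA / ROM window
    (0x00100000, 0x00300000, "ram"),
    (0x00300000, 0x00310000, "mmio"),      # device registers (BARs)
    (0x00310000, 0x00400000, "ram"),
]


class MmioTouched(RuntimeError):
    """Raised by the fake backing store if a non-RAM page is read. On real
    hardware such a read can return device registers, alter device state
    or hang the machine, which is exactly what the imager must avoid."""


def make_backing():
    """Constructed fake physical memory: every RAM page is filled with its
    own page number so reads can be checked; non-RAM pages do not exist."""
    pages = {}
    for start, end, kind in MEMORY_MAP:
        if kind != "ram":
            continue
        for phys in range(start, end, PAGE_SIZE):
            pages[phys] = struct.pack("<Q", phys // PAGE_SIZE) * (PAGE_SIZE // 8)

    def read_page(phys):
        if phys not in pages:
            raise MmioTouched(hex(phys))
        return pages[phys]

    return read_page


def readable_runs(memory_map):
    """Coalesce adjacent RAM ranges into runs; everything else is a gap."""
    runs = []
    for start, end, kind in sorted(memory_map):
        if kind != "ram":
            continue
        if runs and runs[-1][1] == start:
            runs[-1] = (runs[-1][0], end)
        else:
            runs.append((start, end))
    return runs


def write_image(memory_map, read_page):
    """Copy only the RAM runs. The header records the image type and each
    run's physical address, length and file offset, so gaps need no padding."""
    runs = readable_runs(memory_map)
    header = {"type": "physical-memory", "page_size": PAGE_SIZE, "runs": []}
    data = bytearray()
    for start, end in runs:
        header["runs"].append({"phys": start, "len": end - start, "file_off": len(data)})
        for phys in range(start, end, PAGE_SIZE):
            data += read_page(phys)
    hdr = json.dumps(header).encode()
    return MAGIC + struct.pack("<I", len(hdr)) + hdr + bytes(data)


def parse_image(blob):
    """Return (header, offset of first data byte); reject non-memory images."""
    if blob[:8] != MAGIC:
        raise ValueError("not a memory image")
    (hlen,) = struct.unpack("<I", blob[8:12])
    header = json.loads(blob[12:12 + hlen])
    if header.get("type") != "physical-memory":
        raise ValueError("image is not of physical memory")
    return header, 12 + hlen


def read_physical(blob, phys, length):
    """Translate a physical address range to image bytes; None if any part
    of the range falls in a gap (MMIO/reserved) that was never imaged."""
    header, base = parse_image(blob)
    for run in header["runs"]:
        if run["phys"] <= phys and phys + length <= run["phys"] + run["len"]:
            off = base + run["file_off"] + (phys - run["phys"])
            return blob[off:off + length]
    return None


if __name__ == "__main__":
    image = write_image(MEMORY_MAP, make_backing())
    hdr, _ = parse_image(image)
    print("runs:", [(hex(r["phys"]), hex(r["len"])) for r in hdr["runs"]])
    print("page 0x101 first qword:", read_physical(image, 0x101000, 8).hex())
    print("read inside MMIO gap:", read_physical(image, 0xA0000, 8))
```

A reader of the image resolves a physical address through the run table rather than treating the file as a flat dump, which is why the run headers (not zero padding) are what make the gaps recoverable later. The same design lets the analyst distinguish "this page was MMIO and never read" from "this page was RAM and contained zeros".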

Methods

Reading from the Physical Memory Object

In Windows the physical memory object, \Device\PhysicalMemory, can be used to access physical memory. Since Windows Server 2003 SP1, user-mode access to this device object is no longer permitted [1]; kernel-mode code (a driver) is still allowed to open it and read from it.

MmMapIoSpace

...

The MmMapIoSpace function (or routine) is a kernel-mode routine [2] (http://msdn.microsoft.com/en-us/library/windows/hardware/ff554618(v=vs.85).aspx) that maps a range of physical addresses into non-paged system address space, which a driver can then read like ordinary memory, one range at a time.

Also see

Memory Imaging Tools

External Links