Difference between revisions of "Memory Imaging"

From ForensicsWiki
Old revision: (Created page with "{{expand}} Memory imaging is the process of making a bit-by-bit copy of memory, it is similar to Disk Imaging.")
New revision: (MmMapIoSpace)
(8 intermediate revisions by the same user not shown)

Old text (line 1):

{{expand}}

Memory imaging is the process of making a bit-by-bit copy of memory, it is similar to [[Disk Imaging]].

New text (line 1):

{{expand}}

Memory imaging is the process of making a bit-by-bit copy of memory. In principle it is similar to [[Disk Imaging]].

For physical memory it is common to have sections that are not accessible, e.g. because of memory-mapped I/O.

The resulting copy is stored in a [[:Category:Forensics_File_Formats|Forensics image format]].
Some of these formats have means to differentiate between an image of memory and e.g. that of a disk.

== Methods ==

=== Reading from the Physical Memory Object ===
In [[Windows]] the Physical Memory Object, \\Device\PhysicalMemory, can be used to access physical memory. Since Windows 2003 SP1, user-mode access to this device object is no longer permitted [http://technet.microsoft.com/en-en/library/cc787565(v=ws.10).aspx]. A kernel-mode process is still allowed to read from this device object.

=== MmMapIoSpace ===

The MmMapIoSpace function (or routine) is a kernel-mode function that maps a physical address range into non-paged system space [http://msdn.microsoft.com/en-us/library/windows/hardware/ff554618(v=vs.85).aspx].

== Also see ==
[[:Tools:Memory_Imaging|Memory Imaging Tools]]

== External Links ==
* [http://en.wikipedia.org/wiki/Memory-mapped_I/O Wikipedia article on Memory-mapped I/O]

[[Category:Memory Analysis]]
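The following is an added example, not code from the wiki page or from any imaging tool, showing the page-by-page loop that a memory imager needs in order to cope with the inaccessible sections mentioned above. The physical-memory reader is simulated with a constructed buffer so the loop runs anywhere; in a real Windows imager that reader would be a kernel-mode read from \\Device\PhysicalMemory or from a range mapped with MmMapIoSpace, as the Methods section describes. The run layout, the memory-mapped I/O hole, and all helper names (SimPhys, image_physical, run_demo) are assumptions made for the example. It goes slightly beyond the text by also recording which pages were not RAM or could not be read, which is the information a memory-aware image format needs to distinguish a gap from genuine zero-filled memory.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096ULL

/* One page-aligned run of physical addresses that the platform reports as RAM.
 * A real imager takes these from the OS or firmware memory map (assumption). */
typedef struct { uint64_t start, length; } PhysRun;

/* Reader for one chunk of physical memory: 0 on success, -1 if the range is
 * not accessible. On Windows this would sit in a kernel driver (reading
 * \\Device\PhysicalMemory or a range mapped with MmMapIoSpace); here it is
 * backed by a constructed buffer so the loop can run offline. */
typedef int (*PhysReadFn)(void *ctx, uint64_t paddr, uint8_t *out, size_t len);

/* Constructed physical address space: 64 KiB with a 16 KiB memory-mapped I/O
 * hole at 0x4000..0x7fff whose pages cannot be read. */
typedef struct {
    uint8_t *backing;
    uint64_t size;
    uint64_t mmio_start, mmio_len;
} SimPhys;

static int sim_read(void *ctx, uint64_t paddr, uint8_t *out, size_t len) {
    const SimPhys *p = ctx;
    if (paddr + len > p->size) return -1;
    /* Any overlap with the MMIO hole makes the read fail, as hardware would. */
    if (paddr < p->mmio_start + p->mmio_len && paddr + len > p->mmio_start) return -1;
    memcpy(out, p->backing + paddr, len);
    return 0;
}

/* Per-page status kept alongside the raw copy so the image format can record
 * gaps instead of presenting zero-filled pages as genuine memory content. */
enum { PAGE_COPIED = 0, PAGE_UNREADABLE = 1, PAGE_NOT_RAM = 2 };

typedef struct {
    uint8_t *image;        /* bit-for-bit copy, zero where nothing was read */
    uint8_t *status;       /* one entry per page */
    uint64_t size, npages;
    uint64_t pages_copied, pages_unreadable;
} MemImage;

/* Walk the RAM runs page by page. Addresses outside every run are never
 * touched; a page inside a run that still fails to read is zero-filled and
 * flagged rather than aborting the whole acquisition. */
static int image_physical(PhysReadFn read, void *ctx, const PhysRun *runs,
                          size_t nruns, uint64_t total_size, MemImage *img) {
    memset(img, 0, sizeof *img);
    img->size = total_size;
    img->npages = (total_size + PAGE_SIZE - 1) / PAGE_SIZE;
    img->image = calloc(img->npages, PAGE_SIZE);
    img->status = malloc(img->npages);
    if (!img->image || !img->status) return -1;
    memset(img->status, PAGE_NOT_RAM, img->npages);

    for (size_t r = 0; r < nruns; r++) {
        uint64_t end = runs[r].start + runs[r].length;
        if (end > total_size) return -1;           /* run table is inconsistent */
        for (uint64_t pa = runs[r].start; pa < end; pa += PAGE_SIZE) {
            uint64_t pg = pa / PAGE_SIZE;
            if (read(ctx, pa, img->image + pa, PAGE_SIZE) == 0) {
                img->status[pg] = PAGE_COPIED;
                img->pages_copied++;
            } else {
                img->status[pg] = PAGE_UNREADABLE;
                img->pages_unreadable++;
            }
        }
    }
    return 0;
}

void free_image(MemImage *img) { free(img->image); free(img->status); }

/* Demo layout (constructed): RAM runs 0x0000-0x3fff and 0x7000-0xffff. The
 * second run's first page lies inside the MMIO hole, so the imager must flag
 * it instead of failing. Page n of the backing store holds the byte n+1. */
int run_demo(MemImage *img) {
    static const PhysRun runs[] = { {0x0000, 0x4000}, {0x7000, 0x9000} };
    SimPhys phys = { .backing = NULL, .size = 0x10000,
                     .mmio_start = 0x4000, .mmio_len = 0x4000 };
    phys.backing = malloc(phys.size);
    if (!phys.backing) return -1;
    for (uint64_t i = 0; i < phys.size; i++)
        phys.backing[i] = (uint8_t)(i / PAGE_SIZE + 1);
    int rc = image_physical(sim_read, &phys, runs, 2, phys.size, img);
    free(phys.backing);
    return rc;
}

int main(void) {
    MemImage img;
    if (run_demo(&img) != 0) return 1;
    printf("copied %" PRIu64 " pages, %" PRIu64 " unreadable, %" PRIu64 " not RAM\n",
           img.pages_copied, img.pages_unreadable,
           img.npages - img.pages_copied - img.pages_unreadable);
    free_image(&img);
    return 0;
}
```

The status array is the piece that matters for the image format: a page marked PAGE_UNREADABLE or PAGE_NOT_RAM is zero in the raw copy, and without that side record an analyst could not tell a device hole from a page that genuinely contained zeros.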

Revision as of 07:24, 27 July 2012
