Difference between revisions of "Memory Imaging"

(External Links)
Line 22: Line 22:
== External Links ==
== External Links ==
* [ Wikipedia article on Memory-mapped I/O]
* [ Wikipedia article on Memory-mapped I/O]
* [ All memory dumping tools are not the same], by Brian Moran, January 14, 2014
[[Category:Memory Analysis]]
[[Category:Memory Analysis]]

Revision as of 19:59, 14 January 2014


Memory imaging is the process of making a bit-by-bit copy of memory. In principle it is similar to Disk Imaging.

For physical memory it is common to have sections that are not accessible, e.g. because of memory-mapped I/O.

The resulting copy is stored in a Forensics image format. Some of these formats have means to differentiate between an image of memory and e.g. that of a disk.
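The inaccessible sections mentioned above mean an imager has to work from a map of readable RAM runs instead of reading the address space linearly. The following is an added example, not code from this wiki or from any imaging tool: it builds a raw padded image in which the offset equals the physical address and gaps are zero-filled without being read. The run list is constructed sample data, and `read_page`, `image_padded` and the other names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define SAMPLE_TOP 0x7000u /* end of the highest sample run */
struct ram_run { uint64_t base, length; }; /* readable RAM: [base, base+length) */

/* Constructed sample map, not from a real machine: two RAM runs with a
 * hole at 0x3000-0x4FFF standing in for a memory-mapped I/O region. */
static const struct ram_run SAMPLE_RUNS[] = {
    { 0x0000, 0x3000 }, /* pages 0-2 */
    { 0x5000, 0x2000 }, /* pages 5-6 */
};

/* 1 if the whole page at addr lies inside one RAM run, else 0. A page only
 * partly covered by a run counts as inaccessible. */
static int page_is_ram(const struct ram_run *runs, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= runs[i].base && addr + PAGE_SIZE <= runs[i].base + runs[i].length)
            return 1;
    return 0;
}

/* Hypothetical reader standing in for the real acquisition method. */
static void read_page(uint64_t addr, uint8_t *dst)
{
    memset(dst, (int)(0x80 | ((addr / PAGE_SIZE) & 0x7F)), PAGE_SIZE);
}

/* Build a raw padded image of [0, top) in `image`; pages outside every run
 * are zero-filled and never read. Returns the number of pages padded. */
size_t image_padded(const struct ram_run *runs, size_t n, uint64_t top, uint8_t *image)
{
    size_t padded = 0;
    for (uint64_t addr = 0; addr + PAGE_SIZE <= top; addr += PAGE_SIZE) {
        if (page_is_ram(runs, n, addr)) { read_page(addr, image + addr); continue; }
        memset(image + addr, 0, PAGE_SIZE);
        padded++;
    }
    return padded;
}

int main(void)
{
    static uint8_t image[SAMPLE_TOP];
    printf("padded pages: %zu\n", image_padded(SAMPLE_RUNS, 2, SAMPLE_TOP, image));
}
```

Recording which pages were padded alongside the image lets an analyst tell a zero-filled gap from RAM that really contained zeros.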


Reading from the Physical Memory Object

In Windows, the Physical Memory Object, \\Device\PhysicalMemory, can be used to access physical memory. Since Windows 2003 SP1, user-mode access to this device object is no longer permitted [1]. A kernel-mode process is still allowed to read from this device object.


The MmMapIoSpace function (or routine) is a kernel-mode function that maps a physical address range to non-paged system space [2].

Also see

Memory Imaging Tools

External Links