intrigeri wrote (06 Nov 2011 00:06:35 GMT) :
>> 2. Instead of grep:ing /dev/mem directly in both steps 2 and 3, do this:
>> dd if=/dev/mem of=$DUMP bs=1K count=$RAM_SIZE_IN_KB oflag=direct
> I think I'll use memdump [1] instead (in Debian), which probably
> removes the need to build an obsolete Lenny system for forensics.
Seems like it does not. memdump reads /dev/mem directly, so it is
affected by memory protections as much as dd or grep.
The main advantage memdump is supposed to bring is its ability to skip
over holes in memory maps.
> Running the test in a VM, and inspecting the VM memory from the host
> system, should also work.
Going to try this.
Cheers,
--
intrigeri <intrigeri@???>
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
| Then we'll come from the shadows.
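The thread above discusses dumping RAM to a file (with dd or memdump) and then searching that dump for a known pattern to check whether memory was actually wiped. The following is an added example, not code from the Tails project or from anyone in the thread: a chunked scanner that walks a dump file and reports every offset at which a marker appears, including matches that straddle a read-chunk boundary (the failure mode a naive chunk-by-chunk `grep` replacement would miss). The marker, dump size and offsets are constructed sample values; `write_sample_dump` only exists to build a test fixture offline.

```python
"""Scan a memory dump for a known marker pattern, chunk by chunk.

Added example for the memory-wipe discussion above; it is not Tails code.
It assumes the dump has already been written to a file (e.g. by dd or
memdump). MARKER is a constructed sample pattern.
"""
import os
import tempfile

MARKER = b"TAILS-WIPE-TEST-MARKER"  # constructed sample pattern


def find_marker_offsets(path, marker=MARKER, chunk_size=1 << 20):
    """Return the sorted list of byte offsets where `marker` occurs in `path`.

    The file is read in `chunk_size` pieces so multi-gigabyte dumps do not
    have to fit in RAM.  The last len(marker)-1 bytes of each chunk are
    carried over into the next one, so a marker split across two chunks is
    still found exactly once.
    """
    if not marker:
        raise ValueError("marker must be non-empty")
    overlap = len(marker) - 1
    offsets = []
    carry = b""
    base = 0  # absolute file offset of carry[0] (or of the next chunk)
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            buf = carry + chunk
            start = 0
            while True:
                i = buf.find(marker, start)
                if i < 0:
                    break
                offsets.append(base + i)
                start = i + 1
            # Keep only the tail that could be the start of a marker
            # continuing into the next chunk; it is too short to contain a
            # full marker on its own, so nothing is reported twice.
            if overlap:
                carry = buf[-overlap:]
                base += len(buf) - len(carry)
            else:
                carry = b""
                base += len(buf)
    return offsets


def dump_is_wiped(path, marker=MARKER, chunk_size=1 << 20):
    """True when the marker is absent from the whole dump."""
    return not find_marker_offsets(path, marker, chunk_size)


def write_sample_dump(path, size, marker_offsets, marker=MARKER):
    """Test fixture: write `size` zero bytes with `marker` at each offset."""
    data = bytearray(size)  # zero-filled, like a correctly wiped region
    for off in marker_offsets:
        data[off:off + len(marker)] = marker
    with open(path, "wb") as f:
        f.write(bytes(data))


def demo(marker_offsets, size=3 * 4096, chunk_size=4096, marker=MARKER):
    """Build a constructed dump, scan it, and return the offsets found."""
    fd, path = tempfile.mkstemp(prefix="dump-")
    os.close(fd)
    try:
        write_sample_dump(path, size, marker_offsets, marker)
        return find_marker_offsets(path, marker, chunk_size)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # 4091 + len(MARKER) crosses the 4096-byte chunk boundary.
    print("found at:", demo([100, 4091, 2 * 4096 + 10]))
    print("clean dump wiped:", demo([]) == [])
```

Run against a real dump with `find_marker_offsets("/path/to/dump", marker)`; a non-empty result means the fill pattern survived in physical memory at those offsets, which is what the wipe test is trying to rule out. The chunked design matters because `dd` dumps of a full machine's RAM are far larger than anything you want to `read()` in one call, and a scanner that forgets the overlap can report a clean dump when the only surviving copy of the marker sits across a chunk boundary.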