Create a .raw memory dump with Volatility

Volatility Memory Dump

In this article, we’ll break down how you can create a .raw memory dump using Volatility.

What is taking a memory dump?

Taking a memory dump is the process of taking all information contained in RAM and writing it to a storage drive. The format of a raw memory dump is .raw and can be produced using Volatility.

How to Create a RAW Memory Dump with Volatility

First thing we will do is that we’ll run the malware in a suitable VM. I prefer Windows 7 because it is easy to work with while creating a memory dump. 
Once your system is infected, take a snapshot. Move to the directory where the snapshot is created and now we’ll be using a tool called vmss2core which can be found here.

Suspend the machine. This will create a suspended state image of the VM with an extension of .vmss. Head over to the directory of the VM.

Step 1: Use the following command to create a memory.dmp file:

vmss2core-sb-8456865.exe -W file.vmss file.vmem

Once you are done you will see something like this –

Now once you are done with writing core, you’ll see a file named memory.dmp. 
Now here we’ll be using volatility in order to find out the profile for which .vmem is created.

I am using Win7SP1x64 as it is a suggested profile. The command for creating the .raw file using a specific profile is:

volatility -f memory.dmp --profile=Win7SP1x64 imagecopy -O jigsaw.raw

This way we can create our jigsaw.raw file.

For any further queries, you can drop a message on Twitter.


Leave a Reply

Your email address will not be published. Required fields are marked *