In this article, we’ll break down how you can create a .raw memory dump using Volatility.
What is a memory dump?
Taking a memory dump means copying everything held in RAM to a file on a storage drive. A raw memory dump has the .raw extension, and one can be produced using Volatility.
How to Create a RAW Memory Dump with Volatility
The first thing to do is run the malware in a suitable VM. I prefer Windows 7 because it is easy to work with when creating a memory dump.
Once the system is infected, take a snapshot. Move to the directory where the snapshot was created; from here on we'll be using a VMware tool called vmss2core, which can be found here.
Suspend the machine. This creates a suspended-state image of the VM with the .vmss extension. Head over to the VM's directory.
Step 1: Run the following command to create a memory.dmp file:
vmss2core-sb-8456865.exe -W file.vmss file.vmem
Once vmss2core has finished writing the core, you will see a file named memory.dmp in the directory.
Next we'll use Volatility to find out which profile the memory image corresponds to. I am using Win7SP1x64, as it is a suggested profile. The command for creating the .raw file using a specific profile is:
volatility -f memory.dmp --profile=Win7SP1x64 imagecopy -O jigsaw.raw
This way we can create our jigsaw.raw file.
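The steps above (vmss2core, picking a suggested profile, imagecopy) are easy to get subtly wrong, and a dump that is empty or zero-filled only shows up as odd results much later. The following Python helpers are an added example, not code from the post or from Volatility: they build the two commands exactly as the post runs them, parse the "Suggested Profile(s)" line that Volatility 2's imageinfo plugin prints (the post does not name the plugin; imageinfo is my assumption, and the sample output below is constructed), and then hash and sanity-check the resulting .raw before analysis. The executable name and file names are the ones from the post; the -W8 switch is the vmss2core option for Windows 8 and later.

```python
"""Helpers for the .vmss -> memory.dmp -> .raw workflow described in the post.

Added example, not the post's own code. Assumptions: the vmss2core build name
and file names from the post, imageinfo as the plugin used to find a profile,
and the constructed imageinfo output below.
"""
import hashlib
import re
import subprocess

# Constructed sample of what `volatility -f memory.dmp imageinfo` prints
# (Volatility 2). The first profile in the list is the one the post picks.
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/memory.dmp)
"""


def parse_suggested_profiles(imageinfo_output: str) -> list[str]:
    """Return the profiles imageinfo suggests, in the order it lists them."""
    match = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_output)
    if not match:
        return []
    return [p.strip() for p in match.group(1).split(",") if p.strip()]


def vmss2core_cmd(exe: str, vmss: str, vmem: str, win8_or_later: bool = False) -> list[str]:
    """Argument list for vmss2core: -W for Windows 2000..7 (as in the post),
    -W8 for Windows 8 / Server 2012 and later."""
    return [exe, "-W8" if win8_or_later else "-W", vmss, vmem]


def imagecopy_cmd(dump: str, profile: str, out_raw: str) -> list[str]:
    """Argument list for the imagecopy step shown in the post."""
    return ["volatility", "-f", dump, f"--profile={profile}", "imagecopy", "-O", out_raw]


def _check_chunks(chunks, page_size: int = 4096) -> dict:
    """Single pass over the dump: SHA-256 for chain of custody, size and page
    alignment, and whether every byte is zero (a typical sign of a failed copy)."""
    digest = hashlib.sha256()
    size = 0
    all_zero = True
    for chunk in chunks:
        digest.update(chunk)
        size += len(chunk)
        if all_zero and chunk.count(0) != len(chunk):
            all_zero = False
    return {
        "size": size,
        "page_aligned": size % page_size == 0,
        "all_zero": size > 0 and all_zero,
        "sha256": digest.hexdigest(),
    }


def check_raw_bytes(data: bytes, page_size: int = 4096) -> dict:
    """In-memory variant, handy for tests and small captures."""
    return _check_chunks([data], page_size)


def check_raw_dump(path: str, page_size: int = 4096) -> dict:
    """Streams the file in 1 MiB chunks so multi-GB dumps are not loaded at once."""
    with open(path, "rb") as fh:
        return _check_chunks(iter(lambda: fh.read(1 << 20), b""), page_size)


def convert_snapshot(exe: str, vmss: str, vmem: str, out_raw: str,
                     win8_or_later: bool = False) -> dict:
    """Run the whole chain from the post and return the check on the .raw.
    Needs vmss2core and Volatility 2 on PATH, so it is not exercised offline."""
    subprocess.run(vmss2core_cmd(exe, vmss, vmem, win8_or_later), check=True)
    dump = "memory.dmp"  # vmss2core -W writes this name in the current directory
    info = subprocess.run(["volatility", "-f", dump, "imageinfo"],
                          capture_output=True, text=True, check=True)
    profiles = parse_suggested_profiles(info.stdout)
    if not profiles:
        raise RuntimeError("imageinfo suggested no profile; choose one manually")
    subprocess.run(imagecopy_cmd(dump, profiles[0], out_raw), check=True)
    result = check_raw_dump(out_raw)
    if result["all_zero"] or result["size"] == 0:
        raise RuntimeError(f"{out_raw} looks empty; re-run the conversion")
    return result


if __name__ == "__main__":
    print(parse_suggested_profiles(SAMPLE_IMAGEINFO))
    print(vmss2core_cmd("vmss2core-sb-8456865.exe", "file.vmss", "file.vmem"))
    print(imagecopy_cmd("memory.dmp", "Win7SP1x64", "jigsaw.raw"))
```

Record the SHA-256 from check_raw_dump alongside the case notes as soon as jigsaw.raw is written; any later analysis can then be tied back to exactly this image.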
For any further queries, you can drop a message on Twitter.