/dev/mem for Windows, and other bits of memory goodness.

Can "good old cgywin dd" and dcfldd access \.\\Device\PhysicalMemory? It appears that they can.

I was reading posts by Harlan Carvey and Andreas Schuster about new tools for imaging the Physical Memory in Windows this week. Some interesting stuff there. Then I stumbled across an article in Forensic Magazine by Kevin Mandia and Kris Harms, which said in part that \device\PhysicalMemory could be imaged with DCFLDD. I tried the string in the article:
DCFLDD if=\\.\PhysicalMemory of=AnyExternalDevice conv=sync,noerror and I got a big handful of fail for my efforts.

I assumed that someone else had tried this and a little googling turned up this string at forensic focus, as well as a post by on with Windows Incident Response blog that mentioned it (how did I miss that post and why can't I find it now?).

I used the /dev/mem substitution for dcfldd on an XP SP2 box and it seemed to work.

So what I'd learned so far:

1. The Mandia article has incorrect syntax.
2. You can use dcfldd to image something from /dev/mem.

It didn't seem like anyone had figured out what dcfldd was imaging though.

My next thought was, "If dcfldd can image the mysterious /dev/mem, could good old cygwin can access it?" It appears that it can.

According to these posts on the cgywin developer's list, the cygwin grabs \device\PhysicalMemory using cygwin's /dev/mem, in a manner consistent with *nix systems.

I decided to conduct a quick experiment on each. I acquired a sample of physical memory from a XP pro SP2 box:


06/20/2008 09:21 AM 1,064,648,704 dd.img
06/20/2008 09:17 AM 1,064,685,568 win32.dump
06/27/2008 11:49 AM 1,064,685,568 mdd.img
06/20/2008 09:09 AM 1,064,697,856 dcfldd.img

The same command was used for both dcfldd and dd ((DCFL)DD if=/dev/mem of=.\outfile.img conv=sync,noerror

Nothing earth shattering here, but note the file sizes.