Memory Dump Formats

by Chirath De Alwis

As with other storage devices, volatile memory can be captured in several formats; the format of the captured file varies with the acquisition method in use. According to Ligh et al (2018), the most commonly used memory dump formats are:

  • RAW memory dump.
  • Windows crash dump.
  • Windows hibernation files.
  • Expert witness format (EWF).
  • HPAK format.

RAW Memory Dump

Raw memory dump is the memory dump format most commonly used by modern analysis tools. According to Ligh et al (2018), raw-format memory dumps do not contain headers, metadata, or magic values.

“The raw format typically includes padding for any memory ranges that were intentionally skipped (i.e., device memory) or that could not be read by the acquisition tool, which helps maintain spatial integrity (relative offsets among data)” (Ligh et al, 2018).

The figure shown below is the architecture of the RAW memory file.



Windows Crash Dump

According to Hameed’s podcast Understanding Crash Dump Files (2008), by default all Windows operating systems are configured to capture information about the state of the computer in the event of a crash. As mentioned by Ligh et al (2018), these crash dumps begin with a _DMP_HEADER or _DMP_HEADER64 structure.

The above figure shows the architecture of the Windows full crash dump file. According to Microsoft (2018), there are three different formats of memory dump available as Windows crash dumps.

Those are:

Complete memory dump
According to Microsoft (2018), this is the largest kernel-mode memory dump file. It contains everything that was in physical memory. As mentioned in Microsoft (2018), this memory dump does not contain physical memory that is used by the platform firmware.

Kernel memory dump
According to Hameed’s podcast Understanding Crash Dump Files (2008), this kernel-mode memory dump contains all the contents that were in use by the kernel at the time the memory was captured. Since the file contains only the content used by the kernel, this dump is significantly smaller than the complete memory dump. As mentioned by Microsoft (2018), these dumps do not include unallocated memory or any memory allocated to user-mode applications, which can narrow down the analysis.

Small memory dump
As the name suggests, this is the smallest memory dump file that can be created as a Windows crash dump. According to Microsoft (2018), these memory files contain:

  • The bug check message and parameters, as well as other blue-screen data.
  • The processor context (PRCB) for the processor that crashed.
  • The process information and kernel context (EPROCESS) for the process that crashed.
  • The thread information and kernel context (ETHREAD) for the thread that crashed.
  • The kernel-mode call stack for the thread that crashed. If this is longer than 16 KB, only the topmost 16 KB will be included.
  • A list of loaded drivers.

According to Ligh et al (2018), the following are the ways in which a crash dump can be created:

  • Blue Screens
  • CrashOnScrollControl
  • Debuggers

However, not all of the above methods are suitable for forensics.

Windows Hibernation File

According to Microsoft (2018), hibernation in computing is powering down a computer while retaining its state. Upon hibernation, the computer saves the contents of its random access memory (RAM) to a hard disk or other non-volatile storage, and upon resumption the computer is exactly as it was before entering hibernation.

When hibernation is enabled on the computer, a hibernation file is created under the system folder containing a full dump of the memory.

Expert Witness Format (EWF)

According to Ligh et al (2018), this is the format that EnCase Forensic uses when acquiring memory with the EnCase software. Even though the format belongs to a commercial software vendor, its popularity has made it one of the standard file formats. Since this format is primarily analyzed with EnCase itself, only a few other tools support it. As Ligh et al (2018) note, investigators should be familiar with the following methods of analyzing EWF memory dumps:

  • “EWFAddressSpace” (Ligh et al, 2018)
  • “Mounting with EnCase” (Ligh et al, 2018)
  • “Mounting with FTK Imager” (Ligh et al, 2018)

HPAK Format

This is the file format used by the HBGary software corporation. “HPAK allows a target system’s physical memory and page file(s) to embed in the same output file” (Ligh et al, 2018). Because it is a proprietary format, these memory files can only be created with HBGary tools.
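The practical consequence of the sections above is that a raw dump carries no magic value while every other format does, so the first bytes of a file tell an examiner which parser to reach for. The following Python is an added example, not code from the article or from any of the tools it names: it sniffs the leading bytes for the crash dump, hibernation, EWF and HPAK signatures, falls back to "raw" when nothing matches, and reads the version and bug-check fields from a crash dump header. The HPAK magic is taken from memory of Volatility's hpak support and should be treated as an assumption; the sample header is constructed, not a real dump.

```python
import struct

# Magic values at offset 0 of the non-raw formats discussed above.
# Raw dumps have no magic at all (Ligh et al, 2018), so "raw" is the fallback.
MAGIC = {
    b"PAGEDUMP": "windows crash dump (32-bit _DMP_HEADER)",
    b"PAGEDU64": "windows crash dump (64-bit _DMP_HEADER64)",
    b"hibr": "windows hibernation file",
    b"HIBR": "windows hibernation file",
    b"wake": "windows hibernation file (already resumed; contents stale)",
    b"WAKE": "windows hibernation file (already resumed; contents stale)",
    b"EVF\x09\x0d\x0a\xff\x00": "expert witness format (EWF/E01 segment)",
    b"HPAK": "HPAK (HBGary)",  # assumed: magic recalled from Volatility's hpak plugin
}

def identify_dump(data: bytes) -> str:
    """Classify a memory image by its leading bytes; no match means raw."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "raw (no header or magic; treat as a flat physical-memory image)"

def crash_dump_info(data: bytes) -> dict:
    """Read MajorVersion, MinorVersion and BugCheckCode from a crash dump header.
    Offsets follow the public _DMP_HEADER (32-bit) and _DMP_HEADER64 layouts."""
    if data.startswith(b"PAGEDU64"):
        bits, bugcheck_off = 64, 0x38
    elif data.startswith(b"PAGEDUMP"):
        bits, bugcheck_off = 32, 0x28
    else:
        raise ValueError("not a Windows crash dump")
    major, minor = struct.unpack_from("<II", data, 8)
    (bugcheck,) = struct.unpack_from("<I", data, bugcheck_off)
    return {"bits": bits, "major": major, "minor": minor, "bugcheck": bugcheck}

def make_sample_crash_header(bits: int, bugcheck: int) -> bytes:
    """Constructed sample header (not a real dump) for offline testing."""
    sig = b"PAGEDU64" if bits == 64 else b"PAGEDUMP"
    off = 0x38 if bits == 64 else 0x28
    hdr = bytearray(b"PAGE" * 0x400)  # real headers pad unused bytes with "PAGE"
    hdr[0:8] = sig
    struct.pack_into("<II", hdr, 8, 15, 19041)  # constructed: free build, build 19041
    struct.pack_into("<I", hdr, off, bugcheck)
    return bytes(hdr)

if __name__ == "__main__":
    print(identify_dump(b"\x00" * 4096))
    sample = make_sample_crash_header(64, 0x7E)
    print(identify_dump(sample), crash_dump_info(sample))
```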

References

  1. Ligh, M.H. et al. (2018). The Art of Memory Forensics. 1st Ed. United States of America: John Wiley & Sons.
  2. Microsoft. (2008). Understanding Crash Dump Files. TechNet blog, 08 Jan 2008 (accessed 11 Jan 2018). http://blogs.technet.com/b/askperf/archive/2008/01/08/understanding-crash-dump-files.aspx.
  3. Microsoft Corporation. (2018). Complete Memory Dump. [Online] Available at: http://msdn.microsoft.com/en-us/library/windows/hardware/ff539190%28v=vs.85%29.aspx.
  4. Microsoft Corporation. (2018). Small Memory Dump. [Online] Available at: http://msdn.microsoft.com/en-us/library/windows/hardware/ff556895%28v=vs.85%29.aspx.

About The Author

Chirath De Alwis is an information security professional with more than four years’ experience in the information security domain. He holds C|EH, C|HFI and Qualys Certified Security Specialist certifications and is reading for an MSc specializing in Cyber Security. Currently, Chirath is involved in vulnerability management, incident handling and digital forensics activities in Sri Lankan cyberspace. You can contact him at chirathdealwis@gmail.com.
