A memory dump, or crash dump, is a storage area where the system saves a copy of memory in the event of a system failure. The system also creates a memory dump when it does not have enough memory to continue operating. This copy lets users examine the cause of the crash and identify errors in applications or in the operating system. On Windows systems it is also known as the blue screen of death (BSOD).
The core dump records the system state, memory locations, application or program status, program counters, etc. as they were just before the failure. The system must reboot to become accessible again after the memory dump is written. The system also maintains a log file of the event for future reference.
The investigator can check the system for memory dumps in order to gather the system information they contain. This information can serve as evidence if malware caused the system failure. Tools such as DumpChk can be used to analyze the memory dump in such cases.
DumpChk
DumpChk (the Microsoft Crash Dump File Checker tool) is a program that performs a quick analysis of a crash dump file. It lets you see summary information about what the dump file contains. If the dump file is corrupt in such a way that a debugger cannot open it, DumpChk reports this to the investigator.
Syntax: DumpChk [-y SymbolPath] DumpFile
Parameters:
- -y SymbolPath: SymbolPath specifies where DumpChk is to search for symbols.
- DumpFile: DumpFile specifies the crash dump file that is to be analyzed.
Memory Dump (cont'd)
A memory dump file records information that helps to identify the reason for an unexpected system failure. It includes all the information regarding stop messages, the stopped processes, and a list of loaded drivers. It is also useful when the hard disk has limited space. The Dump Check utility helps to create and load memory dump files. Keep in mind that memory dump errors such as the blue screen memory dump error can also be caused by hardware problems.
The various memory dump file types are:
1. Automatic Memory Dump
An automatic memory dump is the default memory dump created in Windows 8 and Windows Server 2012 R2, in order to support the System Managed page file configuration. It contains the same information as the kernel memory dump, but allows the SMSS process to reduce the page file to a size smaller than the installed RAM.
2. Complete Memory Dump
A complete memory dump is a record of the entire contents of the physical memory (RAM) in the computer at the time of the system crash. A complete memory dump will usually contain data from the processes that were running when the system collected the dump.
3. Kernel Memory Dump
A kernel memory dump is created by default in the %systemroot% folder as a memory dump file whenever a machine has a kernel fault. The kernel memory dump files created by Windows are of intermediate size. They record only kernel memory and the information needed for troubleshooting. The size of a kernel memory dump varies; it contains only the kernel-mode read or write pages that exist in physical memory at the time of the system crash.
4. Small Memory Dump
A small memory dump is a 64 KB dump containing the stop code and a list of all the loaded drivers and parameters. It records information that assists in identifying the cause of the unexpected system crash. Small memory dump files are stored in the %systemroot%\Minidump folder by default.
Note: If the user has set the path where the kernel memory dump or small memory dump is stored, that path is visible in the Dump file text box in the Startup and Recovery window.
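As an added example (not code from the original article or from DumpChk), the following Python script performs the kind of quick header triage described above: it recognises the small-dump (MDMP) and 64-bit crash-dump (PAGEDU64) signatures, flags a truncated header as not openable, and reads the stop code, its four parameters and the dump type from a 64-bit header. The field offsets are assumed from the public DUMP_HEADER64 layout; the sample header is constructed in the script and is not a real dump.

```python
import struct

# Header layout used here follows the public DUMP_HEADER64 structure
# (assumed; verify offsets against your debugger SDK headers).
DUMP_HEADER64_SIZE = 0x2000
OFF_BUGCHECK_CODE = 0x38    # ULONG   BugCheckCode
OFF_BUGCHECK_PARAMS = 0x40  # ULONG64 BugCheckParameter1..4
OFF_DUMP_TYPE = 0xF98       # ULONG   DumpType
DUMP_TYPES = {1: "complete memory dump", 2: "kernel memory dump",
              5: "bitmap-format kernel dump (Windows 8 and later)"}


def triage_dump(data: bytes) -> dict:
    """Classify a dump from its header and pull the stop-code summary."""
    if data[:4] == b"MDMP":  # small memory dump (minidump container)
        return {"format": "small memory dump", "valid": True}
    if data[:4] != b"PAGE":
        return {"format": "unknown", "valid": False,
                "reason": "no PAGE/MDMP signature"}
    if data[4:8] == b"DUMP":  # 32-bit header uses other offsets; not parsed here
        return {"format": "32-bit crash dump", "valid": True}
    if data[4:8] != b"DU64":
        return {"format": "crash dump", "valid": False, "reason": "bad ValidDump field"}
    if len(data) < DUMP_HEADER64_SIZE:  # the case DumpChk would report as corrupt
        return {"format": "64-bit crash dump", "valid": False, "reason": "truncated header"}
    (code,) = struct.unpack_from("<I", data, OFF_BUGCHECK_CODE)
    params = struct.unpack_from("<4Q", data, OFF_BUGCHECK_PARAMS)
    (dtype,) = struct.unpack_from("<I", data, OFF_DUMP_TYPE)
    return {"format": "64-bit crash dump", "valid": True,
            "bugcheck": f"0x{code:08X}",
            "params": [f"0x{p:016X}" for p in params],
            "dump_type": DUMP_TYPES.get(dtype, f"unknown ({dtype})")}


def build_sample_header(bugcheck: int, params: tuple, dump_type: int) -> bytes:
    """Constructed test header only: not a real dump, holds no memory pages."""
    buf = bytearray(DUMP_HEADER64_SIZE)
    buf[0:8] = b"PAGEDU64"
    struct.pack_into("<I", buf, OFF_BUGCHECK_CODE, bugcheck)
    struct.pack_into("<4Q", buf, OFF_BUGCHECK_PARAMS, *params)
    struct.pack_into("<I", buf, OFF_DUMP_TYPE, dump_type)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample: stop code 0x7E, access-violation status as parameter 1,
    # marked as a kernel memory dump.
    sample = build_sample_header(0x7E, (0xC0000005, 0, 0, 0), 2)
    print(triage_dump(sample))
    print(triage_dump(b"PAGEDU64"))    # truncated header: reported as not valid
    print(triage_dump(b"not a dump"))  # no recognised signature
```

To run it against a real file, pass the first 0x2000 bytes of the dump to triage_dump and compare the stop code with what DumpChk prints.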
Questions related to this topic
- How do I read system error memory dump files?
- How do I create a memory dump file?
- What is a kernel memory dump?
- How do I read a memory dump file?
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com