Daily IT pill

Is there any tool in Linux to dump the system memory?

Yes: rather than reading /dev/mem directly or writing your own program, you can grab Linux Memory Grabber from GitHub. Keep in mind that it is impossible to read all of RAM without modifying at least a tiny part of it while doing so.

Foremost – tool to recover deleted data

A well known tool for recovering data in Linux is TestDisk; this time, however, I will mention an alternative that is maybe less well known: Foremost. It is a utility released to the public domain, developed by the USA Air Force Office of Special Investigations and The Center for Information Systems Security Studies and Research. It is basically a data scavenger and forensic tool which, regardless of the underlying file system, scans for specific file types based on known headers, data structures and footers.

For instance, you can scan for XLSX files with the command below:

foremost -t zip -i /dev/sdb1 -o /restore

Here not only zip files are scanned for but also jar files and the common Open Office and MS Office files whose extensions end in x, which are basically compressed zip archives; /restore is the output directory for the restored files. As always, we must restore data to a different partition from the one being scanned.
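The header/footer carving that foremost -t zip performs, reduced to a small added example in Python (illustration code written for this note, not Foremost's implementation): it scans a constructed raw image for the zip local-header and end-of-central-directory signatures, skips a header that has no footer, and validates each carved container before trusting it.

```python
import io
import struct
import zipfile

ZIP_HEADER = b"PK\x03\x04"   # local file header signature (start of a zip entry)
ZIP_FOOTER = b"PK\x05\x06"   # end-of-central-directory signature (end of archive)
EOCD_FIXED_LEN = 22          # EOCD record length without the trailing comment

def make_zip(name: str, payload: bytes) -> bytes:
    """Build one small zip container in memory (helper for the constructed image)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def build_sample_image() -> bytes:
    """Constructed 'partition image': an xlsx-like and a jar-like zip between zeroed blocks, then a truncated header."""
    filler = b"\x00" * 512
    return (filler + make_zip("xl/workbook.xml", b"<workbook/>")
            + filler + make_zip("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            + filler + ZIP_HEADER + b"\x00" * 26)  # header with no footer: unrecoverable

def carve_zips(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Byte ranges from a zip header to a complete EOCD record (the header/footer rule foremost -t zip applies)."""
    found, pos = [], 0
    while (start := image.find(ZIP_HEADER, pos)) != -1:
        end = image.find(ZIP_FOOTER, start, start + max_size)
        if end == -1 or end + EOCD_FIXED_LEN > len(image):
            pos = start + 1  # no usable footer within max_size: partial file, skip it
            continue
        comment_len = struct.unpack_from("<H", image, end + 20)[0]  # EOCD comment length
        stop = end + EOCD_FIXED_LEN + comment_len
        found.append(image[start:stop])
        pos = stop
    return found

def validate(blob: bytes) -> bool:
    """Signature matches alone give false positives; require the container to parse and CRCs to check."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False

def carved_entries(image: bytes) -> list:
    """Entry names of each valid carved container, in image order."""
    return [zipfile.ZipFile(io.BytesIO(b)).namelist()
            for b in carve_zips(image) if validate(b)]
```

Running carved_entries(build_sample_image()) returns the two recovered containers and silently drops the truncated header, which is also why Foremost can only return what has both a recognizable start and end on disk.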

If we want just a report without recovering any data, the command is:

foremost -w -t zip -i /dev/sdb1 -o /restore

Important: the output directory must be empty, otherwise we must specify -T; this switch creates a folder starting with the specified name and appending the current date and time to it.

foremost -w -T -t zip -i /dev/sdb1 -o /restore/

Unfortunately this software doesn't let you look for specific files or folders, but it can be tried when other tools have failed, also because it is quite fast. For instance, it has been useful to scan for deleted files on a Novell file system (in an old Linux OES).

Even if it should be quite obvious, it has to be mentioned that this tool doesn't work with encrypted partitions.