You can dump the memory of a Linux or Unix server. This is useful for forensic analysis and for testing your own system. A memory dump lets you:

  • See what code and what data actually reside in memory.
  • Search the memory of a specific PID.
  • Search memory for strings and other data such as passwords.
  • Work with gdb and other tools as an add-on.
  • Search/replace/dump memory from running processes and core files.
  • Carry out all kinds of deep hacking activities that save you time and solve problems.

LiME (Linux Memory Extractor)

From the project home page:

LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

=> Download LiME


Draugr

From the project home page:

By using /dev/(k)mem or a memory dump, Draugr can be used to access easily in Python to this memory, play (read, write, disassemble, search) with it … and can find system information (processes …) by different methods. It can find kernel symbols (pattern matching in an XML file or with EXPORT_SYMBOL), processes (information and sections) (by the kernel linked list or bruteforce) and disassemble/dump the memory.

=> Download draugr


Volatilitux

From the project home page:

Volatilitux is pretty much the equivalent of Volatility for Linux systems. Volatilitux supports the following architectures for physical memory dumps:
* x86
* x86 with PAE enabled

It supports the following commands:
* pslist: print the list of all processes
* memmap: print the memory map of a process
* memdmp: dump the addressable memory of a process
* filelist: print the list of all open files for a given process
* filedmp: dump an open file

=> Download volatilitux.


Memfetch

It is a simple utility to dump all memory of a running process, either immediately or when a fault condition is discovered. It is an attractive alternative to the vastly inferior search capabilities of many debuggers and tracers – and a convenient way to grab “screenshots” from many types of text-based interactive utilities. To install memfetch:

## FreeBSD ##
pkg_add -r -v memfetch 
## other *nix user download it from the following url ##
tar xvf memfetch.tgz
cd memfetch && make

=> Download memfetch

Crash utility from Red Hat, Inc

The core analysis suite is a self-contained tool that can be used to investigate either live systems, kernel core dumps created from the netdump, diskdump and kdump packages from Red Hat Linux, the mcore kernel patch offered by Mission Critical Linux, or the LKCD kernel patch. This tool can be used for memory forensics. To install:

## RHEL / CentOS ##
yum install crash
## Novell / Suse / OpenSUSE ##
zypper install yast2-kdump

=> Download crash


Memgrep

A simple utility to search/replace/dump memory from running processes and core files. To install:

## FreeBSD ##
pkg_add -r -v memgrep

=> Download memgrep.
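
What memfetch and memgrep do for a running process can be reproduced on Linux with /proc/<pid>/maps and /proc/<pid>/mem. This is an added example, not code from either tool or from this article; the function names parse_maps and search_process and the marker string are constructed for illustration, and the script searches its own memory so it runs without extra privileges.

```python
#!/usr/bin/env python3
"""Search a process's readable memory via /proc/<pid>/maps and /proc/<pid>/mem."""
import os
import re

# maps line: start-end perms offset dev inode [name]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \d+\s*(.*)$")
KERNEL_PAGES = ("[vvar]", "[vsyscall]")

def parse_maps(text):
    """Return (start, end, perms, name) for every mapping in maps-format text."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            regions.append((int(m[1], 16), int(m[2], 16), m[3], m[4]))
    return regions

def search_process(pid, needle, max_region=64 << 20):
    """Return the addresses at which needle occurs in pid's readable mappings."""
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_maps(f.read())
    hits = []
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for start, end, perms, name in regions:
            # Skip unreadable mappings, kernel-provided pages and huge regions.
            if "r" not in perms or name in KERNEL_PAGES or end - start > max_region:
                continue
            try:
                data = os.pread(mem.fileno(), end - start, start)
            except (OSError, OverflowError):
                continue  # a hole: listed in maps but not readable through mem
            pos = data.find(needle)
            while pos != -1:
                hits.append(start + pos)
                pos = data.find(needle, pos + 1)
    return hits

if __name__ == "__main__":
    # Constructed marker, joined at run time so the full string exists only
    # in this process's memory, not in the script text.
    marker = b"".join([b"MEM-", b"DEMO-", os.urandom(4).hex().encode()])
    found = search_process(os.getpid(), marker)
    print(f"{len(found)} hit(s) for {marker!r}:", [hex(a) for a in found[:5]])
```

Pointing search_process at another PID requires root or ptrace permission over that process; without it, opening /proc/<pid>/mem fails with a permission error.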


Memdump

This program dumps system memory to the standard output stream, skipping over holes in memory maps. By default, the program dumps the contents of physical memory. This software is distributed under the IBM Public License. To install memdump:

## Debian / ubuntu Linux ##
sudo apt-get install memdump
## FreeBSD ##
pkg_add -r -v memdump

See the man page for usage information:
man memdump

=> Download memdump.


Foriana

It is another tool for extraction of information such as the process and modules lists from a RAM image using logical relations between OS structures.

=> Download foriana

If you have any other tips and tools you’d like to add, please share them in the comments below!

7 comments
  • arul Mar 20, 2013 @ 3:03

    Nice article (y)

  • ron Mar 21, 2013 @ 9:54

    I use this to track memory leaks:

    • Michele Campus Dec 14, 2014 @ 10:08

      The best for memory leaks!

  • Ron Salvatore Koss Mar 21, 2013 @ 16:06

    what happened to my comment ? any censorship around here ?

    try “valgrind” to debug software in memory

    • 🐧 nixcraft Mar 21, 2013 @ 17:56

      Comments are moderated and it takes time to see it posted.


  • LD_Viper May 19, 2013 @ 14:16

    Nice Article,

    But a little Quick & Dirty example would be nice per program…
    No Biggy, Will try them all !


  • AlexUKPL Jan 28, 2015 @ 0:38 – download memdump !!!! :) Enjoy :)
