I am using Ubuntu 11.10, and wish to simply know whether I can dump all physical memory and swap, as due to some kernel restrictions, I can't dd /dev/mem, even as superuser.
Is there any workaround or option to allow dd'ing /dev/mem or a dedicated tool made to do this correctly?
You used to be able to simply dd /dev/mem back in the day, but no longer for security reasons (since kernel 2.6, IIRC).
The alternative is to either build the kernel yourself wih the option to let root do that (will edit with name later, on phone now) OR better, use fmem, a kernel module which creates a /dev/fmem device pretty much meant for easy dumping.
fmem works great for me on 12.04. Just make sure you use the run.sh file included in the tarball to load the module; do not use insmod:
$ ./run.sh
...
----Memory areas: -----
reg00: base=0x000000000 ( 0MB), size= 1024MB, count=1: write-back
reg01: base=0x0c8800000 ( 3208MB), size= 2MB, count=1: write-combining
-----------------------
!!! Don't forget add "count=" to dd !!!
$ ls /dev/f*
/dev/fb0 /dev/fd0 /dev/fmem /dev/full /dev/fuse
$ sudo dd if=/dev/fmem of=/tmp/fmem_dump.dd bs=1MB count=10
10+0 records in
10+0 records out
10000000 bytes (10 MB) copied, 0.0331212 s, 302 MB/s
