There are two great articles about how to acquire memory on Linux using linpmem:
Trying the approach from holdmybeersecurity I ran into the following issue, which seems to be a more general problem:
    wget https://github.com/google/rekall/releases/download/v1.5.1/linpmem-2.1.post4
    chmod +x linpmem-2.1.post4
    ./linpmem-2.1.post4 -o mem.aff4r
It runs directly and creates a huge file (I stopped it at > 160GB). Checking linpmem more closely, it relies on the Linux memory mapping /proc/kcore to acquire the data.
    sudo ls -lh /proc/kcore
    -r-------- 1 root root 128T Dec 12 11:32 /proc/kcore
This is huge! As stated here...

    ... /proc/kcore is the virtual allocation of your RAM for the kernel. On 64 bit systems that size can be an absolute limit of 128T since that is the most the system can allocate.
which is kind of against what man proc says:

    /proc/kcore
    This file represents the physical memory of the system and is stored in the ELF core file format. With this pseudo-file, and an unstripped kernel (/usr/src/linux/vmlinux) binary, GDB can be used to examine the current state of any kernel data structures.
    The total length of the file is the size of physical memory (RAM) plus 4 KiB.
So the big question is: How to acquire the memory/swap only, but not the HDD content?
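What /proc/kcore really covers can be read from its own ELF program headers rather than from the 128T file size: each PT_LOAD segment records a virtual address, a physical address and a length, and only the RAM-backed segments carry a real physical address. The following is an added example, not code from the post or from linpmem; it assumes a little-endian ELF64 kcore and, as recent kernels do, that vmalloc-style segments mark p_paddr as -1. The constructed sample image below is made up, not captured from a real host.

```python
import struct
import sys

# ELF64 header and program header layouts (System V ABI), little-endian.
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # 64 bytes: e_ident .. e_shstrndx
PHDR_FMT = "<IIQQQQQQ"           # 56 bytes: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
PT_LOAD = 1
PT_NOTE = 4
NO_PADDR = (1 << 64) - 1          # kcore uses p_paddr = -1 for segments that are not physical RAM


def load_segments(data):
    """Return (p_vaddr, p_paddr, p_memsz) for every PT_LOAD header in an ELF64 core image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:     # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    segs = []
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p[0] == PT_LOAD:
            segs.append((p[3], p[4], p[6]))
    return segs


def ram_bytes(segs):
    """Sum the sizes of segments that map physical RAM (real p_paddr), ignoring vmalloc-style ones."""
    return sum(memsz for _, paddr, memsz in segs if paddr != NO_PADDR)


def read_kcore_segments(path="/proc/kcore"):
    """Read only the ELF header and program header table of kcore (needs root), never the memory itself."""
    with open(path, "rb") as f:
        hdr = struct.unpack(EHDR_FMT, f.read(64))
        f.seek(0)
        return load_segments(f.read(hdr[5] + hdr[9] * hdr[10]))


def build_sample_core():
    """Constructed image: one PT_NOTE, a 1 GiB RAM segment and a 256 MiB vmalloc segment without a paddr."""
    phdrs = [
        (PT_NOTE, 0, 64, 0, 0, 0, 0, 0),
        (PT_LOAD, 6, 0x1000, 0xffff888000000000, 0x0, 0x40000000, 0x40000000, 0x1000),
        (PT_LOAD, 6, 0x40001000, 0xffffc90000000000, NO_PADDR, 0x10000000, 0x10000000, 0x1000),
    ]
    e_ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9          # ELFCLASS64, little-endian, version 1
    ehdr = struct.pack(EHDR_FMT, e_ident, 4, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)


if __name__ == "__main__":
    segs = read_kcore_segments(sys.argv[1] if len(sys.argv) > 1 else "/proc/kcore")
    print(f"{len(segs)} PT_LOAD segments, {ram_bytes(segs) >> 20} MiB backed by physical RAM")
```

Run as root against the live /proc/kcore, the RAM-backed total is what an acquisition tool actually has to copy; the 128T reported by ls is just the kernel virtual address range the headers can describe.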