4

A typical linux machine mounts a tmpfs to store temporary files:

$ df
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             953M  702M  203M  78% /
tmpfs                 1.5G  111M  1.5G   0% /tmp
...

On a live machine, how can I access the underlying memory of the tmpfs as a block device in order to image it with dd for file recovery / forensic / intrusion detection purposes? There is no device in /dev that properly isolates and maps the memory used by the tmpfs to a block device.

This question has been asked here, but none of the answers were helpful: https://www.linuxquestions.org/questions/linux-general-1/how-to-backup-ramfs-or-tmpfs-using-dd-4175422520/

Duke Nukem
  • 1,195
  • 1
  • 9
  • 19
  • 1
    *"how can I access the underlying memory of the `tmpfs` as a block device"* -- You cannot; memory has no *"block"* interface. *"There is no device in `/dev`"* -- Because memory is not a *"device"*. – sawdust Feb 26 '22 at 00:38
  • @sawdust Well, there is [/dev/kmem](https://man7.org/linux/man-pages/man4/mem.4.html). But that's all of the kernel virtual memory, not just tmpfs. – jpa Feb 26 '22 at 11:19
  • `tmpfs` is not based on any flat block device in the first place, and it has no file system compatible with any such block device, so there is nothing to 'image'. – Boann Feb 26 '22 at 14:49

1 Answers1

5

From what Ive read there is no underlying block device. tmpfs is dynamically resized through the kernel - from which I deduce it cant be treated as a block. Ypu wpld need to use ramdisk of you want a block device.

davidgo
  • 68,623
  • 13
  • 106
  • 163
  • Thanks for the info. I'm guessing the original question is impossible without messing with custom kernel modules or the kernel itself... – Duke Nukem Feb 25 '22 at 23:23
  • 1
    ramfs works identically to tmpfs (except for it being locked into physical memory, while tmpfs can be swapped out). It's _ramdisk_ (brd) that provides a block device. – u1686_grawity Feb 26 '22 at 10:16
  • @user1686 Ive updated my answer. It wmbarrasing it received upvotes while being wrong. Thank you! – davidgo Feb 26 '22 at 17:56