So basically my computer is in deadlock: pressing Caps Lock does not light up the Caps Lock LED and nothing on the screen ever moves. So the computer has frozen. In such a case, would it be possible to obtain or recover memory data using some equipment?
Do you mean it simply has frozen? What do you mean by "deadlock"? What do you mean by "extracting memory"? Pulling something from the hard drive? Or actually recovering something in the physical RAM? – Eric F Nov 11 '14 at 14:50
http://superuser.com/questions/224496/how-do-i-create-a-memory-dump-of-my-computer-freeze-or-crash – Ƭᴇcʜιᴇ007 Nov 11 '14 at 15:32
@Techie007 - that's probably not a relevant link. That one is about forcing a crash and setting up in advance to capture contents in the event of a crash. This question is about how to recover contents after the fact if no preparations have been made. – fixer1234 Nov 11 '14 at 16:02
If you are a driver developer for drivers without actual hardware (like antivirus), use a VM for developing your drivers. If you are developing drivers for actual hardware and it locks your machine up, there is actually hardware equipment that can (a) force an NMI interrupt (making all your drivers stop and dump memory to a special location on hard disk) or (b) dump RAM somewhere else, by pressing a button outside the PC. But I think for the average SuperUser user, this equipment is "too expensive". – mihi Nov 11 '14 at 20:09
@mihi - If you had the equipment, could you use it after the fact or would it need to be pre-connected? – fixer1234 Nov 11 '14 at 20:11
I'd prefer to have it pre-connected. Technically it may work to connect a PCI (express) card during runtime, but as the bus is not specified for that, it may fry your hardware if you are unlucky. But there is no "software" preparation required (at least if you are running Windows and have a hibernation file configured). – mihi Nov 11 '14 at 20:15
If you anticipate such a situation, you can keep the hardware connected, however. Note that some expensive server boards (like from Dell) sometimes have that feature built into their remote administration cards. So if you have the RAC configured you can use it on an "unprepared" server in production if your AntiVirus (e.g.) freezes your machine, and give the dump to your AV vendor and sue for compensation :) – mihi Nov 11 '14 at 20:16
2 Answers
Various ports and sockets on a computer have direct memory access, including FireWire, ExpressCard, Thunderbolt, PCI and PCI Express. It may be possible to dump memory contents to another computer via a connection to one of these and appropriate software.
However, the contents wouldn't be neat and directly usable. What is in RAM is not like what is stored in the file system on your hard disk, all nicely arranged in self-contained files and directories. It would be more akin to a low-level recovery of contents from hard disk platters.
DMA over FireWire comes to mind, but you would need FireWire ports, and maybe the system does not even listen to them. – Jan Doggen Nov 11 '14 at 18:35
There is another approach to trying to salvage memory contents. A study at Princeton found that RAM contents actually persist after the power is shut off for seconds to minutes at room temperature and longer if the chips are frozen. This has been exploited to recover encryption keys (see this and this), using a technique called a cold boot attack.
The Princeton article mentions the potential to acquire usable full-system memory images by this approach. The third link mentions recovering 8 to 16GB of data from a preceding boot, which could be any data on the deadlocked PC. Two methods are mentioned in these links. One is physically transferring the RAM to another computer. The other is creation of a USB tool that dumps memory to storage immediately upon rebooting.
Using DMA, as discussed elsewhere on this post, might be the first thing to try since it keeps the RAM refreshed. However, if you don't have access to the necessary equipment and software to do that, this approach might be worth exploring.
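As the first answer notes, a RAM image has no files or directories, so salvaging anything from it means scanning raw bytes. The Python below is an added example, not part of either answer: it scans an image that has already been acquired (by either method above) for ASCII and UTF-16LE text fragments and reports their offsets. The names `carve_strings` and `sample_image` and the embedded sample bytes are constructed for illustration.

```python
import io
import re

MIN_LEN = 6           # shortest run of characters worth reporting
TAIL = 2 * MIN_LEN    # bytes carried over so a run split across reads is not lost
PATTERNS = {          # encoding name -> (byte pattern, codec)
    "ascii": (re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN), "ascii"),
    "utf16le": (re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN), "utf-16-le"),
}

def _scan(stream, pattern, chunk):
    """Yield (offset, raw_bytes) for each match, reading `chunk` bytes at a time."""
    base, buf = 0, b""                      # base = image offset of buf[0]
    while True:
        data = stream.read(chunk)
        buf += data
        keep = max(0, len(buf) - TAIL)
        for m in pattern.finditer(buf):
            if data and m.end() >= len(buf) - 1:
                keep = m.start()            # run may continue in the next read
                break
            yield base + m.start(), m.group()
            keep = max(m.end(), len(buf) - TAIL)
        if not data:                        # end of image: everything was reported
            return
        base, buf = base + keep, buf[keep:]

def carve_strings(stream, chunk=1 << 20):
    """Yield (offset, encoding, text) for text fragments in a raw memory image."""
    for name, (pattern, codec) in PATTERNS.items():
        stream.seek(0)                      # one pass over the image per encoding
        for offset, raw in _scan(stream, pattern, chunk):
            yield offset, name, raw.decode(codec)

def sample_image():
    """Constructed stand-in for a raw RAM image: binary filler around two fragments."""
    filler = bytes(range(0x80, 0x100)) * 8  # 1024 bytes, none printable
    return (filler + b"Dear Anna, the quarterly report" + filler
            + "unsaved draft.docx".encode("utf-16-le") + b"\x01\x02" + filler)

if __name__ == "__main__":
    for offset, encoding, text in sorted(carve_strings(io.BytesIO(sample_image()))):
        print(f"{offset:#010x}  {encoding:8}  {text}")
```

On a real image, open the dump file in binary mode and pass the file object instead of the `io.BytesIO` sample; expect many fragments with no indication of which program or document they belonged to.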