Create a .raw memory dump with Volatility

Abhinav Sharma
Feb 20 · 2 min read

Hello again! Today I’ll share the steps for creating a .raw memory dump with Volatility. Taking a memory dump means capturing the entire contents of RAM and writing them to a storage drive.

First, run the malware in a suitable VM. I prefer Windows 7 because it is easy to work with when creating a memory dump.
Once the system is infected, take a snapshot. Move to the directory where the snapshot was created; from here we will use a tool called vmss2core, which can be found here.

Suspend the machine. This creates a suspended-state image of the VM with the extension .vmss. Head over to the VM’s directory.

Step 1: Use the following command to create a memory.dmp file:

vmss2core-sb-8456865.exe -W file.vmss file.vmem

Okay, so once you are done you will see something like this.

Once vmss2core has finished writing the core, you will see a file named memory.dmp.
Next we use Volatility to find out which profile the image we just created belongs to.

I am using Win7SP1x64 as it is a suggested profile. The command for creating the .raw file using a specific profile is:

volatility -f memory.dmp --profile=Win7SP1x64 imagecopy -O jigsaw.raw

This way we can create our jigsaw.raw file.
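As an added check (example code, not part of the original post): vmss2core -W writes a WinDbg-style crash dump, which starts with a header beginning "PAGE" followed by "DUMP" (32-bit) or "DU64" (64-bit), while the .raw file that imagecopy produces has no such header. The snippet below reads that header to confirm the build number and machine type behind the profile you chose, and verifies that the conversion really produced a raw image. The sample header is constructed inline; the Windows 7 profile names are Volatility 2 names.

```python
import struct

# Windows crash-dump header constants (DUMP_HEADER32 / DUMP_HEADER64).
SIGNATURE = b"PAGE"
VALID_DUMP_32 = b"DUMP"
VALID_DUMP_64 = b"DU64"
HEADER_SIZE = {VALID_DUMP_32: 0x1000, VALID_DUMP_64: 0x2000}
MACHINE_OFFSET = {VALID_DUMP_32: 0x20, VALID_DUMP_64: 0x30}   # MachineImageType field
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664

# Build number + machine type -> Volatility 2 profile, for Windows 7 (the OS used in the post).
WIN7_PROFILES = {
    (7600, IMAGE_FILE_MACHINE_I386): "Win7SP0x86", (7600, IMAGE_FILE_MACHINE_AMD64): "Win7SP0x64",
    (7601, IMAGE_FILE_MACHINE_I386): "Win7SP1x86", (7601, IMAGE_FILE_MACHINE_AMD64): "Win7SP1x64",
}

def inspect_header(data: bytes) -> dict:
    """Classify the first bytes of an image as a crash dump (what vmss2core -W writes) or raw,
    and for a crash dump report the build, machine type and the matching Windows 7 profile."""
    if len(data) < 0x40 or data[:4] != SIGNATURE or data[4:8] not in HEADER_SIZE:
        return {"format": "raw-or-unknown", "profile": None}
    valid = data[4:8]
    build = struct.unpack_from("<I", data, 0x0C)[0]          # MinorVersion holds the OS build
    machine = struct.unpack_from("<I", data, MACHINE_OFFSET[valid])[0]
    return {"format": "crashdump64" if valid == VALID_DUMP_64 else "crashdump32",
            "header_size": HEADER_SIZE[valid], "build": build, "machine": machine,
            "profile": WIN7_PROFILES.get((build, machine))}

def check_conversion(dmp_head: bytes, raw_head: bytes) -> bool:
    """True when the input is a crash dump and the output no longer carries the dump header,
    i.e. imagecopy produced a raw image instead of an unchanged copy of memory.dmp."""
    return (inspect_header(dmp_head)["format"].startswith("crashdump")
            and inspect_header(raw_head)["format"] == "raw-or-unknown")

def build_sample_header64(build: int = 7601, machine: int = IMAGE_FILE_MACHINE_AMD64) -> bytes:
    """Constructed sample: a minimal 64-bit crash-dump header, not taken from a real dump."""
    hdr = bytearray(SIGNATURE * (0x2000 // 4))   # a real header pads unused bytes with "PAGE"
    hdr[4:8] = VALID_DUMP_64
    struct.pack_into("<I", hdr, 0x08, 0xF)       # MajorVersion (free build)
    struct.pack_into("<I", hdr, 0x0C, build)     # MinorVersion = build number (7601 = Win7 SP1)
    struct.pack_into("<I", hdr, 0x30, machine)   # MachineImageType (0x8664 = x64)
    return bytes(hdr)

if __name__ == "__main__":
    sample = build_sample_header64()
    print(inspect_header(sample))                      # profile -> Win7SP1x64
    print(check_conversion(sample, b"\x00" * 0x100))   # True: raw output has no dump header
```

On real files, pass the first 0x2000 bytes of memory.dmp and of jigsaw.raw to check_conversion.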

Until next time! :D
