search

504ensicsLabs / LiME

LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
GNU General Public License v2.0
1.72k stars 339 forks source link

Enable DIO #108

Open IridiumXOR opened 1 year ago

IridiumXOR commented 1 year ago

How is it possible to enable direct I/O? Obviously, I enable the flag dio=1 when I load the module however, if I check using a debug build the module always returns Direct IO Disabled. I have used a USB3 drive on a real machine but I have also tested the option on a QEMU virtual machine with SCSI, SATA and USB virtual disks with ext4 and xfs but no results (also mounting partitions with sync option). Can you explain how to use this feature?

IridiumXOR commented 1 year ago

I have investigated a little bit and seems that starting from kernel 4.14 (when vfs_write was replaced by kernel_write) DIO is not usable anymore, because kernel_write always returns -EFAULT if used with O_DIRECT (it is hardcoded in the code)

EDIT: I have discovered that this behavior is specific of EXT4 if you use a VFAT partition DIO works