Sometimes, my computer crashes. It did this today. When it does, the Blue Screen of Death appears, and the system writes an image of the physical memory to disk, storing it as a file called MEMORY.DMP. I was lucky in that I’d just saved the things I was working on, but I could be less lucky the next time.
Presumably this image contains all of the programs that were running, plus their data. It’s rather large and I’ve just been deleting it. Is it possible to dissect this file, isolate the application programs, and retrieve the data they’re working with?
It’s possible, but not practical except in extraordinary cases where the information is so valuable that the cost of your time is irrelevant. Memory dumps are more for the benefit of the programmer who is trying to determine why a system or program has failed. The programmer normally has the source code for the software, special software tools, an understanding of how the program works and how the program stores data in memory.
I believe the default is for a small memory dump. Unless it is a complete memory dump, memory allocated to a user mode program isn’t included, and what you are thinking you would like to recover isn’t likely to be there.
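Whether user-mode memory can be in the file at all depends on the dump type recorded in its header, so that is the first thing to check. The sketch below is an added example, not part of the original posts. It assumes the header layout described by publicly reverse-engineered `_DMP_HEADER` / `_DMP_HEADER64` definitions (signature in the first 8 bytes, a 32-bit DumpType at offset 0xF88 or 0xF98, and type values 1, 2 and 4), which Microsoft does not document. The function names and the sample headers are constructed for illustration.

```python
import struct

# Assumed layout (undocumented; from public reverse-engineered header definitions):
# signature -> (pointer width in bits, offset of the 32-bit DumpType field)
SIGNATURES = {b"PAGEDUMP": (32, 0xF88), b"PAGEDU64": (64, 0xF98)}

# Assumed DumpType values -> (label, can user-mode pages be present?)
DUMP_TYPES = {
    1: ("complete", True),
    2: ("kernel", False),
    4: ("small (triage)", False),
}


def classify_dump_header(header: bytes) -> dict:
    """Report bitness, dump type and whether user-mode memory can be present."""
    sig = header[:8]
    if sig not in SIGNATURES:
        raise ValueError("not a Windows kernel crash dump (bad signature)")
    bits, type_offset = SIGNATURES[sig]
    if len(header) < type_offset + 4:
        raise ValueError("header truncated before the DumpType field")
    (raw_type,) = struct.unpack_from("<I", header, type_offset)
    # Types outside the table are reported as undetermined (None), not guessed.
    name, has_user = DUMP_TYPES.get(raw_type, (f"unknown ({raw_type})", None))
    return {"bits": bits, "type": name, "user_mode_memory": has_user}


def classify_dump_file(path: str) -> dict:
    """Read only the header region of a dump file and classify it."""
    with open(path, "rb") as fh:
        return classify_dump_header(fh.read(0x2000))


def make_sample_header(sig: bytes, dump_type: int) -> bytes:
    """Constructed input: zero-filled header with only signature and type set."""
    _, type_offset = SIGNATURES[sig]
    buf = bytearray(0x2000)
    buf[:8] = sig
    struct.pack_into("<I", buf, type_offset, dump_type)
    return bytes(buf)


if __name__ == "__main__":
    for sig, dump_type in ((b"PAGEDU64", 2), (b"PAGEDU64", 1), (b"PAGEDUMP", 4)):
        print(classify_dump_header(make_sample_header(sig, dump_type)))
```
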
As others have pointed out, memory dumps are intended to be used by programmers to help figure out what went wrong, not as data recovery tools for specific applications. If you aren’t familiar with the actual code for your application, you would probably have a hard time finding anything useful, particularly if you are missing the symbols (the list of symbolic names in the program, and offsets to locate them in memory). To save space, commercial applications are often stripped (the symbols removed) before distribution.
If the application you are worried about is an editor of some sort, it may leave temp files following a crash. It’s more reasonable to wonder about recovering at least a portion of your intermediate work from them (such a file is where your uncommitted changes may be, rather than actually in memory, too). The UNIX vi editor, at least in some of its incarnations, has a mechanism to recover aborted edit sessions from its temp file. It’s still not likely to be fruitful if the application designer didn’t consciously provide for this feature, though.