How to read tmpfs as a block device in linux?

Question

A typical linux machine mounts a tmpfs to store temporary files:

$ df
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             953M  702M  203M  78% /
tmpfs                 1.5G  111M  1.5G   0% /tmp
...

On a live machine, how can I access the underlying memory of the tmpfs as a block device in order to image it with dd for file recovery / forensic / intrusion detection purposes? There is no device in /dev that properly isolates and maps the memory used by the tmpfs to a block device.

This question has been asked here, but none of the answers were helpful: https://www.linuxquestions.org/questions/linux-general-1/how-to-backup-ramfs-or-tmpfs-using-dd-4175422520/

davidgo · Accepted Answer · 2022-02-26T17:55:17.837

5

From what Ive read there is no underlying block device. tmpfs is dynamically resized through the kernel - from which I deduce it cant be treated as a block. Ypu wpld need to use ramdisk of you want a block device.

edited Feb 26 '22 at 17:55

answered Feb 25 '22 at 23:15

davidgo

73,366

How to read tmpfs as a block device in linux?

1 Answers1