
Memory dump file formats explained (.mem, .raw, .vmem, LiME)


Memory forensics starts with acquisition, and the format of the resulting file determines what a tool can do with it. The short version: anything where physical address equals file offset is easy. Anything structured (crash dump container, hibernation file, compressed stream) needs a conversion pass before an analyzer can read it directly.

Raw / physical images — best supported

A raw physical memory image is a flat, byte-for-byte copy of RAM: physical address N is at file offset N. Every modern memory analyzer is built around this layout.

  • .mem / .raw / .bin — generic raw dumps from DumpIt, FTK Imager, Magnet RAM Capture (default mode), winpmem (--format=raw). No header at all, so nothing in the file tells you how much RAM the machine had or where the reserved holes were.
  • .vmem — a VMware guest's physical memory, effectively raw. Suspend the VM (or take a snapshot) and copy the .vmem from the VM directory; copying it out from under a running VM gives an inconsistent image.
  • LiME (.lime) — Linux Memory Extractor output in its lime format. Each physical memory range is preceded by a 32-byte header (magic, version, start and end address), so file offsets are not quite physical addresses, but the run table is trivial and most analyzers read it directly. LiME can also write a zero-padded raw image (format=padded) if you want a flat file.

For pure analyzer compatibility, prefer raw. It is the lowest-common-denominator format and survives the longest in archive storage without needing tool-version pinning. The price is that raw carries no metadata: record the acquisition time, tool, host and hash alongside it, because the file itself cannot tell you.

Formats that need conversion

  • Windows crash dumps (.dmp). A PAGEDUMP/PAGEDU64 header followed by a run table (or, on newer Windows, a page bitmap) that maps physical pages into the file, so offsets are not physical addresses. The Memory.dmp from a BSOD lives here. Volatility 2's imagecopy or Comae's Dmp2Bin flattens a dump to raw; Volatility 2 and 3 can also read crash dumps directly through their crash-dump layer. (Volatility 2's raw2dmp goes the other way, raw to .dmp.)
  • Hibernation files (hiberfil.sys). Compressed, with a structured header and page tables that map decompressed pages back to physical addresses. Comae's Hibr2Bin decompresses to raw; Volatility 2's imagecopy handles XP through Windows 7 layouts. Windows 8 and later changed the compression, and a hiberfil left on disk after a resume may have its header wiped, so check the first four bytes (hibr/HIBR means intact, wake/WAKE means resumed) before spending time on it.
  • AVML output. Microsoft's AVML writes LiME format by default; with --compress it writes a Snappy-compressed stream that analyzers do not read. avml-convert turns compressed output back into LiME or raw.
  • VMware snapshots with separate descriptors. A .vmsn / .vmss references the .vmem. Point your tool at the .vmem for most guests, but the descriptor is more than metadata: its memory-region list is what maps around the PCI hole below 4 GB in larger guests, and some VMware versions embed the guest RAM inside the .vmss/.vmsn itself. Volatility's vmware layer reads the pair.
  • Hyper-V .bin + .vsv. Similar split: .bin is the guest RAM and is effectively raw, .vsv is the saved device state. Newer Hyper-V versions replace the pair with a single .vmrs runtime-state file, which is not a flat image and needs a Hyper-V-aware tool to extract the memory.
  • AFF4 (.aff4). ZIP-based container format and winpmem's default output (the winpmem_mini variant writes raw). Few analyzers read it natively. Use aff4imager or winpmem's own export to convert to raw.
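As an added example (not ramparser's code, nor any of the tools named above), the Python below does what this section and the previous one describe: it sniffs an image by its leading bytes rather than its extension, tells flat layouts apart from containers that need conversion, and shows the one structured format analyzers do read directly, LiME, by walking its run table to resolve a physical address to a file offset and by flattening it to raw. The sample images are constructed in the script. The 32-byte LiME header layout (magic 0x4C694D45, version, inclusive start and end address, reserved) is the format's own; the crash-dump, hiberfil, AFF4, Snappy and VMware magics are the signatures analyzers such as Volatility test for.

```python
import struct

LIME_MAGIC = 0x4C694D45                 # little-endian "LiME", reads "EMiL" in a hex dump
LIME_HDR = struct.Struct("<IIQQ8s")     # magic, version, start, end (inclusive), reserved

# Well-known signatures of containers that must be flattened before analysis.
STRUCTURED = [
    (b"PAGEDUMP", "windows-crashdump-32"),
    (b"PAGEDU64", "windows-crashdump-64"),
    (b"hibr", "hiberfil"), (b"HIBR", "hiberfil"),
    (b"wake", "hiberfil-resumed"), (b"WAKE", "hiberfil-resumed"),
    (b"PK\x03\x04", "aff4-zip"),                     # AFF4 is a ZIP container
    (b"\xff\x06\x00\x00sNaPpY", "snappy-framed"),    # AVML --compress output
]
VMWARE_MAGICS = {0xBED2BED0, 0xBAD1BAD1, 0xBED2BED2, 0xBED3BED3}  # .vmss / .vmsn


def sniff(data: bytes) -> str:
    """Classify an image by content; the extension is never consulted."""
    for sig, name in STRUCTURED:
        if data.startswith(sig):
            return name
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] in VMWARE_MAGICS:
        return "vmware-snapshot"
    if len(data) >= LIME_HDR.size and struct.unpack_from("<I", data)[0] == LIME_MAGIC:
        return "lime"
    return "raw"  # no recognised header: flat physical memory, or something unknown


def needs_conversion(data: bytes) -> bool:
    """True when an analyzer cannot treat file offsets as physical addresses."""
    return sniff(data) not in ("raw", "lime")


def lime_runs(data: bytes):
    """Walk the LiME section headers -> [(phys_start, phys_end_inclusive, file_offset)]."""
    runs, off = [], 0
    while off + LIME_HDR.size <= len(data):
        magic, version, start, end, _ = LIME_HDR.unpack_from(data, off)
        if magic != LIME_MAGIC or version != 1 or end < start:
            raise ValueError(f"bad LiME header at file offset {off:#x}")
        off += LIME_HDR.size
        runs.append((start, end, off))
        off += end - start + 1
    if off != len(data):
        raise ValueError("truncated LiME range")
    return runs


def phys_to_offset(data: bytes, paddr: int):
    """File offset holding physical address `paddr`, or None when unmapped."""
    fmt = sniff(data)
    if fmt == "raw":
        return paddr if paddr < len(data) else None  # identity mapping
    if fmt == "lime":
        for start, end, off in lime_runs(data):
            if start <= paddr <= end:
                return off + (paddr - start)
        return None  # falls in a gap between ranges (reserved/MMIO hole)
    raise ValueError(f"{fmt}: structured container, convert to raw first")


def lime_to_raw(data: bytes) -> bytes:
    """Flatten LiME to raw, zero-filling the holes between ranges."""
    out, cursor = bytearray(), 0
    for start, end, off in lime_runs(data):
        if start < cursor:
            raise ValueError("overlapping LiME ranges")
        out += b"\x00" * (start - cursor)
        out += data[off:off + (end - start + 1)]
        cursor = end + 1
    return bytes(out)


def make_lime(ranges):
    """Constructed sample: [(phys_start, payload_bytes)] -> LiME image."""
    img = bytearray()
    for start, payload in ranges:
        img += LIME_HDR.pack(LIME_MAGIC, 1, start, start + len(payload) - 1, b"\x00" * 8)
        img += payload
    return bytes(img)


if __name__ == "__main__":
    # Two ranges with a hole in between, like the legacy reserved area below 1 MiB.
    lime = make_lime([(0x0, b"A" * 0x100), (0x1000, b"B" * 0x100)])
    print(sniff(lime), phys_to_offset(lime, 0x1005), phys_to_offset(lime, 0x500))
    flat = lime_to_raw(lime)
    print(sniff(flat), len(flat), phys_to_offset(flat, 0x1005))
    crash = b"PAGEDU64" + b"\x00" * 56
    print(sniff(crash), needs_conversion(crash))
```

A raw dump has no magic, so "raw" here really means "nothing recognised": a truncated or exotic file lands in the same bucket, which is exactly why a failed OS fingerprint on a supposedly raw image should send you back to the format question rather than to the analyzer's bug tracker.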

How ramparser detects the OS

Regardless of extension, ramparser fingerprints from content:

  • Windows — the kernel's CodeView/RSDS debug record. Its GUID and age are also the symbol-server key used to fetch the matching ntoskrnl PDB, so one match yields both the OS and its symbols. Every PE image in RAM carries an RSDS record; only the one naming a kernel PDB (ntkrnlmp.pdb, ntoskrnl.pdb, ntkrnlpa.pdb, ntkrpamp.pdb) identifies the OS.
  • Linux — the "Linux version ..." banner string the kernel emits at boot, which carries the release string needed to pick a symbol file.

If detection says unknown, the image is likely a compressed container, an encrypted dump, or a crash-dump format. Convert it to raw and retry.
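An added example, not ramparser's implementation, of the two fingerprints above in Python. It scans for RSDS records, skips the ones that belong to user-mode modules, builds the symbol-server key from the GUID and age, and matches the Linux boot banner; when neither hits it reports unknown, which on a real image is the cue to revisit the format. The Windows and Linux fragments are constructed inline in the shape a kernel leaves them, not taken from a real capture.

```python
import re
import struct

RSDS = struct.Struct("<4sIHH8sI")   # "RSDS", GUID as Data1/Data2/Data3/Data4, age
KERNEL_PDBS = ("ntkrnlmp.pdb", "ntkrnlpa.pdb", "ntkrpamp.pdb", "ntoskrnl.pdb")
LINUX_BANNER = re.compile(rb"Linux version (\d+\.\d+\.\d+[^\s\x00]*) \(([^)\x00]{1,200})\) \(")


def windows_symbol_key(data: bytes):
    """Find the kernel's CodeView/RSDS record and build the symbol-server key
    <pdb>/<GUID hex><age hex>/<pdb> used to fetch the matching PDB."""
    pos = data.find(b"RSDS")
    while pos != -1 and pos + RSDS.size <= len(data):
        _, d1, d2, d3, d4, age = RSDS.unpack_from(data, pos)
        end = data.find(b"\x00", pos + RSDS.size)
        path = data[pos + RSDS.size:end].decode("ascii", "replace") if end != -1 else ""
        pdb = path.rsplit("\\", 1)[-1]
        # Every PE in RAM carries an RSDS record; only the kernel's names the OS.
        if pdb.lower() in KERNEL_PDBS:
            guid = f"{d1:08X}{d2:04X}{d3:04X}{d4.hex().upper()}"
            return {"pdb": pdb, "guid": guid, "age": age,
                    "key": f"{pdb}/{guid}{age:X}/{pdb}"}
        pos = data.find(b"RSDS", pos + 4)
    return None


def linux_release(data: bytes):
    """Match the boot banner 'Linux version <release> (<builder>) (<compiler>, ...'.
    Requiring the compiler group rejects stray copies of the bare release string
    (for example a uname output sitting in some process's heap)."""
    m = LINUX_BANNER.search(data)
    if not m:
        return None
    return {"release": m.group(1).decode(), "built_by": m.group(2).decode()}


def fingerprint(data: bytes):
    win = windows_symbol_key(data)
    if win:
        return "windows", win
    lin = linux_release(data)
    if lin:
        return "linux", lin
    return "unknown", None   # compressed/encrypted/container image, or no kernel in it


def sample_windows() -> bytes:
    """Constructed image fragment: a user-mode decoy record, then the kernel's."""
    decoy = b"RSDS" + struct.pack("<IHH8sI", 1, 2, 3, b"\x04" * 8, 1) + b"user32.pdb\x00"
    kernel = b"RSDS" + struct.pack("<IHH8sI", 0x11223344, 0x5566, 0x7788,
                                   bytes.fromhex("99AABBCCDDEEFF00"), 2) + b"ntkrnlmp.pdb\x00"
    return b"\x00" * 0x40 + decoy + b"\x00" * 0x20 + kernel + b"\x00" * 0x40


def sample_linux() -> bytes:
    """Constructed banner in the shape the kernel prints (not from a real capture)."""
    banner = (b"Linux version 5.15.0-91-generic (buildd@lcy02-amd64-045) "
              b"(gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) "
              b"#101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023\x00")
    return b"\x00" * 0x20 + banner + b"\x00" * 0x20


if __name__ == "__main__":
    print(fingerprint(sample_windows()))
    print(fingerprint(sample_linux()))
    print(fingerprint(b"PAGEDU64" + b"\x00" * 4096))  # crash-dump header, kernel not reachable
```

Note the GUID is emitted in Microsoft's field order (Data1, Data2, Data3 as integers, Data4 as raw bytes) with the age appended in uppercase hex and no padding; that string is the path component the symbol server expects, so a byte-order slip here produces a 404 rather than an error you can debug.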

Pagefile is not a memory dump

A common false start: trying to load pagefile.sys into a memory analyzer. The pagefile is on-disk swap: pages evicted from RAM, stored wherever the memory manager placed them, with no flat physical layout and no run table from which to rebuild one. It is useful — see the pagefile parser for what you can extract — but a memory analyzer will reject it. Same goes for swapfile.sys.

Rule of thumb

If you can dd it and physical offset equals file offset, ramparser can parse it. Anything structured (crash dump, hibernation, compressed) should be converted to raw first.

Further reading