How to Gather RAM data?

What is RAM?

RAM is a form of computer memory that can be read and changed in any order, typically used to store working data and machine code. It is volatile in nature and holds all inputs and data from the moment the system boots up.

Why Gather RAM data?

Volatile memory contains system artifacts that are lost when the device is restarted or shut down. The following artifacts can be expected from the volatile memory acquisition process:

  1. System processes
  2. Running services
  3. Clipboard information
  4. Browsing sessions (including incognito sessions)
  5. Passwords
  6. Accessed files and multimedia
  7. Chats / data stored by running applications
  8. User IDs and passwords
  9. Unsaved files

The steps for acquisition are as follows:

  1. Determine the state of the machine
  2. Identify the operating system
  3. Check for authentic device access
  4. Insert acquisition media
  5. Perform Volatile Memory Dump
  6. Collect SWAP, PAGEFILE.sys and system protected files
  7. Hash and verify the acquired files
  8. Create copies

LiME is a Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimises its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

Git Repo
1. Install the kernel-devel, kernel-headers, git, make and elfutils-libelf-devel packages, plus the "Development tools" group, with yum:

>_ yum install kernel-devel kernel-headers git make elfutils-libelf-devel -y

>_ yum groupinstall "Development tools"

2. Clone the LiME repo from GitHub:

>_ git clone https://github.com/504ensicsLabs/LiME.git

After cloning the LiME repo, change into its src folder:

>_ cd LiME/src

3. Now compile LiME as a loadable kernel object for the running kernel with make:

>_ make

4. Run a Python script that stores a known value in RAM, so the acquisition can later be verified against it.

5. Now insert the kernel object with insmod, passing the output path and the format (raw) in which the image is saved:

>_ insmod lime-4.18.0-305.el8.x86_64.ko "path=/root/my_test/LiME/src/ram.mem format=raw"

Depending on the RAM size and disk I/O speed, dumping the RAM contents will take some time.

6. Run the command below to check whether the variable's value is present in the dump:

>_ strings ram.mem | grep "x=5"
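Steps 4, 6 and 7 together, as an added example that is not part of the original post or of LiME itself: plant a known marker in memory, find every offset of it in a raw image (including a hit that straddles a read-chunk boundary, which a naive per-chunk search misses), and hash the image for later verification of copies. The "x=5" canary is assumed from step 6, and the dump scanned here is a small constructed file standing in for ram.mem.

```python
import hashlib
import os
import tempfile
MARKER = b"x=5"  # hypothetical canary, the same string the grep in step 6 looks for

def plant_marker(marker: bytes = MARKER) -> bytearray:
    """Step 4: keep a known value resident in this process until insmod finishes."""
    return bytearray(marker)

def find_marker(path: str, marker: bytes, chunk_size: int = 1 << 20) -> list:
    """Every byte offset of `marker` in a raw image, read in chunks; a len(marker)-1
    byte tail is carried over so a hit straddling a chunk boundary is still found."""
    offsets, tail, base = [], b"", 0
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            buf, start = tail + chunk, 0
            while (i := buf.find(marker, start)) != -1:
                offsets.append(base - len(tail) + i)
                start = i + 1
            tail = buf[-(len(marker) - 1):] if len(marker) > 1 else b""
            base += len(chunk)
    return offsets

def sha256_file(path: str) -> str:
    """Step 7: hash the image so each copy can be verified against the original."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def build_sample_dump(path: str, marker: bytes, chunk_size: int) -> list:
    """Constructed stand-in for ram.mem: zero filler with the marker planted
    once mid-chunk and once starting one byte before a chunk boundary."""
    image = bytearray(3 * chunk_size)
    planted = [chunk_size // 2, chunk_size - 1]
    for off in planted:
        image[off:off + len(marker)] = marker
    with open(path, "wb") as f:
        f.write(image)
    return planted

def roundtrip(chunk_size: int = 4096, marker: bytes = MARKER) -> dict:
    """Plant, dump (constructed here), then search and hash the image."""
    held = plant_marker(marker)  # on a live box, insmod would run at this point
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ram.mem")
        planted = build_sample_dump(path, marker, chunk_size)
        return {"planted": planted, "found": find_marker(path, marker, chunk_size),
                "sha256": sha256_file(path), "held": bytes(held)}
```

On a real acquisition, point find_marker and sha256_file at the ram.mem written by insmod and record the digest alongside the image before making copies.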

Just as LiME serves Linux-based systems, FTK Imager is a comparable tool for Windows.

Suhag Swain