How to Gather RAM data?
What is RAM?
RAM is a form of computer memory that can be read and changed in any order, typically used to store working data and machine code. It is volatile: its contents exist only while the system is powered, and it holds the inputs and data accumulated since the system booted.
Why Gather RAM data?
Volatile memory contains system artifacts that are lost when the device is restarted or shut down. The following artifacts can be expected from the volatile memory acquisition process:
- System processes
- Running services
- Clipboard information
- Browsing sessions (including incognito sessions)
- Accessed files and multimedia
- Chat and running-application data
- User IDs and passwords
- Unsaved files
The steps for acquisition are as follows:
- Determine the state of the machine
- Identify the operating system
- Check for authentic device access
- Insert acquisition media
- Perform Volatile Memory Dump
- Collect SWAP, PAGEFILE.sys and system protected files
- Hash and verify the acquired files
- Create copies
On a Linux system, RAM can be acquired with LiME (Linux Memory Extractor) as follows:
LiME is a Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimises its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
1. Install the kernel-devel, kernel-headers, git, make and elfutils-libelf-devel packages, plus the "Development tools" group, with yum:
>_ yum install kernel-devel kernel-headers git make elfutils-libelf-devel -y
>_ yum groupinstall "Development tools"
2. Clone the LiME repository from GitHub:
>_ git clone https://github.com/504ensicsLabs/LiME.git
After cloning the repository, change into the src folder of LiME:
>_ cd LiME/src
3. Now compile LiME as a loadable kernel object for the running kernel with the make command.
4. Run Python and store a test value in memory (the walkthrough uses x=5), so that the acquisition can be verified against it:
5. Now insert the kernel object with insmod, passing the output path and the format (raw) in which the image is saved:
>_ insmod lime-4.18.0-305.el8.x86_64.ko "path=/root/my_test/LiME/src/ram.mem format=raw"
6. Type the command below to check whether the stored value is present in the RAM image:
>_ cat ram.mem | strings | grep "x=5"
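As an added example (not part of the original walkthrough or of LiME itself), the checks behind step 6 and the "hash and verify" and "create copies" steps in Python: a chunked `strings`-style scan of the raw image to confirm the planted value landed in the dump, and a SHA-256 of the image that every working copy is verified against. The image bytes, the temporary file name and the `x=5 verified` marker are constructed for the demo.

```python
import hashlib, os, re, tempfile

# Constructed stand-in for a raw LiME dump (format=raw): binary noise around two
# printable runs, one holding the value planted in step 4 and grepped for in step 6.
SAMPLE_IMAGE = (b"\x00\x7f\x02" * 16 + b"x=5 verified\x00" + b"\xff\x10" * 8
                + b"/root/my_test/LiME/src/ram.mem\x00" + b"\x03\x04ab\x00" * 4)

def extract_strings(image_path, min_len=4, chunk_size=1 << 20):
    """Yield printable ASCII runs (>= min_len bytes) like `strings`, reading in chunks so a
    multi-GB dump is never loaded whole; each chunk's printable tail is carried forward."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    carry = b""
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            data = carry + chunk
            for m in run.finditer(data):
                if m.end() == len(data):   # run touches chunk end: may continue
                    break
                yield m.group().decode("ascii")
            carry = re.search(rb"[\x20-\x7e]*\Z", data).group()  # \Z: true end only
    if len(carry) >= min_len:
        yield carry.decode("ascii")

def contains_value(image_path, needle, chunk_size=1 << 20):
    """Step 6: confirm the planted value made it into the acquired image."""
    return any(needle in s for s in extract_strings(image_path, chunk_size=chunk_size))

def sha256_file(path):
    """Hash the dump in chunks; this digest is what gets recorded beside the image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def verify_copy(path, expected_digest):
    """A working copy is only trustworthy if it still matches the recorded hash."""
    return sha256_file(path) == expected_digest

def demo(image_bytes=SAMPLE_IMAGE, chunk_size=16):
    """Exercise the checks on the constructed image (tiny chunks force the split-run
    path). Returns (value_found, copy_ok, copy_ok_after_one_byte_changed)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ram.mem")
        with open(path, "wb") as f:
            f.write(image_bytes)
        digest = sha256_file(path)          # what would be written to ram.mem.sha256
        found, ok = contains_value(path, "x=5", chunk_size), verify_copy(path, digest)
        with open(path, "r+b") as f:        # simulate a damaged or tampered copy
            f.write(b"\x01")
        return found, ok, verify_copy(path, digest)
```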
Just like LiME on Linux, there are tools such as FTK Imager for acquiring memory on Windows.