For various purposes such as forensic investigations and debugging of Linux systems, we need a RAM image taken from a running Linux system. While there are various ways to do it, I explored an easy and interesting way using a loadable kernel module for Linux called LiME (Linux Memory Extractor). I will explain the steps one by one.
(1) Download LiME
https://github.com/504ensicslabs/lime
(2) Go into the downloaded directory (the Makefile is in src/) and compile the kernel module. This builds against the headers of the running kernel, so the matching linux-headers package must be installed.
make
(3) Load the kernel module and save the RAM dump to a file in one line. The module file is named after the kernel it was built for (lime-$(uname -r).ko), so the 4.4.0-70-generic below is specific to this machine. Where possible, write the image to external or network storage: writing it to the target's own disk overwrites unallocated space that may itself be evidence.
sudo insmod lime-4.4.0-70-generic.ko "path=/home/asanka/Desktop/asanka-ram/mem.lime format=lime"
(4) If we want to take another RAM dump, first we have to unload the kernel module (rmmod needs root, like insmod).
lsmod | grep lime
sudo rmmod lime
(5) Now let's capture again, but this time in the 'raw' format, which writes the physical memory ranges back to back with no headers. The 'lime' format used above prefixes each range with a small header carrying its physical address range, which is what memory analysis tools use to map the image.
sudo insmod lime-4.4.0-70-generic.ko "path=/home/asanka/Desktop/asanka-ram/mem.raw format=raw"
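Steps (2) to (5) wrapped in a small POSIX shell script, as an added example (this is not code from the post or from the LiME project). It assumes the LiME checkout lives at $HOME/lime (override with LIME_SRC), that the image goes to an external volume mounted at /mnt/evidence, and that insmod and rmmod are run through sudo as above. Besides the post's two formats it also accepts 'padded', the third format LiME documents.

```shell
#!/bin/sh
# Added example: check the build, load LiME, unload it again and hash the
# capture. Not from the original post or the LiME project.
# Assumptions: LiME checkout at $HOME/lime (src/ holds the Makefile and the
# built .ko); output goes to an external volume mounted at /mnt/evidence.
set -u

LIME_SRC="${LIME_SRC:-${HOME:-/root}/lime/src}"

# `make` names the module after the running kernel, so a module built on
# one machine will not load on a different kernel.
lime_module_name() {
    printf 'lime-%s.ko\n' "$(uname -r)"
}

# Build the parameter string that insmod hands to the module. Reject
# anything other than the three formats LiME documents instead of letting
# the module fail after it has already been loaded.
lime_params() {
    _path=$1
    _fmt=$2
    case "$_fmt" in
        raw|padded|lime) ;;
        *) printf 'unsupported format: %s\n' "$_fmt" >&2; return 1 ;;
    esac
    printf 'path=%s format=%s\n' "$_path" "$_fmt"
}

# True when the module is loaded. Anchored match on /proc/modules, so a
# module whose name merely contains "lime" does not count.
lime_loaded() {
    grep -q '^lime ' /proc/modules 2>/dev/null
}

# Hex SHA-256 of an image; recorded next to the image so that a later
# analyst can show the file has not changed since acquisition.
hash_image() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Steps (3) and (4) with the checks a practitioner wants: module built for
# this kernel, no stale instance left from an earlier capture, output
# directory present, and the module unloaded once the dump is written.
capture_ram() {
    _out=$1
    _fmt=$2
    _mod="$LIME_SRC/$(lime_module_name)"
    if [ ! -f "$_mod" ]; then
        printf 'module not built for this kernel: %s (run make in %s)\n' "$_mod" "$LIME_SRC" >&2
        return 1
    fi
    if lime_loaded; then
        printf 'lime is still loaded from an earlier capture; run: sudo rmmod lime\n' >&2
        return 1
    fi
    if [ ! -d "$(dirname "$_out")" ]; then
        printf 'output directory missing: %s\n' "$(dirname "$_out")" >&2
        return 1
    fi
    _params=$(lime_params "$_out" "$_fmt") || return 1
    sudo insmod "$_mod" "$_params" || return 1
    sudo rmmod lime || return 1
    hash_image "$_out" > "$_out.sha256"
    printf 'wrote %s (sha256 %s)\n' "$_out" "$(cat "$_out.sha256")"
}

# Only run the capture when explicitly asked, so the functions can also be
# sourced and used one at a time.
if [ "${LIME_CAPTURE:-0}" = 1 ]; then
    capture_ram /mnt/evidence/mem.lime lime
fi
```

Run it as LIME_CAPTURE=1 sh lime-capture.sh on the target; the .sha256 file written beside the image is what you compare against before trusting any later analysis of it.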
(6) Analysis of the captured RAM image is a separate topic. However, we can do the most basic things with this RAM image as a start, such as pulling out the printable strings and searching them for a keyword.
strings mem.raw | less
strings mem.raw | grep "key word"