Saturday, April 22, 2017

Taking a Linux RAM Image

For various purposes, such as forensic investigations and debugging of Linux systems, we need a RAM image taken from a running Linux system. While there are various ways to do this, I explored an easy and interesting way using a special Linux kernel module called LiME. I will explain the steps one by one.

(1) Download LiME

https://github.com/504ensicslabs/lime

(2) Change into the downloaded directory and compile the kernel module.

make

(3) Load the kernel module and save the RAM dump to a file in one line. The module file name carries the version of the kernel it was built for, so substitute the name your build produced.

sudo insmod lime-4.4.0-70-generic.ko "path=/home/asanka/Desktop/asanka-ram/mem.lime format=lime"

(4) If we want to take another RAM dump, we first have to unload the kernel module.

lsmod | grep lime
sudo rmmod lime

(5) Now let's capture again but this time we use the 'raw' format.

sudo insmod lime-4.4.0-70-generic.ko "path=/home/asanka/Desktop/asanka-ram/mem.raw format=raw"

(6) Analysis of the captured RAM image is a separate topic. However, we can perform some basic checks on this image as a start.

strings mem.raw | less
strings mem.raw | grep "key word"
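The two captures above differ only in their on-disk layout: 'lime' prepends a 32-byte header (magic, version, start address, inclusive end address, 8 reserved bytes) to every physical RAM range, while 'raw' simply concatenates the ranges. The following Python is an added example, not code from this post or from the LiME project: it walks a format=lime image, validates each header, reports the ranges, and rebuilds the raw and padded layouts from it. The header layout is taken from LiME's lime.h; the two-range image it runs on is constructed in the script, not a real dump.

```python
import struct

# LiME per-range header (from the project's lime.h): magic, version, start, inclusive end, 8 reserved bytes.
LIME_HDR = struct.Struct("<IIQQ8s")
LIME_MAGIC = 0x4C694D45  # reads as "EMiL" when viewed little-endian on disk
LIME_VERSION = 1

def parse_lime(data):
    """Walk a format=lime capture and return one dict per physical RAM range."""
    ranges, off = [], 0
    while off < len(data):
        if len(data) - off < LIME_HDR.size:
            raise ValueError("truncated header at offset %#x" % off)
        magic, version, s_addr, e_addr, _ = LIME_HDR.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic %#x at offset %#x" % (magic, off))
        if version != LIME_VERSION:
            raise ValueError("unsupported header version %d" % version)
        size = e_addr - s_addr + 1          # e_addr is inclusive
        off += LIME_HDR.size
        if off + size > len(data):
            raise ValueError("range %#x-%#x is truncated" % (s_addr, e_addr))
        ranges.append({"s_addr": s_addr, "e_addr": e_addr, "size": size, "offset": off})
        off += size
    return ranges

def lime_to_raw(data):
    """Rebuild what format=raw produces: the ranges concatenated, gaps dropped."""
    return b"".join(data[r["offset"]:r["offset"] + r["size"]] for r in parse_lime(data))

def lime_to_padded(data):
    """Rebuild format=padded: zero-fill from physical address 0 and across every gap."""
    out, cursor = bytearray(), 0
    for r in parse_lime(data):
        out += b"\0" * (r["s_addr"] - cursor)
        out += data[r["offset"]:r["offset"] + r["size"]]
        cursor = r["e_addr"] + 1
    return bytes(out)

def make_range(s_addr, payload):
    """Constructed fixture (not a real dump): one header followed by its bytes."""
    end = s_addr + len(payload) - 1
    return LIME_HDR.pack(LIME_MAGIC, LIME_VERSION, s_addr, end, b"\0" * 8) + payload

# Constructed two-range image: 16 bytes of 'A' at 0x1000 and 8 bytes of 'B' at 0x2000.
SAMPLE = make_range(0x1000, b"A" * 16) + make_range(0x2000, b"B" * 8)

if __name__ == "__main__":
    for r in parse_lime(SAMPLE):
        print("%#010x-%#010x %4d bytes at file offset %#x" % (r["s_addr"], r["e_addr"], r["size"], r["offset"]))
```

Point it at a real mem.lime by reading the file into bytes; a header that fails the magic check usually means the file was captured with format=raw, which has no headers to walk.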

