Reading Ram Using Linux
RAM: Random-access memory (RAM) is a computer’s short-term memory. None of your programs, files, or Netflix streams would work without RAM, which is your computer’s working space.
RAM is short for “random access memory”, and while it might sound mysterious, RAM is one of the most fundamental elements of computing. RAM is the super-fast, temporary data storage space holding what a computer needs to access right now or in the next few moments.
Mark my words: RAM holds the most valuable data of your operating system, much of which may never be written to the hard disk at all.
Here is a list of the kinds of data RAM contains:
- list of all running processes
- process information
- command-line information
- usernames and passwords
- unencrypted data from an encrypted disk
- recently opened files that have since been wiped from disk
- network information
- cryptographic keys, and a lot more.
So how do we read RAM data?
There are many ways to read RAM data, each with its own use case. I will explain one of them.
In this method we dump the whole contents of RAM to disk and then read the data from that dump. I will show this on a Linux-based OS, but RAM can be read from Windows or macOS in a similar way; I will point to the tools required for other operating systems.
To know which tools can be used for dumping RAM data, you can check this blog:
Top memory dump tools for digital forensics
LiME ~ Linux Memory Extractor
A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
This is the GitHub repo link for LiME:
GitHub - 504ensicsLabs/LiME: LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows…
Install the kernel headers needed to build the acquisition module:
yum install kernel-devel kernel-headers -y
Also install git:
yum install git
Now clone the LiME GitHub repo:
git clone https://github.com/504ensicsLabs/LiME.git
Now we can compile the LiME source code. First, navigate to the src directory of the cloned repo.
“Make” is typically used to build executable programs and libraries from source code. More generally, make is applicable to any process that involves executing arbitrary commands to transform a source file into a target result.
Install make first
yum install make
If, after installing make, running the make command fails with errors about missing build tools or headers, make sure you install:
yum groupinstall "Development tools"
yum install elfutils-libelf-devel
After running these commands, run make again.
Before dumping, we first need to plant some known data in RAM so that we can verify the dump afterwards: for example, start a Python interpreter, set a variable such as x=5, and leave the interpreter running.
Now let’s insert the kernel object, passing the path where the dump should be written and the format in which we want to save the image:
insmod ./lime-4.14.198-152.320.amzn2.x86_64.ko "path=./ramdata.mem format=raw"
Depending on the RAM size and disk I/O speed, dumping the RAM data will take some time. You can give the output file any name; here I used “ramdata.mem”.
NOTE: When you compile LiME, the kernel version is appended to the module file name. Make sure you use the full .ko file name with insmod, or rename the .ko file to “lime.ko”.
The command above created a “ramdata.mem” file containing all RAM data at that point in time. Now we can verify it by looking for the Python variable we created earlier.
Type this command to check whether the variable’s value resides in RAM:
cat ramdata.mem | strings | grep "x=5"
We cat ramdata.mem and pipe it to strings because RAM holds binary data in various encodings; strings extracts the printable text, which we can then grep for the variable name.
Now that we have verified that the variable and its value are stored in RAM, we can use other tools to do further analysis on the dump: CPU cache details, every network connection, socket information, website data, caches, tokens, passwords, usernames, encrypted disk data and a lot of other things.
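As an added example (not code from this post or from the LiME project), the script below reads a dump written with LiME’s own format=lime option instead of format=raw and reports the physical address at which a marker such as the x=5 line was found, doing in Python what the strings and grep pipeline above does for a raw image. The per-range header layout is my reading of LiME’s lime.h and is an assumption here, as is the constructed sample dump.

```python
import struct

# Per-range header of LiME's own "format=lime" output, taken from the LiME source
# (lime.h; an assumption of this example, not stated in the post): little-endian
# magic, version, start address, inclusive end address, 8 reserved bytes.
LIME_MAGIC = 0x4C694D45
LIME_HEADER = struct.Struct("<IIQQ8s")

def parse_lime(image: bytes):
    """Yield (start_addr, end_addr, data) for each memory range in the dump."""
    off = 0
    while off < len(image):
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(image, off)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError(f"bad LiME header at offset {off:#x}")
        size = e_addr - s_addr + 1                 # e_addr is inclusive
        off += LIME_HEADER.size
        data = image[off:off + size]
        if len(data) != size:
            raise ValueError(f"truncated range starting at {s_addr:#x}")
        yield s_addr, e_addr, data
        off += size

def find_marker(image: bytes, marker: bytes):
    """Return [(physical_addr, printable_run)] per hit; the run is what `strings` would show."""
    hits = []
    for s_addr, _, data in parse_lime(image):
        idx = data.find(marker)
        while idx != -1:
            lo, hi = idx, idx + len(marker)
            while lo > 0 and 0x20 <= data[lo - 1] < 0x7F:
                lo -= 1
            while hi < len(data) and 0x20 <= data[hi] < 0x7F:
                hi += 1
            hits.append((s_addr + idx, data[lo:hi].decode("ascii")))
            idx = data.find(marker, idx + 1)
    return hits

def make_range(s_addr: int, data: bytes) -> bytes:
    """Constructed helper: wrap data in a LiME range header to build a sample dump."""
    end = s_addr + len(data) - 1
    return LIME_HEADER.pack(LIME_MAGIC, 1, s_addr, end, b"\0" * 8) + data

# Constructed sample dump: two RAM ranges, the second holding the interpreter line.
SAMPLE_DUMP = make_range(0x1000, b"\0" * 64) + make_range(0x100000, b"\0>>> x=5\0\xff")

if __name__ == "__main__":
    for addr, text in find_marker(SAMPLE_DUMP, b"x=5"):
        print(f"{addr:#x}: {text}")                # 0x100005: >>> x=5
```

On a real dump, replace SAMPLE_DUMP with the bytes of the file passed as path= to insmod; a physical address is more useful than a bare grep hit because it tells you which memory range held the data.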
This was one of the interesting blogs;
I hope you liked it!