How to read data stored in RAM

Prasad Pokale
Sep 27, 2021

LiME (Linux Memory Extractor)

LiME is a Loadable Kernel Module (LKM) that allows volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique, as it is the first tool that allows full memory captures on Android devices. It also minimizes interaction between user-space and kernel-space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

Steps to follow

# yum install kernel-devel kernel-headers -y

Install git and clone the LiME GitHub repo

# yum install git

# git clone https://github.com/504ensicsLabs/LiME.git

Now navigate to the src directory of LiME.

Here we compile LiME against the specific kernel, producing a loadable kernel object.

Open Python 3 and store some value in a variable.

# insmod ./lime-4.18.0-305.el8.x86_64.ko "path=./ramdata.mem format=raw"

The insmod command inserts the kernel object, which dumps the RAM data to the path we specified. There are different formats for the memory file; here I am using the raw format.

A ramdata.mem file is created that contains all the RAM data at that point in time. Now we can verify whether the Python variable we created earlier resides in RAM or not.

# cat ramdata.mem | strings | grep "x=5"

Here we clearly see x=5.
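
The same check as an added Python example (not code from the original post): it hashes the dump so the capture can be verified later and reports the byte offset of every match, including UTF-16LE strings, which GNU strings skips unless given -e l. The function names and the small constructed sample file are assumptions for illustration; on a real capture, pass the path to ramdata.mem.

```python
import hashlib
import os
import tempfile

def scan_image(path, needle, chunk_size=1 << 20):
    """Hash a raw memory image and list byte offsets where needle occurs.

    The needle is searched as UTF-8 and as UTF-16LE, reading the file in
    chunks because RAM images are usually several GiB in size.
    """
    if not needle:
        raise ValueError("needle must not be empty")
    patterns = {needle.encode("utf-8"), needle.encode("utf-16-le")}
    keep = max(len(p) for p in patterns) - 1  # tail kept to catch hits split across chunks
    digest, offsets = hashlib.sha256(), set()
    tail, base = b"", 0  # base = file offset of the first byte of the search window
    with open(path, "rb") as fh:
        while block := fh.read(chunk_size):
            digest.update(block)
            window = tail + block
            for pat in patterns:
                pos = window.find(pat)
                while pos != -1:
                    offsets.add(base + pos)  # set removes hits seen twice in the overlap
                    pos = window.find(pat, pos + 1)
            tail = window[-keep:]
            base += len(window) - len(tail)
    return digest.hexdigest(), sorted(offsets)

def make_constructed_image(path):
    """Write a small constructed stand-in for ramdata.mem (not a real capture)."""
    data = bytearray(64)
    data[6:9] = b"x=5"                       # ASCII hit, split across 8-byte chunks
    data[40:46] = "x=5".encode("utf-16-le")  # UTF-16LE hit
    with open(path, "wb") as fh:
        fh.write(data)
    return bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "ramdata.mem")
        make_constructed_image(image)
        sha256, hits = scan_image(image, "x=5", chunk_size=8)
        print("sha256:", sha256)
        print("offsets:", [hex(o) for o in hits])
```

Record the SHA-256 alongside the capture time so any later copy of the image can be checked against it.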

Thanks for reading!!
