How to read RAM in Linux ?
What is RAM and What data it contains?
Random-access memory (RAM) is a computer’s short-term memory. None of your programs, files, or Netflix streams would work without RAM, which is your computer’s working space.
RAM is short for “random access memory” and while it might sound mysterious, RAM is one of the most fundamental elements of computing. RAM is the super-fast and temporary data storage space that a computer needs to access right now or in the next few moments.
Here the list of what Data does Ram contains?
- list of all running processes
- process information
- command-line information
- username passwords
- Unencrypted data from an encrypted disk
- Recently opened file which has been wiped from disk
- keystrokes
- network information
- crypto keys and ton lot of more data.
So then How to read ram Data?
There are a hell lot of ways to read ram data each has its own use case. One such Method is in which we will dump the whole ram data on disk and then we will ram read data from it. To do this we require a tool in Linux based OS called LiMe.
We will use LiMe (Linux Memory Extractor) to dump ram data on the disk.
LiME ~ Linux Memory Extractor
A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
We can simply download the source code from Github repo and compile it to binary files with make.
Note that I will be compiling the source code on the same machine where I want to read ram but in the real world, specifically on the crime scene where you want to do ram acquisition of criminals machine you should not compile the source code on criminals machine because if you do ram data might be overridden and you may lose critical data for proof.
We will also need to install kernel headers to do ram acquisition.
[root@localhost ~]# yum install kernel-devel kernel-headers -y
Now we have to clone the GitHub repo of LiME.
[root@localhost ~]# git clone https://github.com/504ensicsLabs/LiME.git
Now we can compile the source code of LiME… first, we need to navigate to the src directory.
[root@localhost ~]# cd LiME/src
Now we can simply type the “make” command it will compile the source code and give us a loadable kernel object file.
Source code has been compiled and we get a .ko extension file that is the nothing but a kernel object now we need to insert or load this kernel object but first let generate some data in ram so once we dump ram data we can verify it.
We can start Python REPL and can create a list variable, because every book, teachers, article says that variable resides in RAM but no one show today we will verify if that’s true.
I am creating a list with my name in python REPL.
Now let insert or load the kernel object…
[root@localhost ~]# insmod ./lime-4.18.0-80.el8.x86_64.ko "path=./ramdata.mem format=raw"insmod command will insert the kernel object and it will dump the ram data at the path we specified and there are different formats for memory file I am here using the raw format.
Depending on the ram size and disk I/O speed it will take time to dump ram data.
In the above image a ramdata.mem file is created that contain all the ram data at that point in time now we can verify it that the python variable we created earlier resides in ram or not.
[root@localhost ~]# cat ramdata.mem | strings | grep "x"we can cat the ramdata.mem and pipe it to strings because ram contains data in binary or other encodings so strings will convert it into a string and then we can grep with the variable name.
You see that we verified that the variable we created earlier present in RAM.
