Building LiME
The Linux Memory Extractor (LiME) is the tool of choice for extracting memory on Linux systems for a couple of reasons. First, it is very easy to use. Second, and more importantly, it stores the capture in a format that is easily read by the Volatility memory analysis framework.
As with fmem, LiME must be built from source. LiME should be built for the exact kernel version of the subject system, but never on the subject system. If your forensics workstation just happens to be the identical version of Ubuntu used by the subject, the command sudo apt-get install lime-forensics-dkms will download and build LiME for you.
For every other situation you must download LiME from https://github.com/504ensicsLabs/LiME using the command git clone https://github.com/504ensicsLabs/LiME and compile it with the correct kernel headers. If your workstation and the subject have the exact same kernel, LiME is built by simply changing to the directory where LiME resides and running make with no parameters. The complete set of commands to download and build LiME for the current kernel are shown in Figure 3.11. Notice that everything fits on a single screen even with my fat-fingering a few commands (running make before changing to the src directory, etc.). Also notice the last line moves (renames) the lime.ko file to lime-
FIGURE 3.11
Downloading and building LiME for the current kernel. Note that the module file is automatically renamed to lime-
If the kernel versions differ, the correct command to build LiME for the subject is make
-C /lib/modules/
FIGURE 3.12
Building LiME for other than the current kernel. It is recommended that the lime.ko file be renamed to something more descriptive after it is created.