Using LiME to dump RAM

Assuming that you have built LiME for the current kernel version in use by your subject system you are now ready to use it. Before using LiME you must make two choices. The first choice is the format for output and the second is a destination for the dump file, which LiME calls a path.

There are three format choices: raw, padded, and LiME. Raw format is every memory segment concatenated together. When using the raw format, areas of memory containing blocks of zeros are skipped. Padded is similar to raw, but the zeros are retained so you can know the location of memory chunks, not just their contents.

Not surprisingly, the LiME format is the recommended format. This format captures memory and stores it in structures complete with metadata. This is the format recommended by the authors of the Volatility memory analysis framework. I also recommend this format as it contains the most information for your later analysis.

LiME supports two different paths: a file or a network port. If you have connected a large capacity USB drive to the subject computer it is acceptable to store your RAM dump directly to a file on this drive. Under no circumstances should this file be saved to the subject’s hard drive! The network port path is my preferred method for extracting memory images. When using this technique a listener is set up on the subject system, and netcat is used on the forensics workstation to receive the memory dump.

The general format for running LiME is sudo insmod lime.ko "path=<path> format=<format>". This command installs (or inserts) a kernel module. For obvious reasons this command requires root privileges. Notice that I have put quotes around the parameters for LiME. This is what you need to do with most versions of Linux. If this doesn’t work for you, try removing the quotes.

To dump the RAM, copy the correct LiME module to your response drive or other media (never the subject’s hard disk!). On the subject machine execute sudo insmod lime-<kernel version>.ko "path=tcp:<port> format=lime" to set up a listener that will dump RAM to anyone that connects. Note that LiME supports other protocols such as UDP, but I recommend you stick with TCP. It isn’t a bad idea to run uname -a before installing LiME to double check that you are using the correct kernel version. The commands for installing LiME on the subject system are shown in Figure 3.13.

FIGURE 3.13

Installing LiME on the subject system. Note that uname -a has been run before installing LiME to remind the investigator which version of LiME should be used.

On the forensics workstation, running nc {subject IP} {port used by LiME} > {output file}, i.e. nc 192.168.56.101 8888 > ram.lime, will connect to the LiME listener and receive the RAM dump over the network. Once the dump has been sent LiME uninstalls the module from the subject system. The beginning of the received RAM dump is shown in Figure 3.14. Note that the file header is “EMiL” or LiME spelled backwards.

FIGURE 3.14

The RAM dump file in LiME format. Note that the header is “EMiL” or LiME spelled backwards.
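The “EMiL” header above, and the difference between the raw, padded and LiME formats, as an added Python example (not from the book or the LiME project): it walks a small constructed LiME-format dump, validates each 32-byte segment header (magic, version, start address, end address, 8 reserved bytes, which is LiME's documented on-disk layout), and shows what a raw conversion discards and a padded conversion keeps. The sample dump is constructed inline and is not a real capture.

```python
import struct

LIME_MAGIC = 0x4C694D45            # stored little-endian, so it reads as b"EMiL"
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved
HEADER_SIZE = HEADER.size          # 32 bytes per segment header


def parse_lime(data: bytes):
    """Return [(s_addr, e_addr, payload), ...] for every segment in a LiME dump.

    Each segment is a header followed by (e_addr - s_addr + 1) bytes of memory.
    Raises ValueError on a bad magic, unknown version or truncated segment.
    """
    segments, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER_SIZE:
            raise ValueError(f"truncated header at offset {off}")
        magic, version, s_addr, e_addr, _ = HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#x} at offset {off}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported LiME version {version}")
        length = e_addr - s_addr + 1
        off += HEADER_SIZE
        payload = data[off:off + length]
        if len(payload) != length:
            raise ValueError(f"segment {s_addr:#x}-{e_addr:#x} is truncated")
        segments.append((s_addr, e_addr, payload))
        off += length
    return segments


def to_raw(segments):
    """Raw format: segments concatenated; the gaps (and so the addresses) are lost."""
    return b"".join(payload for _, _, payload in segments)


def to_padded(segments):
    """Padded format: gaps filled with zeros so file offset == physical address."""
    out = bytearray()
    for s_addr, _, payload in segments:
        out.extend(b"\x00" * (s_addr - len(out)))  # zero-fill the hole before this range
        out.extend(payload)
    return bytes(out)


# Constructed sample: two tiny ranges with a hole between them (not a real capture).
SAMPLE = (
    HEADER.pack(LIME_MAGIC, LIME_VERSION, 0x1000, 0x1003, b"\x00" * 8) + b"ABCD"
    + HEADER.pack(LIME_MAGIC, LIME_VERSION, 0x2000, 0x2001, b"\x00" * 8) + b"EF"
)
```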
