How to read ram data

About RAM →

RAM stands for random access memory its a volatile memory wherein the data persists till the power supply , and when power supply go it erase everything.

Its very first and hence all the important things such as :

  • Cryptographic keys
  • passwords
  • the keystrokes
  • process info
  • network information

and much more…..

Reading RAM data : >

there are many methods to reading the ram some are convenient and some are cumbersome, some just mount the live ram unto a folder .

The method here is extracts the ram data and dumps into file , to read.

LiME or Linux Memory extractor :

LiME (or Linux Memory Extractor) is a tool that allows the capture of volatile memory (RAM) from a running Linux device.

its most suitable for forensics ,because of its lossless nature.

so starting with installing the kernel headers for installing LiME

yum install kernel-devel kernel-headers -y

Now we have to clone and build the official LiME repo using

git clone https://github.com/504ensicsLabs/LiME.git

Now to compile the source code we’ll goto LiME/src

cd LiME/src

Assuming the make-utils is already installed

In the same folder type :

make

and it start building

to verify that our data is actually store in the ram

x=5 #in python interpreter

Now we have to define a kernel object so to the format and the path where the RAM content has to be dumped

using :

insmod ./lime-4.14.198-152.320.amzn2.x86_64.ko "path=./ramdata.mem format=raw"

it will take time to dump the entire data, by default LiME append the kernel version onto the dump , we have to rename it to lime.ko.

So we have renamed th lime- .ko to lime.ko

Above we created a file called “remdata.mem” and it contains all ram data

to check the contents of the dumped ram data we type :

cat ramdata.mem | strings | grep "x=5"

where it displays

Now we can seee clearly the python data variable is stored in the ram , It proved that it existed on the ram.

Thank you for reading