The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Memory dump analysis is a crucial aspect of digital forensics, offering a snapshot of a system's volatile memory at a specific point in time. This can uncover critical evidence such as running processes, open network connections, and in-memory malware execution that disk analysis might miss. In a previous blog, we learnt how to use fmem for volatile memory acquisition. In this blog, we will explore how to create memory dumps using LiME (Linux Memory Extractor) and how to further begin with our analysis process using volatility framework in our upcoming blogs.
What is LiME?
A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
Why is Memory Dump Analysis Important?
Memory dump analysis is vital in digital forensics for several reasons:
Uncovering Hidden Data: RAM contains transient data not stored on disk, such as encryption keys and in-memory malware.
Understanding System State: Memory dumps provide a snapot of active processes, open files, and network connections.
Detecting Malicious Activity: Analysis can reveal the presence and behavior of malware that operates primarily in memory.
Installing and Setting Up LiME
To use LiME, you'll need to build it from source. Follow these steps to install and set up LiME:
Clone the LiME Repository: To clone into LiME Repository, you can use git clone:
git clone https://github.com/504ensicsLabs/LiME.git
Ensure you have the Linux kernel headers and build tools installed.
To install build essentials, you can use: sudo apt install build-essential
Now, navigate into src subdirectory under Lime directory:
cd LiME/src
Compile the LiME Module:
Now, use make to compile the LiME module:
make
Load the Module:
Use insmod to load the module into the kernel.
Specify the path and format for the memory dump:
sudo insmod lime.ko "path=/path/to/dump.mem format=raw"
LiME allows you to create memory dumps in various formats and save them either locally or over a network. Here’s how to do it:
Save to a File:
sudo insmod lime.ko "path=/path/to/dump.mem format=raw"
You can check by going to path directory, you will see a .mem file.
Save Over a Network:
sudo insmod lime.ko "path=tcp:192.168.1.2:4444 format=lime"
Replace 192.168.1.2 with the IP address of the receiving machine and 4444 with the desired port.
Analyzing Memory Dumps with Volatility Framework
Volatility is an advanced open-source memory forensics framework for incident response and malware analysis. It supports a wide range of memory dump formats and offers various plugins for analyzing different aspects of memory dumps.
Install Volatility: git clone
https://github.com/volatilityfoundation/volatility3.git
Navigate to Volatility3 directory and install required dependencies.
After installing the dependencies, you can use command python3 vol.py -followed by argument
In the below screenshot we wanted to see the help section, so we gave the -h argument.
Memory dump acquisition using LiME and analysis using Volatility Framework is a powerful technique in digital forensics, uncovering valuable insights from a system's volatile memory. By following this guide, you can effectively capture memory dumps, enhancing your digital forensics knowledge on various ways to acquire a memory dump. We will look further into volatility framework in our next blog.