Gather a Memory Image of the System
With the process still running, you will now take a snapshot of RAM for memory forensics purposes.
- Clone the LiME repo on the machine running the ML Process.
$ git clone https://github.com/504ensicsLabs/LiME
- Enter the src directory and compile LiME.
Note: Since you are already on the target machine, LiME will detect the system's OS kernel and build accordingly. In a real-world scenario, you might not have access to the target machine, and even if you do, compilation will perturb the state of volatile memory. It is strongly recommended to compile tools on a separate machine that is not part of the analysis, and then transfer the binaries onto the target for execution.
/LiME/src$ make
- Make an images/ directory in the LiME repo. Load the compiled kernel object file into memory.
Note: Use the .lime memory dump format, as recommended in The Art of Memory Forensics [2] and other sources.
/LiME/src$ insmod lime-5.19.0-38-generic.ko "path=../images/memdump.lime format=lime"
You will see memdump.lime show up in the /LiME/images directory with a size equal to the system's RAM capacity (check using the command ls -lh). You have now acquired the memory image.
Note: You will have to remove and insert the kernel module every time you want to take a memory image. You can list kernel modules with lsmod and remove them with rmmod.
/LiME/src$ lsmod | grep lime
lime 16384 0
/LiME/src$ sudo rmmod lime
- It is good practice to store a copy of the base image and its hash value. This allows you to verify the integrity of the file (i.e. whether or not the working copy has changed).
$ md5sum memdump.lime
15507ec2ecf191abfa847da8f0b5e566
$ sha256sum memdump.lime
86061f7a1b799d2b56b8508e11ad94d0c1851b79bdc7cc5887c4697de28ef615
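The .lime format requested in the dump step is a sequence of segments, each a 32-byte little-endian header (magic 0x4C694D45, version 1, start and end physical address, 8 reserved bytes) followed by the raw bytes of that physical range. As an added example that is not part of the original tutorial, the Python below walks those headers on an acquired image without loading the whole file into memory and rejects a bad magic or a truncated segment, which is the kind of damage the hash comparison in the last step exists to reveal; the sample image it parses is constructed inline.

```python
import hashlib
import io
import struct

# LiME segment header, per the LiME source: magic (u32) = 0x4C694D45,
# version (u32) = 1, s_addr (u64), e_addr (u64), 8 reserved bytes. 32 bytes total.
LIME_MAGIC = 0x4C694D45
HEADER = struct.Struct("<IIQQ8s")


def parse_lime(fp):
    """Walk every segment header in a .lime image via seek(), so a RAM-sized
    dump is never read whole. Returns [(start, end, size), ...] or raises
    ValueError on a corrupt header or a segment that runs past end of file."""
    fp.seek(0, io.SEEK_END)
    total = fp.tell()
    fp.seek(0)
    segments = []
    while fp.tell() < total:
        off = fp.tell()
        hdr = fp.read(HEADER.size)
        if len(hdr) < HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        magic, version, s_addr, e_addr, _ = HEADER.unpack(hdr)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic 0x{magic:08x} at offset {off}")
        if version != 1:
            raise ValueError(f"unsupported LiME version {version}")
        size = e_addr - s_addr + 1  # e_addr is inclusive
        if off + HEADER.size + size > total:
            raise ValueError(f"segment {s_addr:#x}-{e_addr:#x} runs past end of file")
        segments.append((s_addr, e_addr, size))
        fp.seek(size, io.SEEK_CUR)  # skip the payload, next header follows
    return segments


def parse_lime_bytes(data: bytes):
    return parse_lime(io.BytesIO(data))


def make_segment(s_addr: int, payload: bytes) -> bytes:
    """Build one segment (header + payload) as LiME lays it out; used only to
    construct the offline sample image below."""
    return HEADER.pack(LIME_MAGIC, 1, s_addr, s_addr + len(payload) - 1, b"\0" * 8) + payload


def sha256_hex(data: bytes) -> str:
    """Same digest the sha256sum step records for the base image."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: two physical ranges, as a real dump has one per System RAM region.
SAMPLE_IMAGE = make_segment(0x1000, b"A" * 64) + make_segment(0x100000, b"B" * 128)

if __name__ == "__main__":
    for start, end, size in parse_lime_bytes(SAMPLE_IMAGE):
        print(f"segment {start:#x}-{end:#x} ({size} bytes)")
    print("sha256", sha256_hex(SAMPLE_IMAGE))
```

On a real dump, open memdump.lime with open(path, "rb") and pass the file object to parse_lime; the segment list should match the System RAM ranges in /proc/iomem on the acquired machine.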