Reading data on RAM (in Linux)

Harshal Kondhalkar
5 min read · Sep 24, 2021


What is RAM?

Random Access Memory (RAM) is a high-speed component in devices that temporarily stores the information a device needs for its present and upcoming work. It is a type of computer memory that can be accessed randomly, meaning any byte of memory can be read without touching the preceding bytes. RAM is found in servers, PCs, tablets, smartphones, backup drives and other devices. In today’s technology, RAM takes the form of integrated circuit chips built from metal-oxide-semiconductor (MOS) memory cells.

The speed and performance of a system are directly correlated with the amount of RAM installed.

RAM stores the information a computer is actively using so that it can be accessed quickly. It allows computers to perform everyday tasks such as loading applications, browsing the internet, editing a spreadsheet, and switching quickly among all these tasks.

TYPES OF RAM

There are two main types of RAM that contrast in both performance and price range:

  • Static Random Access Memory (SRAM): a memory chip that is faster and uses less power than DRAM.
  • Dynamic Random Access Memory (DRAM): a memory chip that can hold more data than an SRAM chip but requires more power.

What does RAM contain?

  • User IDs and passwords
  • Recently opened files that have since been wiped from disk
  • Process information
  • A list of all running processes
  • Command-line information
  • Unencrypted data from an encrypted disk
  • Keystrokes
  • Network information
  • Cryptographic keys, and much more

Tools required for dumping RAM data to disk on a Linux-based OS:

  • LiME
  • Linux Memory Grabber
  • fmem

The process of reading the data on RAM is explained below:

We will use LiME (Linux Memory Extractor) to dump the RAM contents to disk, since we are using a Linux OS.

LiME is a Loadable Kernel Module (LKM) which allows volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique, as it is the first tool that allows full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

You will first need to download LiME onto the suspect machine.


Also install the kernel headers, which are needed to build the module for RAM acquisition:

yum install kernel-devel kernel-headers -y

Also make sure you install the git package. In my case it’s already installed.

yum install git

Now we clone the GitHub repo of LiME:

git clone https://github.com/504ensicsLabs/LiME.git

We can now compile the LiME source code. First, navigate to the src directory (the clone is named LiME):

cd LiME/src

“Make” is used to build executable programs and libraries from source code. More generally, make applies to any process that involves executing arbitrary commands to transform source files into a target result.

So first install make:

yum install make

Use the make command to compile the source code into a loadable kernel object file:

make

You will most probably get a compilation error at this point. To resolve it, install the packages given below:

yum groupinstall "Development tools"
yum install elfutils-libelf-devel

After installing both packages, run make again:

make

We have now compiled LiME for this specific kernel as a loadable kernel object. List the directory to see the resulting .ko file:

ls

Now we have to put some known data into RAM so that, once we dump the RAM contents, we can verify whether that data actually shows up in the dump.

I have used Python for this, and assigned 5 to the variable ‘x’:

x=5

Now we insert the kernel object, passing it the path and the format in which we want the dump saved:

insmod ./lime-4.14.198-152.320.amzn2.x86_64.ko "path=./ramdata.mem format=raw"

or

mv lime-4.14.198-152.320.amzn2.x86_64.ko lime.ko
insmod ./lime.ko "path=./ramdata.mem format=raw"

Depending on the RAM size and disk I/O speed, dumping the RAM data will take some time. You can give the output file any name; I have used “ramdata.mem”.

NOTE: When you compile LiME, the kernel version is appended to the file name. Make sure you use the full .ko file name with insmod, or rename the .ko file to “lime.ko”.
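The clone, header check, make and insmod steps above, gathered into one script. This is an added example, not code from the original post or from the LiME project. It assumes (hypothetically) that the LiME repository has already been cloned into ./LiME next to the script, that the build packages from the post are installed, and that it runs as root on the machine being imaged. The module name is derived from the running kernel release, which avoids the file-name pitfall in the note above, and the dump is hashed right after acquisition so later analysis can show it is unchanged. On a real case, point the output path at external media rather than the suspect's own disk, so the dump does not overwrite unallocated space that may still hold evidence.

```python
"""Run the LiME build-and-acquire steps from the post as one script.

Added example: not code from the original post or from the LiME project.
Assumes (hypothetically) that ./LiME has already been cloned next to this
script, that the build dependencies are installed, and that it runs as root
on the machine being imaged.
"""
import hashlib
import os
import platform
import subprocess
import sys
from pathlib import Path

LIME_SRC = Path("LiME/src")                 # directory created by `git clone .../LiME.git`
LIME_FORMATS = ("raw", "padded", "lime")    # output formats LiME's insmod accepts


def module_filename(kernel_release: str) -> str:
    """LiME's build appends the kernel release to the module name, so
    4.14.198-152.320.amzn2.x86_64 becomes lime-4.14.198-152.320.amzn2.x86_64.ko."""
    return f"lime-{kernel_release}.ko"


def headers_dir(kernel_release: str) -> Path:
    """Build tree installed by kernel-devel; make fails when it is missing."""
    return Path("/lib/modules") / kernel_release / "build"


def insmod_command(module: str, out_path: str, fmt: str = "raw") -> list:
    """insmod hands LiME its parameters as a single quoted string."""
    if fmt not in LIME_FORMATS:
        raise ValueError(f"unsupported LiME format: {fmt}")
    return ["insmod", module, f"path={out_path} format={fmt}"]


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash the image immediately after acquisition so later analysis can
    show it has not changed since it was taken."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(out_path: str, fmt: str = "raw") -> str:
    """Build the module for the running kernel, load it to write the dump,
    unload it, and return the SHA-256 of the dump."""
    release = platform.release()            # same string as `uname -r`
    if os.geteuid() != 0:
        raise PermissionError("insmod requires root")
    if not headers_dir(release).is_dir():
        raise FileNotFoundError(
            f"no kernel headers for {release}; install kernel-devel/kernel-headers")
    subprocess.run(["make"], cwd=LIME_SRC, check=True)
    module = LIME_SRC / module_filename(release)
    if not module.is_file():
        raise FileNotFoundError(f"build did not produce {module}")
    # insmod returns only once LiME has finished writing the image.
    subprocess.run(insmod_command(str(module), out_path, fmt), check=True)
    subprocess.run(["rmmod", "lime"], check=False)   # the module has done its job
    return sha256_file(out_path)


if __name__ == "__main__":
    dest = sys.argv[1] if len(sys.argv) > 1 else "./ramdata.mem"
    print(f"SHA-256({dest}) = {acquire(dest)}")
```

Run it as root with the destination path as the only argument; the helper functions (module name, header directory, insmod argument list, hashing) have no side effects and can be reused in other tooling.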

At this point we have created a “ramdata.mem” file containing all of the RAM data at that moment, and we can verify whether the variable x we created is present in the dump.

Use this command to check whether the variable’s value resides in RAM:

cat ramdata.mem | strings | grep "x=5"

We cat ramdata.mem and pipe it to strings because the dump is raw binary: strings extracts only the runs of printable characters from it, and we can then grep those for the assignment.
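What that strings | grep pipeline does, written out in Python as an added example (not code from the original post). It extracts printable runs from a raw image the way strings does, reports the byte offset of each hit so it can be examined in a hex viewer, and hashes the image first. The image here is a constructed byte string standing in for ramdata.mem; with a real dump, call scan_file with its path. It also shows a caveat the post does not mention: strings only keeps runs of at least four characters by default, so a bare "x=5" surrounded by non-printable bytes would be dropped unless the minimum length is lowered.

```python
"""Find a known marker in a raw memory image, strings-and-grep style.

Added example, not from the original post. SAMPLE_IMAGE below is constructed
for the demonstration; scan_file() works on a real dump such as ramdata.mem.
"""
import hashlib
import re
from typing import Iterator, List, Tuple

MIN_LEN = 4   # default minimum run length used by the `strings` tool

# Constructed stand-in for a few bytes of a memory image: binary noise with
# the interactive Python input line ">>> x=5", a bare "x=5", and other text.
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16          # offsets 0-23
    + b"PATH=/usr/bin\x00" + b"\x89\xab\xcd\xef"         # 24-41
    + b">>> x=5\x00" + b"\xff" * 8                       # 42-57
    + b"x=5\n" + b"\x00\x00short\x00"                    # 58-69
)


def printable_runs(data: bytes, min_len: int = MIN_LEN) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, run) for every run of at least min_len printable ASCII
    bytes; this is what `strings` extracts from the binary image."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group()


def find_marker(data: bytes, marker: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, bytes]]:
    """Runs containing the marker, like `strings | grep`, but each hit carries
    the offset of the marker itself inside the image."""
    hits = []
    for offset, run in printable_runs(data, min_len):
        idx = run.find(marker)
        if idx != -1:
            hits.append((offset + idx, run))
    return hits


def image_sha256(data: bytes) -> str:
    """Hash of the image, recorded before any searching is done."""
    return hashlib.sha256(data).hexdigest()


def scan_file(path: str, marker: bytes, min_len: int = MIN_LEN):
    """Hash a dump file and search it; returns (sha256, hits)."""
    with open(path, "rb") as f:
        data = f.read()        # fine for a demo; use mmap for multi-GB images
    return image_sha256(data), find_marker(data, marker, min_len)


if __name__ == "__main__":
    print("sha256:", image_sha256(SAMPLE_IMAGE))
    for offset, run in find_marker(SAMPLE_IMAGE, b"x=5"):
        print(f"0x{offset:08x}: {run!r}")
    # With the default minimum length only the ">>> x=5" run is reported;
    # lowering it to 3 also surfaces the bare "x=5" at offset 58.
    for offset, run in find_marker(SAMPLE_IMAGE, b"x=5", min_len=3):
        print(f"0x{offset:08x}: {run!r}")
```

On the constructed image the default scan reports one hit, the prompt line at offset 46; only with min_len=3 does the bare "x=5" at offset 58 appear, which is why a short marker can be missed by the plain pipeline even though it is in RAM.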

This is one of the ways to read the data in RAM.

Thank you!
