
How to Acquire Linux Volatile Memory with LiME

LiME ~ Linux Memory Extractor

From 504ensicsLabs's github
"A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition."


LiME Features

  • Full Android memory acquisition
  • Acquisition over network interface
  • Minimal process footprint
  • Hash of dumped memory

LiME Usage

sudo insmod ./lime.ko "path=<outfile | tcp:<port>> format=<raw|padded|lime> [digest=<digest>] [dio=<0|1>]"

path (required):     outfile ~ name of file to write to on local system (SD Card)
                     tcp:port ~ network port to communicate over
        
format (required):   padded ~ pads all non-System RAM ranges with 0s
                     lime ~ each range prepended with fixed-size header containing address space info
                     raw ~ concatenates all System RAM ranges (warning : original position of dumped memory is likely to be lost)

digest (optional):   Hash the RAM and provide a .digest file with the sum.
                     Supports kernel version 2.6.11 and up. See below for
                     available digest options.

compress (optional): 1 ~ compress output with zlib
                     0 ~ do not compress (default)

dio (optional):      1 ~ attempt to enable Direct IO
                     0 ~ do not attempt Direct IO (default)
        
localhostonly (optional):  1 ~ restricts the tcp to only listen on localhost,
                           0 ~ binds on all interfaces (default)

timeout (optional): 1000 ~ maximum number of milliseconds tolerated to read one page (default).
                           If reading a page exceeds the timeout, the whole memory region is skipped.
                       0 ~ disable the timeout so that slow regions are still acquired.

                           This feature is only available on kernel versions >= 2.6.35.

How to Use LiME

This is an example of how to use LiME for volatile memory acquisition on Ubuntu. The commands below write the dump to the target's own disk for simplicity; on a real acquisition write to external media or send it over the network (path=tcp:<port>) so the dump does not overwrite unallocated space on the evidence disk.
  1. Install the prerequisites:
     $ sudo apt update
     $ sudo apt install git make gcc

  2. Build LiME and load the module:
     $ cd /tmp
     $ git clone https://github.com/504ensicsLabs/LiME.git
     $ cd LiME/src
     $ sudo make
     $ sudo insmod ./lime-5.4.0-48-generic.ko "path=/home/latihan/Desktop/memdump.mem format=lime"


    [Figure: Building LiME]

    [Figure: LiME acquisition process]

    Pay attention to the line "mv lime.ko lime-5.4.0-48-generic.ko" in the make output: LiME's Makefile renames the built module with the version string of the running kernel (uname -r), so the file name given to "sudo insmod" must match exactly. In this case the module name is "lime-5.4.0-48-generic.ko"; on another machine it will carry that machine's kernel version.
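The whole procedure above (install, build, load with the kernel-matched module name, then verify the dump against the hash LiME writes) as one script. This is an added example, not code from the LiME project or from the original post; the function names, the work directory /tmp/LiME, and the assumption that the digest file contains the hex hash are mine, and the acquisition function itself needs root plus the headers for the running kernel.

```bash
#!/bin/bash
# Added example (not from the LiME project): build LiME, acquire RAM with a
# hash, and verify the dump. Helper names and /tmp/LiME are assumptions.
set -eu

LIME_REPO="https://github.com/504ensicsLabs/LiME.git"
LIME_DIR="${LIME_DIR:-/tmp/LiME}"

# LiME's Makefile renames the module to lime-$(uname -r).ko; reproduce that
# so the insmod path always matches the running kernel.
lime_module_name() {
    echo "lime-$1.ko"
}

# Build the single quoted parameter string insmod passes to the module:
# path=<outfile|tcp:port> format=<raw|padded|lime> [digest=<algo>]
lime_args() {
    local outfile="$1" format="$2" digest="${3:-}"
    local args="path=${outfile} format=${format}"
    if [ -n "$digest" ]; then
        args="${args} digest=${digest}"
    fi
    echo "$args"
}

# Compare the dump's SHA-256 with the hash stored in LiME's digest file.
# Assumption: the digest file holds the hex sum; only the first 64-hex-char
# token is used so surrounding text does not matter. Returns non-zero on
# mismatch or if no hash could be read.
lime_verify() {
    local dump="$1" digest_file="$2"
    local expected actual
    expected=$(grep -oiE '[0-9a-f]{64}' "$digest_file" | head -n1 | tr 'A-F' 'a-f' || true)
    actual=$(sha256sum "$dump" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Full acquisition: needs root and linux-headers-$(uname -r) installed.
lime_acquire() {
    local outfile="$1" digest="${2:-sha256}"
    local kver module
    kver=$(uname -r)
    module=$(lime_module_name "$kver")

    # Building a kernel module requires the headers of the running kernel.
    [ -d "/lib/modules/$kver/build" ] || {
        echo "missing kernel headers: apt install linux-headers-$kver" >&2
        return 1
    }

    [ -d "$LIME_DIR/.git" ] || git clone "$LIME_REPO" "$LIME_DIR"
    # Run make inside src/ (the Makefile uses the current directory).
    (cd "$LIME_DIR/src" && make)

    # Loading the module performs the dump; insmod returns when it is done.
    insmod "$LIME_DIR/src/$module" "$(lime_args "$outfile" lime "$digest")"
    # The module stays loaded after the dump; unload it before any re-run.
    rmmod lime

    echo "dump written to $outfile; verify with: lime_verify $outfile <digest file>"
}

# Entry point, only taken when run as: ./lime_acquire.sh acquire <outfile> [algo]
if [ "${1:-}" = "acquire" ]; then
    lime_acquire "${2:?usage: $0 acquire <outfile> [digest]}" "${3:-sha256}"
fi
```

Run it as root with `./lime_acquire.sh acquire /mnt/usb/memdump.mem sha256`, then call `lime_verify` with the dump and the digest file LiME wrote next to it; a mismatch means the dump was altered or truncated after acquisition and should not be relied on.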
