How to read data that is stored in RAM.

RAM stands for “Random Access Memory,”. RAM is made up of small memory chips that form a memory module. These modules are installed in the RAM slots on the motherboard of your computer.

RAM (random access memory) is the place in a computer where the operating system, application programs, and data in current use are kept so that they can be quickly reached by the computer’s processor. RAM is 20–100 times much faster than the other kinds of storage in a computer, the hard disk. However, the data in RAM stays there only as long as your computer is running. When you turn the computer off, RAM loses its data. When you turn your computer on again, your operating system and other files are once again loaded into RAM, usually from your hard disk.

How to read the data from RAM?

To read the RAM data we will dump the whole RAM data on disk and then we will read data from it. A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

This is the git repo of the LiME

First we need to install the kernel headers to do RAM acquisition. Then we will clone the LiME repo.

Use this command to install the kernel headers in your system.

yum install kernel-devel kernel-headers -y

Then we have to clone the LiME repo

Before cloning make sure git is installed in your system

yum install git

And finally once git is installed in our system we can clone the LiME repo in our system.

git clone https://github.com/504ensicsLabs/LiME

Now we have to navigate to the src directory of the LiME.

Now we can simply type the “make” command it will compile the source code and give us a loadable kernel object file. “make” is typically used to build executable programs and libraries from source code. Generally though, “make ”is applicable to any process that involves executing arbitrary commands to transform a source file to a target result.

Here, what we have done is that we have compile the LiMe for a specific kernel as loadable kernel object.

But before we have to generate some data in ram so once we dump ram data we can verify with it.

Now let’s insert the kernel object we will provide the path and the format in which we want to save the image as

insmod ./lime-4.18.0-305.el8.x86_64.ko "path=./ramdata.mem format=raw"

insmod command will insert the kernel object and it will dump the ram data at the path we specified and there are different formats for memory file I am here using the raw format. Depending on the ram size and disk I/O speed it will take time to dump ram data. you can give any name to folder like I have provided “ramdata.mem”

cat ramdata.mem | strings | grep "x=5"

That’s it guys I hope now you have understand how can you read the data that is stored in RAM. If like my article give it a like.

Connect with me:- LinkedIn

Open-Source Contributor GSSOC-21 | Data Science Enthusiast