Tuesday, October 17, 2017

Memory Forensics - Lime | Volatility


LiME  is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices,  allows full memory captures .

Download from Github : https://github.com/504ensicsLabs/LiME

 #  git clone https://github.com/504ensicsLabs/LiME.git

Looks like below :-



Go to the directory Src / then type the command   Make




Once the donce the make command kernel object file will create with the extension.ko
  
:::  lime-4.11.0-kali-amd64.ko



Use below command to extract the memory dump file.

#    Sudo insmod ./keranlobjectname.ko ‘’path = /root/Desktop/dump_filename.mem format=raw”




Open another terminal and check the size –     ls –lha   




Use Volatility to do the analysis . 



Volatility Framework - Volatile memory extraction utility framework

============================================================================

The Volatility Framework is a completely open collection of tools,
implemented in Python under the GNU General Public License, for the
extraction of digital artifacts from volatile memory (RAM) samples.

https://github.com/volatilityfoundation/volatility/wiki/Command-Reference





Posted by at

1 comment:

eu4 console commands said...

Interesting tool. Where are the raw files derived from? How do we "dump" memory?
Is this a processes memory, a core dump, or the entire machine's state?

January 6, 2018 at 10:07 PM

Post a Comment

Subscribe to: Post Comments (Atom)