How to read data stored in RAM? (Memory Forensics)

Sachin Joshi
Sep 21, 2021

What is RAM, and what data does it contain?

Random-access memory (RAM) is a computer’s short-term memory. None of your programs, files, or Netflix streams would work without RAM, which is your computer’s working space.

RAM is short for “random access memory”, and while it might sound mysterious, RAM is one of the most fundamental elements of computing. RAM is the super-fast, temporary data storage space that holds whatever the computer needs to access right now or in the next few moments.

Mark my words: RAM contains some of the most valuable data of your operating system, data that may or may never be written to the hard disk.

What does RAM contain?

  • usernames and passwords
  • recently opened files that have been wiped from disk
  • process information
  • the list of all running processes
  • command-line information
  • unencrypted data from an encrypted disk
  • keystrokes
  • network information
  • crypto keys, and a ton of other data

So it is clear that RAM is one of the most important components in determining your system’s performance. RAM gives applications a place to store and access data on a short-term basis.

One use case for reading RAM data is an investigation: when an attacker has carried out some illegal activity and the police need evidence of it, they usually read the RAM of the attacker’s machine, which gives a tree of what was running and being done on it at that moment.

So how can one read the data inside RAM?

There are multiple courses of action for reading RAM data, and each has its own use case. I will explain one of these methods.

In the method I will be using, we dump the whole contents of RAM to a file on disk and then read the data from that file. I will show this on a Linux-based operating system.

In a similar way you can read RAM on Windows or macOS.

Tools required for dumping RAM data to disk:

Linux-based OS

  • LiME
  • Linux Memory Grabber
  • fmem

macOS

  • MACMemoryReader
  • Goldfish
  • OSXPMem

Windows OS

  • FTK Imager
  • Winen

There are many such tools; I have listed only a few of them. To learn more about these tools, see the link below:

Let’s get started,

Since we are using a Linux operating system, we will use LiME (Linux Memory Extractor) to dump the RAM contents to disk.

LiME is a Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique, as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user-space and kernel-space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

We can simply download the source code and compile it with make to get the module we need for RAM acquisition. You can do this on any Linux-based OS.

Also install the kernel headers, which are needed to build the module for the running kernel:

yum install kernel-devel kernel-headers -y

I already have the package installed.

Also make sure you install the git package:

yum install git

After installing, your screen will look like this:

Now we have to clone the GitHub repo of LiME:

git clone https://github.com/504ensicsLabs/LiME.git

Now we can compile the source code of LiME. First, we need to navigate to the src directory (note that the directory name is case-sensitive):

cd LiME/src

“make” is typically used to build executable programs and libraries from source code. More generally, make is applicable to any process that involves executing arbitrary commands to transform a source file into a target result.

Install make first:

yum install make

Now we can simply type the “make” command; it will compile the source code and give us a loadable kernel object file:

make

If you get an error at this point, make sure you install two more packages:

yum groupinstall "Development tools"
yum install elfutils-libelf-devel

After running these commands, run make again:

make

What we have done here is compile LiME for our specific kernel as a loadable kernel object.

But before dumping, we have to generate some known data in RAM, so that once we have the dump we can verify that it is there. In my case this is a Python variable, set in an interactive Python session, that we will grep for later.

Now let’s insert the kernel object. As module parameters we provide the path of the output file and the format in which we want to save the image:

insmod ./lime-4.14.198-152.320.amzn2.x86_64.ko "path=./ramdata.mem format=raw"

Depending on the RAM size and disk I/O speed, dumping the RAM data will take some time. You can give the output file any name; I have used “ramdata.mem”.

NOTE: When you compile LiME, it appends the kernel version to the file name. Make sure you use the full .ko file name with insmod, or rename the .ko file to “lime.ko”.

In the above image we have created the “ramdata.mem” file, which contains all the RAM data at that point in time. Now we can verify that it contains the Python variable we created earlier.

Type this command to check whether the variable and its value are present in the dump:

cat ramdata.mem | strings | grep "x=5"

We cat ramdata.mem and pipe it to strings because the dump is raw binary data in various encodings; strings extracts the printable character sequences from it, and we can then grep those for the variable name.

Now that we have verified that the variable and its value are stored in RAM, we can use different tools to do more analysis here and get details about CPU caches, every network connection, socket information, website information, caches, tokens, passwords, usernames, encrypted disk data and a lot of other things.
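The acquisition steps above (clone, build, insmod) and the verification step, put together as an added shell example that is not part of the original post or of the LiME project. It assumes GNU grep (for -a, -b and -o), sha256sum or shasum, the kernel headers already installed, and that the acquire step runs as root. The rmmod call and the image hash are additions a practitioner would want: LiME stays loaded after the dump and must be unloaded before the next acquisition, and hashing the image right after acquisition lets you later prove it was not modified. The sample dump in make_sample_dump is constructed data standing in for ramdata.mem.

```shell
#!/bin/sh
# Added example (not from the original post or the LiME project).
# Assumes: GNU grep, sha256sum or shasum, kernel headers installed,
# and root for the acquire step.
set -eu

# Build LiME from source. The module name carries the running kernel
# version, e.g. lime-<kernel version>.ko, so derive it from uname -r.
build_lime() {
    [ -d LiME ] || git clone https://github.com/504ensicsLabs/LiME.git
    (cd LiME/src && make)
    echo "LiME/src/lime-$(uname -r).ko"
}

# Load the module to write a raw image of physical memory to $1, then
# unload it so it can be loaded again for a later acquisition (root only).
acquire_ram() {
    out=$1
    ko=$(build_lime)
    insmod "$ko" "path=$out format=raw"
    rmmod lime
}

# SHA-256 of the image; record it right after acquisition so later
# analysis can show the file has not changed.
image_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print "offset:match" for every occurrence of a literal marker in the dump
# (-a treat binary as text, -b byte offset, -o only the match, -F literal).
# The offsets can be handed to xxd -s or hexdump -s to view the context.
find_marker() {
    grep -a -b -o -F -- "$2" "$1" || true
}

# Number of occurrences of the marker in the dump.
marker_count() {
    find_marker "$1" "$2" | wc -l | tr -d ' '
}

# Constructed stand-in for ramdata.mem: non-printable bytes around the
# text "x=5", so the helpers can be exercised without a real dump.
make_sample_dump() {
    f=$(mktemp)
    printf 'heap\000\377\001\002x=5\000tail\000' > "$f"
    printf 'other\000x=5\000' >> "$f"
    echo "$f"
}

case "${1:-}" in
    acquire) acquire_ram "${2:-$(pwd)/ramdata.mem}" ;;
    verify)  image_hash "$2"; find_marker "$2" "${3:-x=5}" ;;
    demo)    f=$(make_sample_dump); image_hash "$f"
             find_marker "$f" "x=5"
             echo "count: $(marker_count "$f" x=5)" ;;
    *) ;;
esac
```

Usage: `sh lime_acquire.sh acquire /root/ramdata.mem` as root to dump, then `sh lime_acquire.sh verify /root/ramdata.mem x=5` to hash the image and list where the marker sits; `sh lime_acquire.sh demo` runs the same helpers over the constructed sample. One caveat on what the grep actually proves: the text "x=5" found in the dump is the line typed into the Python prompt, kept in the interpreter's input and history buffers, not the integer object the variable points to, which Python stores in its own binary format.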
