When doing forensics, grabbing a capture of live memory is vital. There are a few different programs out there to accomplish the task, but in my testing I felt LiME was the best choice. It wasn't intrusive at all on the system and was pretty straightforward. Once I compiled it, I loaded it onto my flash drive and on I went. Below are the steps I took to achieve it all.
Notes: I am using a Kali system and will be moving the compiled LiME module to the target using a flash drive. LiME is a loadable kernel module, so the .ko you build will only insmod cleanly on a kernel that matches the one it was compiled against; the steps below assume the target runs the same kernel as the build box (compare uname -r on both), otherwise build against the target's kernel headers. Also remember the dump is the size of the target's physical RAM, so the flash drive needs at least that much free space.
1) Make a directory for LiME.
root@localhost:~/Desktop# mkdir ./lime
2) Change Directory into the newly created lime directory.
root@localhost:~/Desktop# cd ./lime
3) Download the code.
root@localhost:~/Desktop/lime# wget https://github.com/504ensicsLabs/LiME/archive/master.zip
4) Unzip master.zip.
root@localhost:~/Desktop/lime# unzip ./master.zip
5) Change directory into the src directory within the LiME-master directory that was unzipped in step 4.
root@localhost:~/Desktop/lime# cd ./LiME-master/src
6) Ensure that there are no previous compiled object files in the folder
root@localhost:~/Desktop/lime/LiME-master/src# make clean
7) Compile the module. The Makefile names the output after the running kernel (lime-$(uname -r).ko), which is why it only fits a matching target kernel.
root@localhost:~/Desktop/lime/LiME-master/src# make
8) Ensure that the LiME module compiled by checking that a .ko is now present in the src directory.
root@localhost:~/Desktop/lime/LiME-master/src# ls -l *.ko
9) Once verified that the LiME module is present, copy the compiled program onto the flash drive. In my case, my .ko file name is “lime-3.18.0-kali-amd64.ko”
root@localhost:~/Desktop/lime/LiME-master/src# cp lime-3.18.0-kali-amd64.ko /media/flash_drive_name/
10) Remove the flash drive from your system and plug it into the target system.
11) Insert the module and pass it the output path and format as the module parameter string. The capture starts as soon as the module loads and insmod returns when it is finished. If you would rather not write to media mounted on the target, LiME also accepts path=tcp:<port> and streams the capture to a listening netcat on your own machine.
root@target:~/Desktop# insmod /media/flash_drive_name/lime-3.18.0-kali-amd64.ko "path=/media/flash_drive_name/my_memory_dump.bin format=lime"
12) Verify that the memory capture was successful. The file should be at least the size of the target's physical RAM (slightly more, since the lime format adds a 32-byte header per memory range); hash it (e.g. sha256sum) before you unplug the drive so the copy you analyze later can be matched to what was acquired.
root@target:~/Desktop# ls -l /media/flash_drive_name/my_memory_dump.bin
13) Remove the LiME module from memory
root@target:~/Desktop# rmmod lime
14) Boom…. done!
Note: the .bin extension is just a name; what matters is the format= parameter. LiME can write raw (ranges concatenated with the gaps dropped), padded (gaps zero-filled so file offset equals physical address) or lime (each range prefixed with a header recording its start and end address). Since we will analyze the capture with Volatility, which reads the lime headers directly, lime is the suggested format.
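Since step 12 only confirms that a file exists, here is an added example (not part of the original post, and not LiME or Volatility code) that walks the lime-format headers and checks the dump is structurally sound before it goes to Volatility. It relies on the documented LiME header layout (little-endian magic 0x4C694D45, version 1, 64-bit start and end address, 8 reserved bytes, 32 bytes in total, followed by e_addr - s_addr + 1 bytes of memory) and flags the two failures you actually hit in practice: a dump written with format=raw (no headers) and a dump that ran out of space on the flash drive. SAMPLE_DUMP is a constructed two-range dump used only to exercise the checker; the file path at the bottom is a placeholder.

```python
"""Sanity-check a LiME (format=lime) memory dump before handing it to Volatility."""
import io
import struct
import sys

LIME_MAGIC = 0x4C694D45            # the bytes b"EMiL" read as a little-endian uint32
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved[8]
HEADER_SIZE = HEADER.size          # 32 bytes


def parse_lime_ranges(fobj):
    """Walk every segment and return [(s_addr, e_addr, file_offset_of_data), ...].

    Raises ValueError for a missing/bad magic (not a lime-format dump), an
    unknown header version, a range that runs backwards or overlaps the one
    before it, or a segment whose body is cut short by the end of the file.
    The segment bodies are skipped with seek(), never read, so this works on
    RAM-sized files.
    """
    fobj.seek(0, io.SEEK_END)
    file_size = fobj.tell()
    fobj.seek(0)

    ranges = []
    prev_end = -1
    while fobj.tell() < file_size:
        off = fobj.tell()
        hdr = fobj.read(HEADER_SIZE)
        if len(hdr) < HEADER_SIZE:
            raise ValueError("truncated segment header at offset %d" % off)
        magic, version, s_addr, e_addr, _reserved = HEADER.unpack(hdr)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset %d: not a format=lime dump "
                             "(raw or padded output?)" % (magic, off))
        if version != LIME_VERSION:
            raise ValueError("unsupported lime header version %d" % version)
        if e_addr < s_addr:
            raise ValueError("range 0x%x-0x%x runs backwards" % (s_addr, e_addr))
        if s_addr <= prev_end:
            raise ValueError("range 0x%x-0x%x overlaps the previous segment" % (s_addr, e_addr))
        data_off = fobj.tell()
        length = e_addr - s_addr + 1
        if data_off + length > file_size:
            raise ValueError("segment 0x%x-0x%x truncated: need %d bytes at offset %d, "
                             "file has %d (out of space on the drive?)"
                             % (s_addr, e_addr, length, data_off, file_size))
        ranges.append((s_addr, e_addr, data_off))
        fobj.seek(length, io.SEEK_CUR)
        prev_end = e_addr
    return ranges


def check_lime_bytes(data):
    """Convenience wrapper: (True, ranges) if well-formed, else (False, reason)."""
    try:
        return True, parse_lime_ranges(io.BytesIO(data))
    except ValueError as exc:
        return False, str(exc)


def captured_bytes(ranges):
    """Total physical memory covered by the segment headers."""
    return sum(e - s + 1 for s, e, _ in ranges)


def _segment(s_addr, e_addr, fill):
    """Build one constructed lime segment: header followed by its body."""
    body = bytes([fill]) * (e_addr - s_addr + 1)
    return HEADER.pack(LIME_MAGIC, LIME_VERSION, s_addr, e_addr, b"\x00" * 8) + body


# Constructed sample dump (not a real capture): a 4 KiB range at 0x1000 and a
# 1 KiB range at 0x100000, with the hole between them omitted as LiME does.
SAMPLE_DUMP = _segment(0x1000, 0x1FFF, 0xAA) + _segment(0x100000, 0x1003FF, 0xBB)


if __name__ == "__main__":
    # Placeholder path; pass the real dump as argv[1], e.g.
    #   python lime_check.py /media/flash_drive_name/my_memory_dump.bin
    path = sys.argv[1] if len(sys.argv) > 1 else "my_memory_dump.bin"
    with open(path, "rb") as f:
        found = parse_lime_ranges(f)
    for s, e, off in found:
        print("range 0x%012x-0x%012x (%d bytes) at file offset %d" % (s, e, e - s + 1, off))
    print("%d ranges, %d bytes of physical memory captured" % (len(found), captured_bytes(found)))
```

The overlap and backwards-range checks are cheap insurance against a corrupted copy; the truncation check is the one that matters on a flash drive, because a dump that filled the drive still looks like a normal file to ls -l but Volatility will fail partway through it.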