When doing forensics, grabbing a capture of the live memory is vital. There are a few different programs out there to accomplish the task but in my testing, I felt LiME was the best choice. It wasn’t intrusive at all on the system and was pretty straightforward. Once I compiled it, I loaded it up on my flash drive and on I went. Below are the steps I took to achieve it all.
Note: I am using a Kali system and will be moving the compiled LiME module to the target using a flash drive.
1) Make a directory for LiME.
root@localhost:~/Desktop# mkdir ./lime
2) Change Directory into the newly created lime directory.
root@localhost:~/Desktop# cd ./lime
3) Download the code.
root@localhost:~/Desktop/lime# wget https://github.com/504ensicsLabs/LiME/archive/master.zip
4) Unzip master.zip.
root@localhost:~/Desktop/lime# unzip master.zip
5) Change directory into the src directory within the directory called LiME-master (unzipped in step 4).
root@localhost:~/Desktop/lime# cd /root/Desktop/lime/LiME-master/src
6) Ensure that there are no previously compiled object files in the folder.
root@localhost:~/Desktop/lime/LiME-master/src# make clean
7) Compile the program.
root@localhost:~/Desktop/lime/LiME-master/src# make
8) Ensure that the LiME module compiled by checking that a .ko file is now present in the src directory.
root@localhost:~/Desktop/lime/LiME-master/src# ls
9) Once verified that the LiME module is present, copy the compiled module onto the flash drive. In my case, my .ko file name is "lime-3.18.0-kali-amd64.ko".
root@localhost:~/Desktop/lime/LiME-master/src# cp lime-3.18.0-kali-amd64.ko /media/flash_drive_name/
10) Remove the flash drive from your system and plug it into the target system.
11) Insert the module into memory and specify an output filename.
root@target:~/Desktop# insmod /media/flash_drive_name/lime-3.18.0-kali-amd64.ko "path=/media/flash_drive_name/my_memory_dump.bin format=lime"
12) Verify that the memory capture was successful.
root@target:~/Desktop# ls -l /media/flash_drive_name/my_memory_dump.bin
13) Remove the LiME module from memory.
root@target:~/Desktop# rmmod lime
14) Boom... done!
Note: the capture format is chosen by the format= parameter in step 11, not by the .bin extension, and lime is not the only format LiME offers. Since we will analyze the capture using Volatility, which reads the LiME format directly, format=lime is the suggested choice.