Linux Memory Capture with LiME

When doing forensics, grabbing a capture of the live memory is vital. There are a few different programs out there to accomplish the task but in my testing, I felt LiME was the best choice. It wasn’t intrusive at all on the system and was pretty straightforward. Once I compiled it, I loaded it up on my flash drive and on I went. Below are the steps I took to achieve it all.

Notes: I am using a Kali system and will be moving the compiled LiME program to the target using a flash drive.

1) Make a directory for LiME.

root@localhost:~/Desktop# mkdir  ./lime

2) Change Directory into the newly created lime directory.

root@localhost:~/Desktop# cd ./lime

3) Download the code.

root@localhost:~/Desktop/lime# wget

4) Unzip

root@localhost:~/Desktop/lime# unzip /root/

5) Change directory into the src directory within the directory called LiME-master (unzipped from step 4)

root@localhost:~/Desktop/lime# cd /root/Desktop/lime/LiME-master/src

6) Ensure that there are no previous compiled object files in the folder

root@localhost:~/Desktop/lime/LiME-master/src# make clean

7) Compile the program.

root@localhost:~/Desktop/lime/LiME-master/src# make

8) Ensure that the LiME module compiled by looking to see if a .ko is now present in the src directory.

root@localhost:~/Desktop/lime/LiME-master/src# ls

9) Once verified that the LiME module is present, copy the compiled program onto the flash drive. In my case, my .ko file name is “lime-3.18.0-kali-amd64.ko”

root@localhost:~/Desktop/lime/LiME-master/src# cp lime-3.18.0-kali-amd64.ko /media/flash_drive_name/

10) Remove the flash drive from your system and plug it into the target system.

11) Insert the module into memory and specify an output filename.

root@target:~/Desktop# insmod /media/flash_drive_name/lime-3.18.0-kali-amd64.ko “path=/media/flash_drive_name/my_memory_dump.bin format=lime”

12) Verify that the memory capture was successful

root@target:~/Desktop# ls –l /media/flash_drive_name/my_memory_cappture.bin

13) Remove the LiME module from memory

root@target:~/Desktop# rmmod lime

14) Boom…. done!

Note: .bin is not the only format available for memory captures but since we will analyze the capture using Volatility, it is the suggested format.