How to read data that is stored in RAM?

Dolly Chauhan
5 min read, Sep 25, 2021

RAM, which stands for Random Access Memory, is a hardware device generally located on the motherboard of a computer and acts as the internal working memory of the CPU. It allows the CPU to store data, programs and program results while the computer is switched on. It is the read/write memory of a computer, which means information can be written to it as well as read from it. RAM is essentially a device's short-term memory. It temporarily stores (remembers) everything currently running on a device, like all OS-specific services and any web browser, image editor or game you're using.

RAM prevents the CPU from digging through the device's slower storage, such as a hard drive or even a solid-state drive (SSD), every time you request a new browser tab or load a new enemy to shoot. As fast as today's storage is compared to drives of years gone by, it is still far slower than RAM.

Data that resides in RAM is readable by any capable component at almost the same speed. Because it has a hard-wired connection to the device, there is no real latency from cabling or connectors. RAM doesn't remember everything forever, however. It is a "volatile" technology, meaning that once it loses power it forgets everything. That makes it perfect for handling the multitude of high-speed tasks our devices throw at it each day.

How to read data stored in RAM?

There are many ways to read the contents of RAM on Linux. The method used here is simple: dump the complete contents of RAM to a file on disk, then read that file. On Linux we need the tool LiME (Linux Memory Extractor).

What is LiME?

LiME is a Loadable Kernel Module (LKM) that allows volatile memory acquisition from Linux and Linux-based devices such as Android. This makes LiME unique, as it is the first tool that allows full memory captures on Android devices. It also minimizes interaction between user-space and kernel-space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

This is the GitHub repo link for LiME:

We can simply download the source code and compile it with make into a loadable kernel module.

We will also need to install the kernel headers, because LiME is built against the running kernel before it can acquire RAM.

yum install kernel-devel kernel-headers -y

We will also need to install the git package.

yum install git

Now we have to clone the GitHub repo of LiME.

git clone https://github.com/504ensicsLabs/LiME.git

Now we can compile the source code of LiME. First, navigate to the src directory:

cd LiME/src

Make is typically used to build executable programs and libraries from source code. More generally, Make is applicable to any process that involves executing arbitrary commands to transform source files into a target result.

Now we can simply type the "make" command; it compiles the source code and gives us a loadable kernel object (.ko) file.

make

What we have done here is compile LiME for the specific running kernel as a loadable kernel object. Before dumping, we need to put some known data in RAM (for example, set a variable such as x=5 in an interactive Python session) so that once we have the dump we can verify it against that value.

Now let's insert the kernel object with insmod, providing the output path and the format in which we want the image saved:

insmod ./lime-4.14.198-152.320.amzn2.x86_64.ko "path=./ramdata.mem format=raw"

Depending on the RAM size and disk I/O speed, dumping the RAM contents will take some time. You can give the output file any name; here I have used "ramdata.mem".

NOTE: When you compile LiME, it appends the kernel version to the file name. Make sure you use the full .ko file name with insmod, or rename the .ko file to "lime.ko".

In the above image we have created the "ramdata.mem" file, which contains all of RAM at that point in time. Now we can verify that it contains the Python variable we created earlier.

Type this command to check whether the variable's value resides in RAM:

cat ramdata.mem | strings | grep "x=5"

We cat ramdata.mem and pipe it into strings because RAM holds binary data in many encodings; strings extracts the printable character sequences, and we can then grep those for the variable.
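The strings-and-grep step above, as an added example that is not part of the original post: a small Python scanner that does the same search over a raw (format=raw) image but keeps the byte offset of each hit and hashes the image first, which you would record before analysing a real dump. SAMPLE_DUMP, the ">>> x=5" run and the "session_token=" string are constructed stand-ins for what a real ramdata.mem would contain.

```python
import hashlib
import mmap
import re

# Constructed stand-in for a raw LiME image: non-printable filler with a few
# printable runs embedded. A real image would be read from ramdata.mem.
SAMPLE_DUMP = (
    b"\x00\xff\x01\xfe" * 64
    + b"\x02>>> x=5\x00"                  # the marker set in the Python session
    + b"\x03\x04"
    + b"session_token=EXAMPLE-ONLY\x00"  # constructed: secrets sit in RAM in clear
    + b"ab\x00"                          # too short to be reported as a string
    + b"\x7f" * 16                       # DEL is not printable
)


def extract_strings(data, min_len: int = 4):
    """Yield (offset, text) for each run of printable ASCII at least min_len
    bytes long, which is what `strings` (default -n 4) does over the dump."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("ascii")


def find_in_dump(data, needle: str, min_len: int = 4):
    """Equivalent of `strings ramdata.mem | grep needle`, but each hit carries
    the byte offset so it can be located again in the image."""
    return [(off, s) for off, s in extract_strings(data, min_len) if needle in s]


def image_digest(data) -> str:
    """SHA-256 of the image; record it before analysis so the dump can later be
    shown to be unchanged (chain of custody)."""
    return hashlib.sha256(data).hexdigest()


def scan_file(path: str, needle: str, min_len: int = 4):
    """Scan a real image on disk through mmap rather than reading gigabytes
    into memory; returns (digest, hits)."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return image_digest(mm), find_in_dump(mm, needle, min_len)


if __name__ == "__main__":
    print("sha256:", image_digest(SAMPLE_DUMP))
    for off, s in find_in_dump(SAMPLE_DUMP, "x=5"):
        print(f"offset {off:#x}: {s}")
```

Run it against the real dump with scan_file("ramdata.mem", "x=5"); every printable run in the image, including any credentials that were in memory, is visible the same way.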

Now that we have verified the variable and its value are stored in RAM, we can use different tools to do further analysis on the image and get details about CPU caches, every network connection, socket information, website data, caches, tokens, passwords, usernames, encrypted disk data and a lot of other things.

Thank you for reading ✔✔

My LinkedIn profile: https://www.linkedin.com/in/dolly-chauhan-28225b208
