How to read RAM data in Linux?

parthanaboina praveen
5 min read, Sep 24, 2021


What is RAM?

Random-access memory (RAM) is a computer’s short-term memory. None of your programs, files or Apps would work without RAM, which is your computer’s working space.

What does RAM contain?

-usernames and passwords
-recently opened files, including ones that have since been wiped from disk
-process information and the list of all running processes
-command-line information
-the unencrypted form of data that is stored encrypted on disk
-keystrokes
-network information
-cryptographic keys, and a lot more

So RAM is one of the most important components in determining your system's performance: it gives applications a place to store and access data on a short-term basis.

Reading RAM is also a forensic use case. When an attacker's machine is seized, investigators usually acquire its RAM, because the dump shows what was actually running and connected at that moment (the process tree, network connections, credentials and keys) in a way the disk alone cannot.

There are several ways to read RAM, each with its own use case; I will explain one of them.

The method used here dumps the whole of physical memory to a file on disk and then reads the data from that file. I will show this on a Linux-based operating system.

Since we are on Linux, we will use LiME (Linux Memory Extractor) to dump the RAM to disk.

A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

We can simply download the source code and compile it with make. The commands below use yum, but the same steps work on any Linux distribution with the equivalent packages.

First install the kernel headers and development package. The module has to be built against the exact kernel that is running (the version shown by uname -r), otherwise insmod will refuse to load it:

# yum install kernel-devel kernel-headers -y

Make sure the git package is installed as well:

# yum install git

Now clone the LiME GitHub repository (https://github.com/504ensicsLabs/LiME).

Next we compile the LiME source code. First, navigate to the src directory:

# cd LiME/src

Make is typically used to build executable programs and libraries from source code; more generally, it runs whatever commands are needed to turn a source file into a target result.

Install make if it is not already present:

#yum install make

Now simply run make. It compiles the source code and produces a loadable kernel object (.ko) file:

# make

If make fails here (typically because no compiler or the libelf headers are missing), install the development toolchain and libelf headers, then run make again:

# yum groupinstall "Development Tools"
# yum install elfutils-libelf-devel
# make

At this point we have compiled LiME for this specific kernel as a loadable kernel object.

Now insert the kernel object, giving the module the path where the image should be written and the format to save it in. insmod needs root, and in a real investigation the path should point at external media or a network share rather than the suspect machine's own disk, so that nothing on that disk is overwritten:

# insmod ./lime-4.14.198-152.320.amzn2.x86_64.ko "path=./ramdata.mem format=raw"

NOTE: when you compile LiME, the Makefile appends the running kernel version to the file name. Either use the full .ko file name with insmod, or rename the module to lime.ko first:

# mv lime-$(uname -r).ko lime.ko
# insmod ./lime.ko "path=./ramdata.mem format=raw"

The insmod run above created ramdata.mem, which holds the contents of physical memory at that moment. To verify it, we can search the image for something we know was in memory: the Python variable (x=5) that was set earlier.

Type this command to check whether the value is present in the dump:

# strings -n 3 ramdata.mem | grep "x=5"

The dump is mostly binary, so it is piped through strings, which extracts the runs of printable characters, and the result is grepped for the variable name and its value. Note that strings only prints runs of at least 4 characters by default, so a 3-character value such as x=5 needs -n 3 (or grep -a on the raw file) unless it happens to sit inside a longer printable run, such as an interpreter prompt.
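The whole procedure above (build, acquire, verify) as a single script, with the checks an examiner wants that the walkthrough leaves implicit. This is an added example, not code from the original post or from the LiME project, and it makes a few assumptions of its own: a yum-based host, the LiME source cloned into ./LiME, and an output path on external media or a network share. It goes a little beyond the post in three places: it refuses to build without headers for the running kernel, it hashes the image as soon as it is written, and it searches the raw image with grep -a so that byte offsets are reported and short values such as x=5 are not lost to the strings minimum length. Only "build", "acquire" and "search" as the first argument do anything; build and acquire need root.

```shell
#!/bin/sh
# Added example, not code from the original post or from the LiME project.
# Assumptions (mine): yum-based host, LiME cloned into ./LiME, output path
# on external media or a network share. Run as:
#   ./lime-acquire.sh build
#   ./lime-acquire.sh acquire /mnt/usb/ramdata.lime lime
#   ./lime-acquire.sh search  /mnt/usb/ramdata.lime 'x=5'
set -eu

# LiME's Makefile names the module after the kernel it was built for.
lime_ko_name() {
    printf 'lime-%s.ko\n' "$1"
}

# Module parameters as LiME takes them: one quoted string. format=lime
# keeps the physical address ranges (the format Volatility expects);
# format=raw, used in the article, concatenates the ranges with no headers.
lime_params() {
    printf 'path=%s format=%s\n' "$1" "$2"
}

# The module must be built against the running kernel; headers for any
# other version give a .ko that insmod refuses to load.
check_headers() {
    running=$(uname -r)
    if [ ! -d "/lib/modules/$running/build" ]; then
        echo "no kernel headers for $running: yum install kernel-devel-$running" >&2
        return 1
    fi
}

build_lime() {
    check_headers
    [ -d LiME ] || git clone https://github.com/504ensicsLabs/LiME.git
    (cd LiME/src && make)
}

acquire() {
    out=$1
    fmt=${2:-lime}
    ko="LiME/src/$(lime_ko_name "$(uname -r)")"
    [ -f "$ko" ] || { echo "run build first ($ko not found)" >&2; return 1; }
    # Writing the image to the suspect machine's own disk overwrites
    # unallocated space you may later want to carve, so keep it elsewhere.
    insmod "$ko" "$(lime_params "$out" "$fmt")"
    # insmod returns once the capture is complete; unload so the module
    # can be inserted again for a second capture.
    rmmod lime 2>/dev/null || true
    # Hash the image immediately so it can be shown unchanged later.
    sha256sum "$out" > "$out.sha256"
}

# Print "byte-offset:match" for every occurrence of a string in the image.
# grep -a scans the binary file directly, so a 3-character value such as
# x=5 is found even though strings(1) skips runs shorter than 4 characters.
search_dump() {
    LC_ALL=C grep -a -b -o -e "$2" "$1" || true
}

case "${1:-}" in
    build)   build_lime ;;
    acquire) acquire "$2" "${3:-lime}" ;;
    search)  search_dump "$2" "$3" ;;
esac
```

The offsets printed by search are useful later: they tell you where in the image to look with a hex viewer, and whether a credential or key appears once or many times.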

Now that we have verified the variable and its value are in the RAM image, other tools (Volatility, for example, which reads LiME images directly) can pull out much more: the running processes, every network connection and socket, browser data, tokens, usernames and passwords, the keys and plaintext of encrypted disks, and a lot of other things.
