*How To Read RAM in Linux*
What is RAM?
RAM stands for random access memory. This is where a PC stores data before it’s processed. … RAM is a form of volatile memory, which means that it only holds onto data while the chip is powered and erases everything when you shut down the PC. RAM memory is measured in gigabytes (GB).
RAM is temporary storage that goes away when the power turns off. So what is RAM used for, then? It’s very fast, which makes it ideal for things the computer is actively working on, such as applications that are currently running (for example, the web browser in which you’re reading this article) and the data those applications work on or with.
Let’s Get Started…
In older Linux versions a user could read the entire RAM directly through “/dev/kmem” with user access, but that also made it easy for malware to abuse. As malware increased, security was tightened and RAM can no longer be accessed this easily. Also, the contents of RAM change very frequently as other data and instructions are loaded.
So if we store a value in a variable it is loaded into RAM, but reading the entire RAM is difficult. Even if we do read RAM, everything is in binary form, so we also need to convert it into a human-readable form.
LiME
We can use LiME (Linux Memory Extractor) to dump the RAM contents to disk.
LiME is a Loadable Kernel Module (LKM) for Linux memory extraction which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique, as it is the first tool that allows for full memory captures on Android devices. It also minimizes the interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
Detailed documentation on LiME’s usage and internals can be found in the “doc” directory of the project. LiME utilizes the insmod command to load the module, passing required arguments for its execution.
We are using Red Hat 8.0 to perform the RAM acquisition, but you can do this on any Linux-based OS.
yum install kernel-devel kernel-headers
git clone https://github.com/504ensicsLabs/LiME.git
Clone the GitHub repo of LiME.
Now look in the src folder: the LiME source files are in it.
make
Run the ‘make’ command; it compiles the source code and gives us a loadable kernel object file. RHEL 8 already has the make command; in case you don’t have it, install it with ‘yum install make’.
The source code has been compiled and we get a file with a .ko extension, which is nothing but a kernel object. Now we need to insert (load) this kernel object, but first let us generate some data in RAM so that once we dump the RAM contents we can verify it.
Using the Python REPL, create a variable like ‘x=55’ so that we can search for it in the RAM dump.
Now let us insert (load) the kernel object:
insmod ./lime-4.14.198-152.320.amzn2.x86_64.ko "path=./ramdata.mem format=raw"
The insmod command inserts the kernel object, which then dumps the RAM contents to the path we specified. There are different formats for the memory file; here I am using the raw format. Depending on the RAM size and disk I/O speed, dumping the RAM takes some time.
The ramdata.mem file contains the RAM contents of the system at this point in time. We can now search it to check whether the variable we created is present in RAM or not.
strings ramdata.mem | grep "x=55"
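The walk-through above, from the compiled module to the search of the dump, as one reviewable script. This is an added example, not code from the post or from the LiME project. It assumes LiME has already been cloned and built (so the src directory holds a lime-<kernel>.ko named after the running kernel), that acquisition is run as root, that the marker value (x=55 from the REPL step) is already in memory, and the paths and variable names below are assumptions. Beyond the post it adds two checks a practitioner wants: the module must match the running kernel, and the dump is hashed right after acquisition so later analysis can show it was not altered.

```shell
#!/bin/sh
# Added example (not from the original post or the LiME project).
# Assumed locations and values; override them via the environment.
LIME_SRC="${LIME_SRC:-./LiME/src}"   # where 'make' left the .ko file
DUMP="${DUMP:-./ramdata.mem}"         # output file, as in the post
MARKER="${MARKER:-x=55}"              # value typed into the Python REPL

# LiME's build names the module after the kernel it was built for
# (lime-<uname -r>.ko); a module built for another kernel will not load.
lime_module_for_kernel() {
    printf 'lime-%s.ko' "$1"
}

# Build the single quoted argument string that insmod passes to the module.
# $1 = output path, $2 = output format (raw, padded or lime)
lime_args() {
    printf 'path=%s format=%s' "$1" "$2"
}

# Record a SHA-256 of the dump so the evidence file can be verified later.
record_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Number of lines in the dump containing the marker.
# -a treats the binary dump as text, -F matches the string literally.
marker_hits() {
    grep -a -c -F "$2" "$1"
}

# Byte offsets of every marker occurrence (one per line), for follow-up
# analysis of the surrounding memory.
marker_offsets() {
    grep -a -b -o -F "$2" "$1" | cut -d: -f1
}

# The acquisition itself: needs root and a module matching the running kernel.
acquire() {
    ko="$LIME_SRC/$(lime_module_for_kernel "$(uname -r)")"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -f "$ko" ] || { echo "no module built for this kernel: $ko" >&2; return 1; }
    insmod "$ko" "$(lime_args "$DUMP" raw)" || return 1
    # LiME does its work while loading; remove the module once the dump exists
    # (it must be removed before a second acquisition anyway).
    rmmod lime
    echo "sha256: $(record_hash "$DUMP")"
    echo "lines containing '$MARKER': $(marker_hits "$DUMP" "$MARKER")"
}

# Only acquire when invoked with --acquire, so the helpers can also be sourced.
if [ "${1:-}" = "--acquire" ]; then
    acquire
fi
```

Run it as root with `--acquire` on the machine being examined; the helper functions can also be sourced into an existing shell to inspect a dump taken earlier, for example `marker_offsets ramdata.mem "x=55"`.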
In this way we can read the RAM contents. We can also show that the variables we create while coding are stored in RAM.
Thank you