How to read RAM data

Rishabh Arya
4 min read · Sep 24, 2021


What is RAM?

Random-access memory (RAM) is a computer’s short-term memory.

RAM is short for “random access memory”, and while that might sound mysterious, RAM is one of the most fundamental elements of computing. It is the super-fast, temporary data storage space that holds what a computer needs to access right now or in the next few moments.

Here is a list of the kinds of data RAM contains:

✔️ list of all running processes
✔️ process information
✔️ command-line information
✔️ usernames and passwords
✔️ unencrypted data from an encrypted disk
✔️ recently opened files that have since been wiped from disk
✔️ keystrokes
✔️ network information
✔️ crypto keys, and a lot more

How to read RAM data?

LiME ~ Linux Memory Extractor

A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

STEPS TO READ THE DATA FROM RAM:

We need to install kernel headers to do RAM acquisition. Then we can clone the LiME repo.

yum install kernel-devel kernel-headers -y
yum install git

Then clone the LiME github repo.

Then we navigate to the src directory of LiME.

Now we can simply type the “make” command; it will compile the source code and give us a loadable kernel object file. “make” is typically used to build executable programs and libraries from source code, but it is applicable to any process that involves executing arbitrary commands to transform source files into a target result.

What we have done here is compile LiME into a loadable kernel object for this specific kernel.

But before that, we have to generate some data in RAM, so that once we dump the RAM we can verify the dump against it. Here that is a variable set in a Python interpreter.

Now let’s insert the kernel object, providing the path and the format in which we want to save the image:

insmod ./lime-4.18.0-305.el8.x86_64.ko "path=./ramdata.mem format=raw"

The insmod command inserts the kernel object, which then dumps the RAM contents to the path we specified. LiME supports several output formats for the memory file; here I am using the raw format. Depending on the RAM size and the disk I/O speed, the dump will take some time. You can give the output file any name; I have used “ramdata.mem”.

In the image above, a ramdata.mem file has been created that contains all of the RAM contents at that point in time. Now we can verify whether the Python variable we created earlier resides in RAM.

cat ramdata.mem | strings | grep "x=5"

In this way we can read the RAM data. We can also show that the variables we use while coding are held in RAM.

Thank you…. 🙏
