How to read data stored in RAM?(Memory Forensic)

What is RAM and What data RAM contains?

Random-access memory (RAM) is a computer’s short-term memory. None of your programs, files, or Netflix streams would work without RAM, which is your computer’s working space.

RAM is short for “random access memory” and while it might sound mysterious, RAM is one of the most fundamental elements of computing. RAM is the super-fast and temporary data storage space that a computer needs to access right now or in the next few moments.

Mark my words: RAM contains the most valuable data of your operating system, much of which might never be written to the hard disk at all.


What does RAM contain?

  • usernames and passwords
  • recently opened files, including ones that have since been wiped from disk
  • process information and the list of all running processes
  • command-line information (the arguments each process was started with)
  • plaintext of data from an encrypted disk (it is decrypted in memory while in use)
  • keystrokes
  • network information (connections, sockets)
  • crypto keys, and a lot more

So it is clear that RAM is one of the most important components in determining your system’s performance. RAM gives applications a place to store and access data on a short-term basis.

One common use case for reading RAM: when an attacker has carried out some illegal activity and investigators need evidence of it, they acquire the RAM of the attacker’s machine, which gives them a picture (for example, the tree of running processes) of what the machine was doing at that moment.

So how can one read what data is inside the RAM?

There are multiple courses of action for reading RAM data, each with its own use case. I will explain one of them.

In the method I will be using, we dump the whole of RAM to a file on disk and then read the data back from that file. I will show this on a Linux-based operating system.

In a similar way you can read RAM on Windows or macOS, with the tools listed below.

Tools Required for dumping ram data on disk:

Linux based O.S

  • LiME
  • Linux Memory Grabber
  • fmem

MAC O.S

  • MACMemoryReader
  • Goldfish
  • OSXPMem

Windows O.S

  • FTK Imager
  • Winen

There are many such tools; I have listed only a few. To know more about these tools, click on the link below:

Let’s get started.

We will use LiME (Linux Memory Extractor) to dump RAM data to disk, since we are using a Linux operating system.

A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

We can simply download the source code and compile it with make into a loadable kernel module that performs the RAM acquisition. You can do this on any Linux-based O.S.; the commands below use yum.

First install the kernel headers and the kernel development package matching the running kernel, because LiME is built against them.

yum install kernel-devel kernel-headers -y        



I already have the package installed.

Also make sure you install the git package

yum install git        


Now we have to clone the GitHub repo of LiME

git clone https://github.com/504ensicsLabs/LiME.git        

Now we can compile the source code of LiME. First we need to navigate to the src directory (the directory name is case-sensitive; git creates it as LiME):

cd LiME/src        

“Make” is typically used to build executable programs and libraries from source code. Generally though, Make is applicable to any process that involves executing arbitrary commands to transform a source file to a target result.

Install make first

yum install make        

Now we can simply run the “make” command; it will compile the source code and give us a loadable kernel object (.ko) file.

make        

If make fails here, make sure you install two more packages (the build toolchain and the libelf development files):

yum groupinstall "Development tools"
yum install elfutils-libelf-devel        

After installing these, run make again:

make        

Here, what we have done is compile LiME as a loadable kernel object for the specific kernel that is running.

But before we dump, let us generate some known data in RAM, so that once we have the dump we can verify it against that data (here, a Python variable assignment, x=5).

Now let’s insert the kernel object, passing it the path of the output file and the format in which we want the image saved (LiME supports the raw, padded and lime formats; I am using raw here):

insmod ./lime-4.14.198-152.320.amzn2.x86_64.ko "path=./ramdata.mem format=raw"        

Depending on the RAM size and disk I/O speed it will take some time to dump the RAM data. You can give the output file any name; I have used “ramdata.mem”. If you can, write it somewhere other than the disk under investigation (removable media, or LiME’s path=tcp:<port> option to stream it to a listener on another host), because every write to the suspect’s disk risks overwriting deleted data you may want later.

NOTE: When you compile LiME, it will append the kernel version to the file name. Make sure you use the full .ko file name with insmod, or rename the .ko file to “lime.ko”.
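The whole procedure above collected into one script, as an added example (not the article’s own script and not part of the LiME project): it assumes a yum-based host like the one in the article, root privileges, and an EVIDENCE_DIR variable (my name, not from the page) pointing at the destination. The module-name and argument helpers are separated out so they can be checked without root.

```shell
#!/bin/sh
# Added example, not the article's or LiME's own script.
# Build LiME for the running kernel and acquire RAM with insmod.
# Assumptions (mine, not from the article): a yum-based host, root,
# and EVIDENCE_DIR (a hypothetical variable) naming where the image goes.
set -u

# LiME names the built module after `uname -r`, e.g.
# lime-4.14.198-152.320.amzn2.x86_64.ko. Taking the release as an
# argument keeps the helper testable on any machine.
lime_module_name() {
    printf 'lime-%s.ko\n' "$1"
}

# insmod hands LiME one quoted "key=value ..." string. path may be a file
# or tcp:PORT (stream to a listener on another host); format is raw,
# padded or lime. lime keeps per-range headers, so physical addresses are
# preserved; raw concatenates the ranges and loses them.
lime_insmod_args() {
    printf 'path=%s format=%s\n' "$1" "$2"
}

acquire() {
    evidence_dir=${EVIDENCE_DIR:-/mnt/evidence}   # ideally removable media
    krel=$(uname -r)
    mod=$(lime_module_name "$krel")

    # Same packages the article installs, in one go.
    yum install -y git make kernel-devel kernel-headers elfutils-libelf-devel
    yum groupinstall -y "Development tools"

    [ -d LiME ] || git clone https://github.com/504ensicsLabs/LiME.git
    ( cd LiME/src && make )

    # A module built for a different kernel will not load; fail early.
    if [ ! -f "LiME/src/$mod" ]; then
        echo "no module $mod for running kernel $krel" >&2
        exit 1
    fi

    mkdir -p "$evidence_dir"
    out="$evidence_dir/ramdata-$(date -u +%Y%m%dT%H%M%SZ).lime"
    insmod "LiME/src/$mod" "$(lime_insmod_args "$out" lime)"
    # The dump is written during module init; unload so it can run again.
    rmmod lime 2>/dev/null || true
    # Hash immediately so later tampering with the image is detectable.
    sha256sum "$out" | tee "$out.sha256"
}

# Only touch the system when explicitly asked: sh acquire_ram.sh acquire
# (acquire_ram.sh is just the name I gave this file).
if [ "${1:-}" = "acquire" ]; then
    acquire
fi
```

Run it as root with the `acquire` argument; without it the file only defines the helpers, so it can be sourced or tested safely. The lime format is chosen over raw because analysis tools need the physical address of each range, which raw discards.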

We have now created a “ramdata.mem” file, which contains all the RAM data at that point in time. Now we can verify it by searching for the Python variable we created earlier.

Type this command to check if variable value resides in ram or not

strings ramdata.mem | grep "x=5"        

Now we have verified that the variable and its value are stored in RAM. From here we can use different tools to do further analysis on the image: every network connection, socket information, website information, caches, tokens, passwords, usernames, the plaintext of encrypted disk data, and a lot of other things.
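The verification step above, extended into the checks a practitioner would run on any image before analysing it, as an added example (not from the article). It assumes nothing beyond a Linux userland with grep, awk, wc and sha256sum; the marker string and file names in the comments are mine.

```shell
#!/bin/sh
# Added example, not from the article: sanity checks to run on an
# acquired image before analysis. Each check is a function that prints
# its result, so it works on any image file or a constructed test file.
set -u

# 1. Count occurrences of a known marker. grep -a reads the binary image
#    directly (no strings needed); -F keeps the marker literal.
#    Plant a long, unique marker before acquisition: a 3-character string
#    like x=5 will also match unrelated memory.
marker_count() {
    # $1 = image path, $2 = marker text
    LC_ALL=C grep -a -o -F -- "$2" "$1" | wc -l | tr -d ' '
}

# 2. Physical RAM size from /proc/meminfo (MemTotal is in kB). The
#    optional argument lets you read a saved copy of meminfo instead.
mem_total_bytes() {
    awk '/^MemTotal:/ { print $2 * 1024 }' "${1:-/proc/meminfo}"
}

# 3. Is the image at least as large as MemTotal? padded and lime images
#    cover the whole physical address range and normally exceed it; a raw
#    image concatenates only the System RAM ranges and can land slightly
#    below it. Treat a small shortfall as a warning and a large one as a
#    truncated dump. Prints yes or no.
image_covers_ram() {
    # $1 = image path, $2 = meminfo path (optional)
    size=$(wc -c < "$1" | tr -d ' ')
    total=$(mem_total_bytes "${2:-}")
    if [ "$size" -ge "$total" ]; then echo yes; else echo no; fi
}

# 4. SHA-256 of the image: compare with the hash recorded at acquisition
#    before every analysis pass, so modification of the evidence shows up.
image_hash() {
    sha256sum "$1" | cut -d' ' -f1
}
```

Typical use is `marker_count ramdata.mem FORENSIC-MARKER-1234`, `image_covers_ram ramdata.mem`, and `image_hash ramdata.mem` compared against the hash file written at acquisition time; a marker count of zero or an image far below MemTotal means the dump should not be trusted.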


Thank You for Reading



More articles by KARTIK LOKARE
