How to Read RAM Data?
Anudeep Nalla
Opensource Contributer | Platform Engineer | EX-NPCI | RHCA Level III | OpenShift | CEPH | CK{S,A,AD} | 3x Microsoft Certified | AWS CSA | Rancher | Nirmata | DevOps | Ansible | Jenkins | DevSecOps | Kyverno | Rook-Ceph
What is RAM and What data it contains?
Random-access memory (RAM) is a computer’s short-term memory. None of your programs, files, or Netflix streams would work without RAM, which is your computer’s working space.
RAM is short for “random access memory” and while it might sound mysterious, RAM is one of the most fundamental elements of computing. RAM is the super-fast and temporary data storage space that a computer needs to access right now or in the next few moments.
RAM holds some of the most valuable data on your operating system, much of which may never be written to the hard disk.
Here is a list of what RAM contains:
· list of all running processes
· process information
· command-line information
· usernames and passwords
· unencrypted data from an encrypted disk
· recently opened files that have since been wiped from disk
· keystrokes
· network information
· crypto keys, and a great deal more.
So how do we read RAM data?
There are many ways to read RAM data, each with its own use case. I will explain one of them.
In this method we dump the whole of RAM to disk and then read the data from the dump file. I will show this on a Linux-based OS, but you can read RAM from Windows or Mac in a similar way; I list the tools required for the other operating systems below.
Tools required for dumping RAM data to disk:
Linux-based OS
· LiME
Mac OS
· MACMemoryReader
Windows OS
· FTK Imager
There are many alternatives to the tools above; I have listed only the best-known ones.
Let’s get Started…
Ten years ago, and on old Linux versions, you could read RAM directly from user space through the device files /dev/mem and /dev/kmem. That made reading RAM easy, but it also made it easy for malware to abuse, and most malware stays resident in RAM rather than on disk precisely because files on disk can be detected by antivirus. Because of that abuse, the latest Linux kernels no longer let you read RAM directly through those device files; reading RAM now requires kernel access.
We will use LiME (Linux Memory Extractor) to dump RAM data to disk.
LiME ~ Linux Memory Extractor
A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
This is the GitHub repo link for LiME:
We can simply download the source code and compile it into a kernel module with make.
Compile the source code on the same machine whose RAM you want to read.
We also need to install the kernel headers before we can do RAM acquisition.
yum install kernel-devel kernel-headers -y
Now we have to clone the GitHub repo of LiME.
Now we can compile the LiME source code. First, navigate to the src directory:
cd LiME/src
Now simply run the "make" command. It compiles the source code and gives us a loadable kernel object file.
make
If make fails at this point, we need to install two more packages: the "Development Tools" group and elfutils-libelf-devel.
After installing the above packages, run the make command again:
make
The source code has been compiled and we get a file with the ".ko" extension, which is nothing but a kernel object. Now we need to insert (load) this kernel object. But first, let's generate some data in RAM, for example by creating a variable in Python, so that we can prove the variable is stored in RAM once we dump RAM and inspect it.
Renaming lime-4.18.0-305.el8.x86_64.ko to lime.ko:
mv lime-4.18.0-305.el8.x86_64.ko lime.ko
We can start the Python REPL and create a list variable. Every book, teacher and article says that variables reside in RAM, but nobody shows it; today we will verify whether that's true.
I am creating a list containing my name in the Python REPL.
Now let's insert (load) the kernel object:
insmod ./lime-4.18.0-305.el8.x86_64.ko "path=./ram-data.mem format=raw"
or
insmod ./lime.ko "path=./ram-data.mem format=raw"
The insmod command inserts the kernel object, which then dumps the RAM data to the path we specified. There are different formats for the memory file; I am using the raw format here.
Depending on the RAM size and disk I/O speed, dumping the RAM data will take some time.
In the above image a ram-data.mem file has been created that contains all the RAM data at that point in time. Now we can verify whether the Python variable we created earlier resides in RAM or not:
cat ram-data.mem | strings | grep "Anudeep"
cat ram-data.mem | strings | grep "anup=11"
We cat ram-data.mem and pipe it to strings, because RAM contains data in binary and other encodings; strings extracts the printable runs, and then we can grep for the variable's value.
You can see that we have verified that the variable we created earlier is present in RAM.
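As an added example (not code from the article or the LiME project), here is a Python scanner that performs the same check as the strings | grep above, but streams the dump in chunks so a multi-gigabyte image never has to fit in the analysis host's own RAM, reports every offset at which the marker occurs, and computes the SHA-256 of the image in the same pass so the dump can be verified later. The marker and the small sample image it scans are constructed for the demo; a real run would pass the path of ram-data.mem.

```python
import hashlib
import os
import tempfile
from typing import List, Tuple

def scan_dump(path: str, needle: bytes, chunk_size: int = 4 * 1024 * 1024) -> Tuple[List[int], str]:
    """Stream a raw memory image; return (offsets of every `needle` hit, SHA-256 of the image).
    Chunked reads keep the analysis host's RAM usage flat for multi-GB dumps; the tail of each
    chunk is carried into the next so a hit spanning a chunk boundary is not lost."""
    if not needle:
        raise ValueError("needle must be non-empty")
    offsets: List[int] = []
    digest = hashlib.sha256()
    overlap = len(needle) - 1   # a full match can never fit inside the carried tail alone
    carry = b""
    base = 0                    # absolute file offset of carry[0]
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            digest.update(chunk)
            buf = carry + chunk
            pos = buf.find(needle)
            while pos != -1:
                offsets.append(base + pos)
                pos = buf.find(needle, pos + 1)
            keep = min(overlap, len(buf))
            carry = buf[len(buf) - keep:] if keep else b""
            base += len(buf) - keep
    return offsets, digest.hexdigest()

def demo() -> Tuple[List[int], bool]:
    """Write a constructed mini 'dump' (not a real capture), scan it with a tiny chunk size so the
    second hit straddles a chunk boundary, and confirm the streamed hash matches a direct one."""
    marker = b"['Anudeep']"    # how the REPL list might appear in memory (constructed value)
    image = b"\x00" * 100 + marker + b"\xff" * 50 + marker + b"\x00" * 10
    fd, path = tempfile.mkstemp(suffix=".mem")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(image)
        offsets, digest = scan_dump(path, marker, chunk_size=64)
        return offsets, digest == hashlib.sha256(image).hexdigest()
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(demo())
```

Recording the digest alongside the dump is what lets you show later that the image you analysed is the one you acquired.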
That’s it for this Article.
If you liked this article, please drop a clap so it can reach more people.