What is RAM and What data it contains?
Random-access memory (RAM) is a computer’s short-term memory. None of your programs, files, or Netflix streams would work without RAM, which is your computer’s working space.
RAM is short for “random access memory” and while it might sound mysterious, RAM is one of the most fundamental elements of computing. RAM is the super-fast and temporary data storage space that a computer needs to access right now or in the next few moments.
Mark my word that ram contains the most valuable data of your Operating System which might or might never be written on Harddisk.
Here the list of what Data does Ram contains?
- list of all running processes
- process information
- command-line information
- username passwords
- Unencrypted data from an encrypted disk
- Recently opened file which has been wiped from disk
- keystrokes
- network information
- crypto keys and ton lot of more data.
Now you know what valuable data ram contains, So One of the use cases to read ram data is considered a hacker done some illegal activity and police need proofs regarding the same, if you can read the ram of hackers machine you have all the proofs that you need to prove some illegal activity has been done by a hacker there is much more use case.
So now, the question comes “How to read ram Data?”
There are a hell lot of ways to read ram data each has its own use case I will explain one of the methods to read ram data.
The Method I will explain in that we will dump the whole ram data on disk and then we will ram read data from it. I will show this in Linux-based O.S but in a similar way you can read ram from windows or mac. I will list the tool required for another O.S
Tools Required for dumping ram data on disk:
Linux based O.S
- LiME
MAC O.S
- MACMemoryReader
Windows O.S
- FTK Imager
There are many alternate tools to above I just listed the most famous ones.
Here Im Using LiME ~ Linux Memory Extractor
A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
This is the Github repo link for LiME:-
We will also need to install kernel headers to do ram acquisition.
yum install kernel-devel kernel-headers -y
Now we have to clone the GitHub repo of LiME
git clone https://github.com/Tanmay4443/LiME.git
Now we can compile the source code of LiME… first, we need to navigate to the src directory
cd LiME/src
Now we can simply type the “make” command it will compile the source code and give us a loadable kernel object file
make
But incase if you faced error while executing “make” command make sure that you run first <yum groupinstall ”Development tools”>
Source code has been compiled and we get a .ko extension file that is the nothing but a kernel object now we need to insert or load this kernel object but first let generate some data in ram so once we dump ram data we can verify it
We can start Python REPL and can create a list variable, because every book, teachers, article says that variable resides in RAM but no one show today we will verify if that’s true.
Create a variable “x” and Assign a value 5
Now let insert or load the kernel object…
insmod command will insert the kernel object and it will dump the ram data at the path we specified and there are different formats for memory file I am here using the raw format.
Depending on the ram size and disk I/O speed it will take time to dump ram data
we can cat the ramdata.mem and pipe it to strings because ram contains data in binary or other encodings so strings will convert it into a string and then we can grep with the variable name
cat ramdata.mem | string | grep "x=5"
~Tanmay Pathare