Simplify Linux digital forensics!
LiMEaide is a Python application developed by Daryl Bennett that can remotely dump the RAM of a Linux client.
It can also create a volatility profile for later analysis.
In order to use LiMEaide all you need to do is feed a remote Linux client IP address, sit back, and consume your favorite caffeinated beverage.
How does it work?
- Make a remote connection with the specified client over SSH
- Transfer necessary build files to the remote machine
- Build the memory-scraping Loadable Kernel Module (LKM) LiME
- LKM will dump RAM
- Transfer RAM dump and RAM maps back to host
- Build a Volatility profile
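The sequence above, written out as an added example (this is not LiMEaide's own code): the remote steps are issued over SSH with paramiko, the dump and the RAM map are pulled back over SFTP, and the returned image is then checked before analysis. Everything beyond the post is an assumption: the remote working directory and file names, the `path=`/`format=` module parameters and the `lime-<kernel>.ko` file name (these follow the LiME project's conventions, not this post), passwordless sudo on the client, and the 32-byte LiME range-header layout (magic, version, inclusive start/end address, reserved) used by `parse_lime_dump`. The header check is the step a practitioner wants after the transfer back to the host: a truncated or corrupted image is caught here rather than as a confusing Volatility failure later.

```python
"""Added example (not LiMEaide's code): remote LiME acquisition plus an
integrity check of the returned dump. Paths, module parameters and the
header layout are assumptions described in the lead-in."""
import hashlib
import struct
from typing import Dict, List, Tuple

LIME_MAGIC = 0x4C694D45                 # "EMiL" when read as little-endian bytes
LIME_HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved


def build_remote_steps(remote_dir: str = "/tmp/limeaide",
                       dump_name: str = "ram.lime") -> List[str]:
    """Commands executed on the client, in the order the post lists them:
    build the LKM, load it (which writes the dump), save the RAM map, unload."""
    return [
        f"mkdir -p {remote_dir}",
        f"cd {remote_dir}/LiME/src && make",          # build against the client's kernel headers
        f"sudo insmod {remote_dir}/LiME/src/lime-$(uname -r).ko "
        f"\"path={remote_dir}/{dump_name} format=lime\"",
        f"cat /proc/iomem > {remote_dir}/iomem.txt",  # physical RAM map for later analysis
        "sudo rmmod lime",                            # leave no module loaded on the client
    ]


def parse_lime_dump(data: bytes) -> Dict[str, object]:
    """Walk every range header of a LiME-format dump and report what it holds.
    Raises ValueError on a bad magic/version or a truncated range."""
    ranges: List[Tuple[int, int]] = []
    captured = 0
    offset = 0
    while offset < len(data):
        if len(data) - offset < LIME_HEADER.size:
            raise ValueError(f"truncated header at offset {offset}")
        magic, version, start, end, _ = LIME_HEADER.unpack_from(data, offset)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic 0x{magic:08x} at offset {offset}")
        if version != 1:
            raise ValueError(f"unsupported LiME header version {version}")
        size = end - start + 1          # e_addr is inclusive
        offset += LIME_HEADER.size
        if len(data) - offset < size:
            raise ValueError(f"range {start:#x}-{end:#x} is truncated")
        ranges.append((start, end))
        captured += size
        offset += size
    return {"ranges": ranges, "captured_bytes": captured,
            "sha256": hashlib.sha256(data).hexdigest()}  # record this with the evidence


def is_intact(data: bytes) -> bool:
    """True when the image parses cleanly end to end."""
    try:
        parse_lime_dump(data)
        return True
    except ValueError:
        return False


def make_sample_dump() -> bytes:
    """Constructed two-range image used for the offline demonstration."""
    blob = b""
    for start, payload in ((0x1000, b"A" * 16), (0x100000, b"B" * 32)):
        end = start + len(payload) - 1
        blob += LIME_HEADER.pack(LIME_MAGIC, 1, start, end, b"\0" * 8) + payload
    return blob


def acquire(host: str, user: str, key_path: str, local_dump: str) -> Dict[str, object]:
    """Run the steps on the client and pull the dump back (needs network
    access and paramiko; the offline parts above do not)."""
    import paramiko
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())  # known hosts only
    client.connect(host, username=user, key_filename=key_path)
    try:
        for cmd in build_remote_steps():
            _, stdout, stderr = client.exec_command(cmd)
            rc = stdout.channel.recv_exit_status()
            if rc != 0:
                raise RuntimeError(f"{cmd!r} failed ({rc}): {stderr.read().decode()}")
        sftp = client.open_sftp()
        sftp.get("/tmp/limeaide/ram.lime", local_dump)
        sftp.get("/tmp/limeaide/iomem.txt", local_dump + ".iomem")
        sftp.close()
    finally:
        client.close()
    with open(local_dump, "rb") as fh:
        return parse_lime_dump(fh.read())


if __name__ == "__main__":
    report = parse_lime_dump(make_sample_dump())
    print(f"{len(report['ranges'])} ranges, {report['captured_bytes']} bytes, "
          f"sha256 {report['sha256']}")
```

`RejectPolicy` together with `load_system_host_keys()` means the tool only talks to clients whose host key is already in the analyst's known_hosts, so an acquisition cannot be silently redirected. The SHA-256 returned by `parse_lime_dump` is what goes into the case notes next to the image.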
Installation
In order to use LiMEaide you need to resolve some dependencies.
paramiko and termcolor
sudo apt-get install python3-paramiko python3-termcolor
dwarfdump
sudo apt-get install dwarfdump
LiME
- Download LiME v1.7.8
- Extract into LiMEaide/tools/
- Rename folder to LiME
More information and downloads
References
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
LiMEaide: remotely dump RAM of a Linux client was originally published in So Long, and Thanks for All the Fish on Medium, where people are continuing the conversation by highlighting and responding to this story.
Article Link: https://andreafortuna.org/limeaide-remotely-dump-ram-of-a-linux-client-327cc52902d9?source=rss----bf18ac17f001---4