How to read data stored in RAM
RAM (Random Access Memory) is the hardware in a computing device where the operating system (OS), application programs and data in current use are kept so they can be quickly reached by the device’s processor. RAM is the main memory in a computer. It is much faster to read from and write to than other kinds of storage, such as a hard disk drive (HDD), solid-state drive (SSD) or optical drive.
The term random access as applied to RAM comes from the fact that any storage location, also known as a memory address, can be accessed directly, in any order and in roughly the same time. The term was originally used to distinguish directly addressable core memory from sequential storage such as magnetic tape, which has to be read through in order to reach a given record.
So how do we read the data in RAM?
There are many ways to read RAM contents, each with its own use case. This post walks through one of them: dumping the entire contents of physical memory to a file on disk and then searching that file. The walkthrough is done on a Linux-based OS.
We will use LiME (Linux Memory Extractor) to write the memory image to disk.
LiME (Linux Memory Extractor)
A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
Install the kernel headers so the acquisition module can be built. The kernel-devel package must match the running kernel (compare its version with the output of uname -r), and building a kernel module also needs gcc and make.
yum install kernel-devel kernel-headers -y
Install git and clone the LiME github repo
# yum install git
# git clone https://github.com/504ensicsLabs/LiME.git
Now change into the src directory of the LiME checkout.
Type the make command: it compiles the source code and produces a loadable kernel object file named after the running kernel (lime-<kernel version>.ko). make is typically used to build executable programs and libraries from source code, but it can drive any process that runs commands to turn source files into target files.
What we have done here is compile LiME as a loadable kernel object for this specific kernel. A module built against one kernel version will be refused by insmod on another, so rebuild it on each target rather than copying the .ko around.
Before dumping, put something recognisable in memory so that we can confirm it shows up in the image: for example, start an interactive python session, type x=5 and leave the interpreter running.
Now we load the kernel object with insmod. The module takes its parameters on the command line: path, where the image is written, and format, how the image is laid out.
insmod ./lime-4.18.0-305.el8.x86_64.ko "path=./ramdata.mem format=raw"
insmod inserts the kernel object, which then dumps the RAM contents to the path we specified. LiME supports several output formats; raw is used here. The .ko file name includes the kernel version it was built for (4.18.0-305.el8.x86_64 on this machine), so use the name that make produced on yours. Depending on the amount of RAM and the disk I/O speed the dump takes a while, and the machine keeps running during it, so the image is a snapshot over an interval rather than an instant. The output file name is arbitrary; ramdata.mem is used here. Writing the image to the target's own disk does change the system (it consumes free space and may overwrite deleted data), so for forensic work prefer removable media or streaming over the network, which LiME supports with path=tcp:<port>.
Once insmod returns, ramdata.mem holds the contents of physical memory at acquisition time. We can now check whether the python line we typed earlier can be found in it.
strings -n 3 ramdata.mem | grep "x=5"
Here you can see x=5. The -n 3 matters: strings only prints runs of at least four printable characters by default, so a three-character string on its own would be dropped. Note also what the search actually found: the source line as typed, which sits in the interpreter's input and history buffers, not the variable itself. CPython stores the value 5 as a binary integer object, which does not appear as the text x=5. String searching is therefore effective for typed commands, credentials and text-encoded keys, while structured objects need a parser that understands the kernel and process layouts, such as Volatility.
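The procedure above, collected into one script with the checks a responder would want before and after the dump (matching kernel headers, the kernel-specific .ko name, unloading the module, hashing the image, and a strings-style search with a configurable minimum length). This is an added example and not code from the original post or from the LiME project; the function names, the use of the ./LiME checkout directory and the x=5 marker are illustrative assumptions, and the acquire step must be run as root on the target.

```shell
#!/bin/sh
# Added example (not from the original post or the LiME project).
# Assumes LiME has been cloned into ./LiME as in the post and that the
# acquire step runs as root. Function names and the marker are illustrative.
set -u

# make names the module after the running kernel: lime-<uname -r>.ko.
lime_ko_name() {
    printf 'lime-%s.ko\n' "$(uname -r)"
}

# kernel-devel must match the running kernel, otherwise make fails or
# produces a module that insmod refuses to load.
check_headers() {
    [ -d "/lib/modules/$(uname -r)/build" ]
}

# Build LiME and dump physical memory to $1. Writing to the target's own
# disk alters it; for real cases use removable media or path=tcp:<port>.
acquire() {
    out=$1
    check_headers || { echo "no kernel headers for $(uname -r)" >&2; return 1; }
    ( cd LiME/src && make ) || return 1
    insmod "LiME/src/$(lime_ko_name)" "path=$out format=raw" || return 1
    rmmod lime                                  # module work is done once insmod returns
    sha256sum "$out" > "$out.sha256"            # hash before anything else touches the image
}

# Count lines containing $2 among printable runs of at least $3 characters
# in dump $1. Emulates `strings -n $3 | grep -c`, without needing binutils.
marker_hits() {
    dump=$1; marker=$2; minlen=${3:-4}
    LC_ALL=C tr -c '[:print:]' '\n' < "$dump" \
        | awk -v n="$minlen" 'length($0) >= n' \
        | grep -c -F -- "$marker" || true       # grep exits 1 on zero hits; keep the count
}

# Byte offset of every occurrence of $2 in dump $1, one per line.
marker_offsets() {
    LC_ALL=C grep -a -b -o -F -- "$2" "$1" | cut -d: -f1
}

case "${1:-}" in
    acquire) acquire "${2:-./ramdata.mem}" ;;
    verify)  marker_hits "$2" "$3" 3 ;;
esac
```

Usage is `sh dump.sh acquire ./ramdata.mem` followed by `sh dump.sh verify ./ramdata.mem x=5`; the offsets from marker_offsets can be divided by 4096 to see which physical page a hit lives in. The minimum-length argument is passed explicitly because the typed marker is only three characters long.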
Thanks for your Time!!