LiME – Linux Memory Extractor

Keep on Guard!


LiMe is a Loadable Kernel Module (LKM) Linux memory extractor which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

LiME - Linux Memory Extractor

Features

  • Full Android memory acquisition
  • Acquisition over network interface
  • Minimal process footprint

Usage

Detailed documentation on LiME’s usage and internals can be found in the “doc” directory of the project. LiME utilizes the insmod command to load the module, passing required arguments for its execution.


Examples

In this example we use adb to load LiME and then start it with acquisition performed over the network:

Now on the host machine, we can establish the connection and acquire memory using netcat

Acquiring to sdcard

You can download LiMe v1.7.2 here:

LiMe-v1.7.2.zip

Or read more here.


Posted in: Forensics, Hacking Tools

, , , , , , ,

Recent in Forensics:
- PowerShellArsenal – PowerShell For Reverse Engineering
- Androguard – Reverse Engineering & Malware Analysis For Android
- Volatility Framework – Advanced Memory Forensics Framework

Related Posts:

Most Read in Forensics:
- NetworkMiner – Passive Sniffer & Packet Analysis Tool for Windows - 66,839 views
- raw2vmdk – Mount Raw Hard Disk (dd) Images As VMDK Virtual Disks - 35,773 views
- OpenDLP – Free & Open-Source Data Loss Prevention (DLP) Tool - 35,313 views


Comments are closed.