Memory Dump Analysis: Using LiME for Acquisition and Volatility for Initial Setup

Read Time:3 Minute, 10 Second

The content of this post is solely the responsibility of the author.  LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Memory dump analysis is a crucial aspect of digital forensics, offering a snapshot of a system’s volatile memory at a specific point in time. This can uncover critical evidence such as running processes, open network connections, and in-memory malware execution that disk analysis might miss. In a previous blog, we learnt how to use fmem for volatile memory acquisition. In this blog, we will explore how to create memory dumps using LiME (Linux Memory Extractor) and how to further begin with our analysis process using volatility framework in our upcoming blogs.

What is LiME?

A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

Why is Memory Dump Analysis Important?

Memory dump analysis is vital in digital forensics for several reasons:

Uncovering Hidden Data: RAM contains transient data not stored on disk, such as encryption keys and in-memory malware.

Understanding System State: Memory dumps provide a snapot of active processes, open files, and network connections.

Detecting Malicious Activity: Analysis can reveal the presence and behavior of malware that operates primarily in memory.

Installing and Setting Up LiME

To use LiME, you’ll need to build it from source. Follow these steps to install and set up LiME:

Clone the LiME Repository: To clone into LiME Repository, you can use git clone:

git clone https://github.com/504ensicsLabs/LiME.git

Ensure you have the Linux kernel headers and build tools installed.

To install build essentials, you can use: sudo apt install build-essential

Now, navigate into src subdirectory under Lime directory:

cd LiME/src

Compile the LiME Module:

Now, use make to compile the LiME module:

make

Load the Module:

Use insmod to load the module into the kernel.

Specify the path and format for the memory dump:

sudo insmod lime.ko “path=/path/to/dump.mem format=raw”

LiME allows you to create memory dumps in various formats and save them either locally or over a network. Here’s how to do it:

Save to a File:

sudo insmod lime.ko “path=/path/to/dump.mem format=raw”

You can check by going to path directory, you will see a .mem file.

Save Over a Network:

sudo insmod lime.ko “path=tcp:192.168.1.2:4444 format=lime”

Replace 192.168.1.2 with the IP address of the receiving machine and 4444 with the desired port.

Analyzing Memory Dumps with Volatility Framework

Volatility is an advanced open-source memory forensics framework for incident response and malware analysis. It supports a wide range of memory dump formats and offers various plugins for analyzing different aspects of memory dumps.

Install Volatility: git clone

https://github.com/volatilityfoundation/volatility3.git

Navigate to Volatility3 directory and install required dependencies.

After installing the dependencies, you can use command python3 vol.py -followed by argument

In the below screenshot we wanted to see the help section, so we gave the -h argument.

Memory dump acquisition using LiME and analysis using Volatility Framework is a powerful technique in digital forensics, uncovering valuable insights from a system’s volatile memory. By following this guide, you can effectively capture memory dumps, enhancing your digital forensics knowledge on various ways to acquire a memory dump. We will look further into volatility framework in our next blog.

Read More

USN-6856-1: FontForge vulnerabilities

Read Time:25 Second

It was discovered that FontForge incorrectly handled filenames. If a user or an
automated system were tricked into opening a specially crafted input file, a
remote attacker could possibly use this issue to perform a command injection.
(CVE-2024-25081)

It was discovered that FontForge incorrectly handled archives and compressed
files. If a user or an automated system were tricked into opening a specially
crafted input file, a remote attacker could possibly use this issue to perform
command injection. (CVE-2024-25082)

Read More

Polyfill.io Supply Chain Attack

Read Time:43 Second

What is the attack?Over 100,000+ sites have been impacted by a supply chain attack involving the Polyfill.io service. Polyfill is a popular tool used for enhancing browser capabilities by hundreds of thousands of sites to ensure that all website visitors can use the same codebase for unsupported functionality. Earlier this year, the polyfill.io domain was purchased, and the script was modified to redirect users to malicious and scam sites.What is the recommended Mitigation?Given the confirmed malicious operations, owners of websites using polyfill.io are advised to remove it immediately and search their code repositories for instances of polyfill.io. Users are also advised to consider using alternate services provided by Cloudflare and Fastly.What FortiGuard Coverage is available?FortiGuard Labs’ research team is investigating the coverage and has blocked all the known Indicators of compromise (IoCs).

Read More

USN-6854-1: OpenSSL vulnerability

Read Time:14 Second

It was discovered that OpenSSL failed to choose an appropriately short
private key size when computing shared-secrets in the Diffie-Hellman Key
Agreement Protocol. A remote attacker could possibly use this issue to cause
OpenSSL to consume resources, resulting in a denial of service.

Read More

Smashing Security podcast #378: Julian Assange, inside a DDoS attack, and deepfake traumas

Read Time:18 Second

Wikileaks’s Julian Assange is a free man, deepfakes cause trouble in the playground, and we hear hot takes about ransomware and tales from inside a devastating denial-of-service attack.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Eleanor Dallaway.

Read More