Home > Uncategorized > Step by step Guide to using LiME – The Linux Memory Extractor

Step by step Guide to using LiME – The Linux Memory Extractor

I’m no expert on dumping RAM memory from Linux machines, i’m just trying to explain the steps that i used to get it working – because it was not as intuitive for a n00b like me )

Note: The best way (and possibly the most forensically sound way) is to have the LiME source compiled (?) earlier on another Linux machine, then you transfer the resulting files (in this case a “.ko” file ) onto a USB drive that you will use to plug into the “suspect” Linux machine and dump the memory onto the USB disk (Make sure you have a large enough USB disk to dump the memory).

  • Download the LiME source code from the Google Code repository ( https://code.google.com/p/lime-forensics/ )
  • Compile it using the Linux “make” command. It looked something like this for me:
    user1@UbuntuMachine: /media/USBDriveName/lime-forensics-1.1-r17/src$ make
  • The result was that it created a “.ko” file in the current directory:
  • Now move the USB to the suspect machine. In this case an Ubuntu 32-bit machine. Plug the USB extraction drive into the machine (assuming that it mounts successfully, otherwise you have to mount it yourself. This isn’t very forensically sound, but there’s not much choice here).
  • Run the command:
    suspect@UbuntuSuspectMachine: /media/USBDriveName/lime-forensics-1.1-r17/src$ sudo insmod lime-3.2.0-59-generic.ko "path=/media/USBDriveName/myRAMDump.lime format=raw"

It is important that you put both the path parameter and the format parameter in the command, otherwise you’ll get the “-1 invalid parameters” error. The documentation also says that for Ubuntu you’ll need the quotes around the path and format parameters, while in other distributions like CentOS and RedHat you won’t need them.

NB: I compiled it directly on a USB drive and used it as is on the same  USB

More about the LiME Linux Memory Extractor can be found in their documentation at the Google Code repository. There’s a PDF with the documentation that you can download (https://code.google.com/p/lime-forensics/downloads/list)

Categories: Uncategorized Tags: , , ,
  1. Lee
    May 26, 2016 at 7:52 AM

    while executing dump command from the folder where ‘make’ is done :
    sudo insmod lime-4.2.0-27-generic.ko “path=/home/ubuntu.lime format=lime”
    ERROR obtained is:

    insmod: ERROR: could not insert module lime-4.2.0-27-generic.ko: File exists

    make was successful. This happened when i was dumping for the second time.First time, it created a dump. Mine is Ubuntu 14.04 system. What to do??? pls help

    • Irvin H.
      December 25, 2016 at 2:04 AM

      Sorry, i haven’t looked at the comments for a while … i’ll have to look into this.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: