---
tags: forensics-tutorials
---

# Volatile memory acquisition

:::info
**In this short demo you will learn:**
- How to perform volatile memory acquisition
:::

Get the LiME (Linux Memory Extractor) source code from https://github.com/504ensicsLabs/LiME and build the kernel module for the running kernel (the `.ko` file used below).

The next step is to load LiME with the `insmod` command. This step acquires a memory sample (here in raw format) and, in this case, I also told LiME to produce a hash of the acquired sample with the `digest` parameter. As an example the memory capture is written to disk, but in a real incident it should be written to a network share or removable media, or sent over the network. Finally, you can remove the module with `rmmod`.

```
~/LiME/src$ sudo insmod ./lime-5.6.2-050602-generic.ko "path=/tmp/limeImage.mem format=raw digest=md5 timeout=0"
~/LiME/src$ sudo rmmod lime
```

Check the hash of the image (it should match the digest LiME produced):

```
~/LiME/src$ md5sum /tmp/limeImage.mem
```

Now you can use the `strings` command to print the sequences of printable characters in your image file:

```
strings /tmp/limeImage.mem
```

You can also use the `grep` command to search for a particular word. For example:

```
strings /tmp/limeImage.mem | grep "some word"
```

or even (if you want to send the output to a file):

```
strings /tmp/limeImage.mem > dictionary.txt
```

Finally, you can carve files out of the image with photorec as shown below:

```
photorec /tmp/limeImage.mem
```
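The two checks above (hash verification and `strings | grep`) as a small Python script, added here as an example and not part of LiME or the original tutorial. It assumes the digest file sits next to the image as `<image>.<algo>` with the hex digest as its first token; the sample image it writes is constructed, not a real capture.

```python
import hashlib
import re
import tempfile
from pathlib import Path

MIN_LEN = 4  # default minimum length used by the `strings` utility

def hash_file(path, algo="md5", chunk=1 << 20):
    """Hash the image in chunks so a multi-gigabyte capture never has to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(path, algo="md5"):
    """Compare the image hash with the digest file beside it (assumed name: <path>.<algo>)."""
    expected = Path(f"{path}.{algo}").read_text().split()[0].lower()
    return hash_file(path, algo) == expected

def extract_strings(path, min_len=MIN_LEN, chunk=1 << 20):
    """Return (offset, text) pairs like `strings -t d`, streaming through the file; a printable
    run at the end of a chunk is held back so no string is split at a chunk boundary."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found, carry, base = [], b"", 0  # base = file offset of carry[0]
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            buf = carry + data
            cut = len(buf)
            while data and cut and 0x20 <= buf[cut - 1] <= 0x7E:
                cut -= 1  # trailing printable run may continue in the next chunk (not at EOF)
            found += [(base + m.start(), m.group().decode("ascii")) for m in run.finditer(buf, 0, cut)]
            if not data:
                return found
            carry, base = buf[cut:], base + cut

def grep_strings(path, needle):
    """The `strings | grep` step from the tutorial, keeping each hit's file offset."""
    return [(off, s) for off, s in extract_strings(path) if needle in s]

SAMPLE = (b"\x00\xff" + b"root:x:0:0:root:/root:/bin/bash" + b"\x00\x01ab\x02"  # constructed sample,
          + b"secret_token=EXAMPLE123" + b"\x00" * 3)                          # not a real capture

def build_sample():
    """Write the sample image plus a LiME-style .md5 digest file; returns the image path."""
    d = Path(tempfile.mkdtemp())
    image = d / "limeImage.mem"
    image.write_bytes(SAMPLE)
    (d / "limeImage.mem.md5").write_text(hashlib.md5(SAMPLE).hexdigest() + "\n")
    return str(image)
```

Run `verify_image(build_sample())` to see the digest check pass; appending a single byte to the image makes it fail, which is the point of hashing the capture at acquisition time.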