 Welcome back everyone. Today we're talking about acquiring RAM from an AWS EC2 instance running Amazon Linux 2. We'll be using Lime for the acquisition. See the link for Lime below the video. So our first assumptions are SSH access to the target with Amazon Web Services, especially with EC2. That usually means a target ID file, which you'll find as a dot PEM. So whoever owns that instance should be able to give that to you or be looking for PEMs if you're acquiring this file locally from a suspect system and you're trying to get access. You also need the username especially. If you have the PEM file and you have the username, you should be able to authenticate unless they've also set a password. The local password for the user would be useful in case you need to enter it. By default, you can do a lot of things even using sudo in AWS just with this PEM and username. However, it doesn't take much to add more security. So you might also need passwords or further authentication methods. So that brings us to sudo permissions on the target. So the ability to switch to a super user or get extra permissions, this is on by default as well. And then known allowed outgoing ports on the target firewall, especially Amazon Web Services, outgoing connections are not usually limited, but that's an easy rule to create. So whoever was running the system could have added firewall rules to disallow outgoing connections on particular ports. So make sure you know whether you can actually have an outgoing connection on a specific port. That being said, you also need allowed incoming ports on your forensic server firewall. So if you're blocking incoming connections into your forensic server, that's going to be a problem. And in this case, we're using port 4444 to make the connections between our forensic server and the target system. Basically, make sure that you're able to do outgoing connections on the target system, you're able to allow incoming connections on your forensic server, and you have the ability to log in and get administrative privileges on the target system. This method will work on any remote Linux system, the same steps, essentially, you're going to have to find, for example, the kernel version on our target system, compile lime on a different system with the same kernel version, and then move those binaries over and then transfer the acquired memory image out. That's basically the way that this works. So this will generalize to most remote Linux systems, as long as you can find the same kernel version. This setup is a little bit complex. So on the top, I have our forensic workstation. And on the bottom, I have our target system. Both of these are, it's an EC2 instance running Amazon Linux 2 for both the target, and then I created a forensic server based on the same spec as our target. That way I have hopefully the same kernel version. The first thing we need to do on the target system is try to prevent as many changes to the system as possible. We already have a single login event because I've connected with SSH using the target's identity file. I want to prevent adding any information to the command line. So the command line does keep a history, so I'm going to turn that off. So I'm going to type set plus o, it's not a zero, it's an o history. And then what that's going to do is basically shut off history logging for the command prompt that I'm in. So that way we're not changing the bash history very much and hopefully it's not logging any of that in memory. So we're reducing our memory footprint. We hopefully don't have to type too many commands to actually get the image out, but we want to try to reduce that as much as possible. Just don't forget to turn it back on. So next on the target system I'm going to be running uname-a. And this will give me a lot of information about the target system that I'm dealing with. That way I can or build a system based around its specs. So uname-a gives me a lot of information about the system. But what I'm mostly interested in right now, although I would document all this, what I'm mostly interested in is the 4.14243. That is the kernel version that's currently running in this Amazon Linux to instance. So whenever I'm compiling Lime, I need to find a system with the same kernel version. Well, we're already running on Amazon. If I have an Amazon account, I can spin up a similar instance and hopefully get the same kernel. So on my forensic workstation or my forensic server here, I spun up essentially the same exactly same type of instance. And if we run uname-a on our forensic server instance, we also have kernel version 4.14243. So that's good. If you run into a server that's been running for a very long time, you might not have the most updated kernel version, although I do think they do hot swapping most of the time. So you might have to try to roll back an instance, start an instance that you control and then roll back the kernel version until you get to the same version that's currently running in the target system or run a system locally that you have a little bit more control over the kernels and then choose the kernel version directly. So you don't have to use an Amazon instance to compile against, but it tends to be a little bit easier because it's most likely that they're going to have the same kernel version running. So next we have the kernel version on our target system and we've shut off the history. So that's good. We don't need to type anything else on there. We can actually start to work on our forensic server to get everything set up. So the next thing we need to do is install a couple different programs that will help us along the way. So we need to do sudo yum. Yum is the package manager that Amazon Linux 2 uses. sudo yum install, we want to use git. That way we can actually git lime download it. We need netcat. That way we can transfer data between systems and we also need kernel headers. Lime is going to need to compile against kernel headers. So we need to download those as well. So we will install kernel headers and kernel devl and just kernel just in case we don't already have it. Okay. So the next thing I do is sudo yum install git. If it's not already installed, netcat, if it's not already installed in Amazon Linux 2, both of those are not installed by default. Kernel headers, kernel devl and just kernel. And then that should give us all of the development files plus allow us to download lime and we have netcat installed. That way we can use it. Okay. So hit enter. Do you want to install everything? Yes. So now that that's complete, we didn't have any errors. I should be able to type git-h and then we do see the git help menu. I'm going to clear that. I don't have anything in this directory except the target's identity file. I'm going to do git clone and then the URL for the lime repository on GitHub. So when we run that, it will go out and download that repository. And then I'll have a folder in this directory that I was in. So next I need to do cd change directory to lime. And then there's another folder in there called src. So now I'm in the lime source directory. And if I do ls, then I can see all the source code for lime. And we have a make file. Now all I need to run is make and we should compile lime against the current version of the kernel that's in my forensic server. This one that I'm accessing right now. This is not our target system. It's not the suspect system. We haven't touched the suspect system except to get the kernel version. But if I run make, we're building against all of those kernel development files. And then we see at the end, it moved lime.co to the lime dash, and then it has a kernel version here. So if I do ls, then I can see this lime.co. And that's our kernel object that we want. I'm going to go ahead and make a copy of lime.4.co. And I'm just going to call it lime.co, because it'll be much easier to work with whenever I'm working with it, all right? So everything that we do, it will be with lime.co. Now we have lime compiled against the current kernel. And I need to get like that kernel object over to the target system. And we also need a way to transfer information out of the target system into our forensic server. I know that Amazon Linux 2 does not come pre-installed with Netcat. So we can't use Netcat by default. So I'm going to send Netcat over to our target system, type which in C, and that'll tell us where Netcat is currently located, all right? So we already have that. So we have Netcat and we have the lime.co file. I'm going to type scp, this is secure copy, and then dash i, and I give dash i or scp essentially that identity file for the target system, that PEM file, that was located at just in the directory. And I think I called it defersiaws test dot PEM, I'm going to copy the lime.co kernel object, right? And then where do I want to send it? I want to send it to the target system. So the first thing I need is the username that I'm going to use by default, we use the username EC2 user for Amazon Linux 2, that's just the default, but most likely people are going to change that, but not necessarily, so it's still worth a try. And then I'm going to give the IP address of our target system. So now we have the identity file, we have the user at, and then we have the IP address, and then I have to give the location that I want to save that kernel object to, and I'm just going to save it to tilde slash, and that will be the user's directory for the EC2 user, it'll just be right in that root user's directory. Okay, so if I hit enter, we had a transfer, if this was your first time running it, you'll get asked to accept the SSH key for that system. I've already connected to it before. So I'm not being asked for that key. So we just had a transfer, and everything looks okay. All right. So the next thing I want to do is basically exactly the same thing. So I just hit the up arrow. And instead of lime.co, I'm going to transfer user bin in C, I'm transferring netcat over to the suspect system, we had a successful transfer, everything looks good. Now we should be able to go into the target system again, type ls, and then we have lime.co and netcat that was just transfer. These are all we need to be able to do the acquisition. Okay, so next I'm going to start listening for connections on my forensic workstation. So let me change out of the lime directory. Now I'm back in the default user directory. And to listen, I'm going to type NC-L, so netcat, listen. And then the port that I want to listen on 4444. And I'm going to pipe all of that out to a file. And the file name will be MEM 127.lime.gz. Okay, now the reason I called it that file name is because this is a memory image for the 127 server, the target server that I'm looking at.lime, lime is the image format that I'm going to be receiving. I'm not using a raw image format, I'm using a lime image format. And then .gz because I'm expecting a compressed file. Okay, so we press enter. And then now we're listening on port 4444 for any incoming connections, any data that we receive, we will pipe out to this file name. So back on the target system, we have our lime kernel object. So we need to load that kernel object. So I need to type sudo insmod insert module, the lime.co kernel object. And then I have to give it some properties. And there's two required property properties, the path and the format, but we're going to use some other settings as well. So I'm going to type path equals. And I want it over the network. So it's going to be TCP, which basically means a network connection. And we're going to specify the port 4444. Next is going to be the format. And I'm going to use the lime format. Not all forensic tools support the lime format. So you might need to choose raw format. But yeah, just think about how you're going to analyze the file later. Next, I'm going to specify a digest hash value of SHA 256. And that means that lime will create a hash value as its imaging memory. And then it will send us that hash value as well. And I'm also going to specify compress equals one, which means compression turn on compression. Whenever I hit enter, this will run, but lime will be waiting for an incoming connection before it will send any data. So I would have to connect to the target system. Problem is the target system has a firewall up and I can't have incoming connection. So I have to do outgoing connections. So I'm going to end this command with an ampersand. And that will tell Linux to send this command to the background. So it won't block me from doing other things while it's waiting. It'll just sit there and wait for a connection to come in, send all the data, and then exit. Then we can see the process ID show up. And that means that it is running in the background. And lime will just sit there. And like I said, wait for a connection to come in and read the data. Since lime is waiting for an incoming connection, but I can't connect in from my forensic server, we're going to have to use netcat to do a little trick, okay? So we have netcat in the same directory, this NC file. So I'm going to type dot slash NC, that means we're on netcat. And I'm going to connect in to the local host on port 4444. Well, what is currently listening or waiting for a connection on 4444? Lime is. Once I'm connecting with netcat, even on the local system, then lime will send me that memory image through that port. Then we can use netcat, pipe the results to another instance of netcat, except instead of being local host, we will use the server forensic servers IP address. And the forensic server is currently waiting for an incoming connection. It's waiting on port 4444. So I'm going to specify 4444 again. So we will connect to the local host, get the data, and then send it to this external IP address on the same port. So I hit enter. Now we're connecting in. Once our netcat process exits on our forensic server, that means that the dump is complete. Notice that the process on the target system has not exited. So we need to actually exit it manually by typing control C. Okay. So the next thing we have to do, if we do LS-LHA, we can see how big our memory image was, and we got 247 meg, I'm going to clear that and basically run the same command again, except instead of it being the lime, we're now going to get our hash file. So we still have the pipe open lime is still running in the background waiting to send the hash value. So let's call this mem 127 SHA 256, press enter. Now we have another netcat session waiting, and we'll dump everything into the SHA 256 file. Then we can just run exactly the same command again, local host 4444, netcat 3.5. So now I'm just getting all the data from netcat, sending it to our forensic server again. And this one should be very quick. Okay, our process already exited. So now we can control C on the target again. We see that the, this first process says done, sudo insmod lime KO actually finished. All right. So the next thing we have to do is do sudo rm mod lime.co. And that will remove the lime kernel object from the system. All right. So now we just have our two files that are in the directory. So I can go ahead and do sudo rm dash r star. And then it will remove those two files. Now star would delete everything in that directory. So be careful about that. If there are other things in there, and most likely there would be, just delete them specifically. And then the final thing to do on the suspect system is type set dash o history. And that will turn the bash history back on. If we exit, it'll probably reset anyway. But I just like to do it just in case. All right. Then we can exit. And now we are out of the suspect target system. And we only typed only a few or the minimum amount of commands that we needed to. And hopefully didn't leave too many traces. All right. So going back to our forensic server, if we type LS, we have our mem 127 lime.gz and our mem 127 shot 256. So let's go ahead and do cat mem 127 shot 256 and see what we get. Basically a file ending with 83 da 702. Okay, so that's the shot 256 hash value that lime captured. Then next, let's go ahead and do shot 256 sum mem 127 lime gz. And we get 95662 a zero. Well, that's not the same hash value, but that's also what we expect because this is a compressed version of the memory image. So let's go ahead and save that hash value into mem 127 gz shot 256. Okay, that way we actually have a reference for the zipped compressed file that we got. Now the next thing we want to do is decompress this gzip file. And for whatever reason, the lime Arthur author uses the tool on pigs. It's in the pigs package. So I'm just going to do unpigs mem 127 lime.gz. And then it will decompress and put the decompress file in the same directory. Then we can do shot 256 sum again on mem 127.lime. And then we get the shot 256 value 83 da 702 83 da 702 636 f 636 f. So this looks like the same shot 256 hash value for the original lime file as well as our new copy that we have. At the end, we have the original image, we have the shot 256 and we have the image hash value for our g zipped file as well. So that's pretty much it for memory imaging on a remote system and then sending it over a network back to a server that you control. We specifically did this on AWS EC2 instance running Amazon Linux 2 and used lime compiled on the server that we control sent back over to the target system. So I hope that was useful. Thank you very much.