 Welcome back everyone. Today, we're going to be talking about memory acquisition in Linux, and I'm currently on a Linux system here for memory acquisition in Linux. We are going to use the lime memory acquisition tool. You can get lime source code from GitHub and 504 basically forensics lab lime. And whenever we download this source code, it tells us basically how to compile how to use it. Lime also works on Android devices. You can use it for mobile mobile memory acquisition. But today we are going to use it for acquiring memory on a normal Linux computer. Okay, so I will post a link to this this GitHub repository. Basically, what we have to do is whenever you go to the GitHub repository, if you know how to use Git, then you can clone the GitHub repository, or you can just click on this clone or download. And if you know how to clone, then you can just copy this copy this address. If not, you can just download the zip file and extract it onto one of your Linux systems for testing. Okay, so I have already cloned lime into my opt directory. So I have this lime directory and inside lime, the lime directory, we just have doc license read me and SRC and what we want is this SRC folder. Now, I'm currently on my forensic workstation. But whenever we're running lime, we would be running it on a suspect system, right? It's not very useful to collect our own memory, we want to collect the memory from the suspect system, which means that we would have to compile lime for the suspect systems architecture. Now a lot of systems are going to be running. If it's going to if it's a desktop computer, one of the most common types of desktop computers are like a bun two, maybe 64 bit now. But there are a lot of different types of Linux and Unix systems that you could compile this for. So basically, you have to know the architecture of the suspect system that you are going to be acquiring memory from that way you can pre compile lime for it. If you don't know the architecture, then that means that you would have to compile lime on the suspect system before you acquire memory and that could first off take a very long time if you're trying to acquire compile on a very slow system. But that's also going to change a lot of things in the suspect systems memory whenever you are compiling this program. So if you can, if you know the architecture, then you should cross compile on your Linux system make a binary that works on the suspect system. If you don't know the architecture, then you might have to compile on the suspect system, but that is much more destructive for potential evidence than it would be otherwise. Okay, so I've already downloaded the lime source code. So I'm going to go into the SRC folder so CD SRC. And then this puts me this basically gives me all the source code for this. And I already have a kernel module in there so I'm going to go ahead and remove the pre compiled module that I had there. Okay, so you should have something that looks similar to this. Okay, basically we have this make file and this says how to how to compile this source code, which is lime H main C. Yeah, all of these things. Okay, so it's a relatively small program, which is good because we want a small program whenever we're collecting memory. So to build to build this module, I can just type make. And then I can just type make basically whenever I'm in this source folder. And this will automatically detect the architecture that I am currently on. And it will build and because I have these headers downloaded, it will build a kernel module for the architecture that I am on. So here we have move. The final final command was move lime dot KO lime 44021 generic. And this is specific to the kernel. This is the kernel version that I'm currently running. And dot KO is a kernel object. So basically we've compiled lime for a specific kernel. As a loadable loadable kernel object. Okay, so if we look again, now I have basically these, these files related to building. But the one that I'm really interested in is this lime 44021 generic dot KO. And this is specifically built for the kernel on this forensic workstation. It probably wouldn't work on another system that was using a different kernel, depending on how depending on what version of the kernel you're using, but most likely it wouldn't work on another system, especially if the kernel versions were very different. Okay, so imagine that I've imagined that this is my suspect workstation actually so we want to collect memory from this system. Now I need to load lime into memory. I need to load this kernel object and let it basically download the memory from this system. Okay, so now I have basically pseudo, which gives me a super user privileges or administrative privileges to this, this command this computer, and then I n s mod and this basically inserts a module or a kernel object insert a kernel object. And then we give it the kernel object that we want to load. And then we give it the path where we want to save our memory image at and the format we want to save the image as. Okay, so that's basically the most basic command that you need to run lime. So then we hit enter. And now it is copying. Okay, so let's see if we can see this. I'm going to open another command prompt here, dumber terminal. So if I go into seed drive opt, and I just saved it into the lime folder, we can see that Linux 64 dot mem is being created. And right now, it's copying pretty quickly. So right now I have up to 9.9 gig and it's still copying the 16 gigabytes of memory in this computer. So this is also something to consider that memory sizes are not very small anymore. So you need enough space to be able to store these memory images. Okay, so now the memory image is 16 gigabytes. And, and it finished. Okay, so once we've copied once we've collected all of the memory from the system, I'm going to go up. And now you can see Linux 64 dot mem. So this is my memory image. While, or before we actually start copying memory, we can't take a hash value. It's not like doing acquisition in a forensic workstation. We can't take a hash value before, because the memory is constantly changing, right? So for a, for a disk image, if we're making a disk image, we usually want to make a hash value before we begin to ensure that we know what the state of that disk is before we start and then we make a copy and then we can compare the copy afterwards. If the hash values match, then we know that the images are, we know that the images exactly as the data was before with RAM, that doesn't work because memory is constantly changing, right? So if I make a hash value before, and then I take an image of Ram, and then I have a hash value afterwards, they will be different because we changed Ram. And as the system was running, a lot of other things changed. So the first time that we have the ability to actually make a hash value that has any significance is as soon as this command is finished, as soon as we get this Linux 64 mem file, then I need to make a hash value, Linux 64 mem. I need to make a hash value of this memory image, because this memory image now that it is saved, now this data is saved into a file, it should never change again. And that's actually very important for our investigations. This is the hash value that will make it to court. And any, any other investigators that are kind of checking our work will use this hash value to make sure that our work is valid. So once this finishes, yeah, okay. So now this hash value will go in my documentation, I would also usually pipe this out into some sort of log file. So that way we have a record of what the original hash value was. And this hash value should never change again, right? So no matter where this memory image goes, this hash value will always be the same. Now we can also do a couple other things, for example, code signing using signatures. And the benefits to signatures is that we would have a date. I'm not going to go into how we do that in this video, but possibly in a future video. So that is it for acquiring memory memory, a memory image in Linux using lime. Basically, we load this kernel object. First, we have to compile it for the architecture that we're going to be copying data out of, then we load this kernel object into into the system, and give it a path where we want to save the memory image and the format that we want to save the memory image as. And then once we get this memory image out, and we saw that it was 16 gigabytes, so it looks like it's complete, then we have to make a hash value and document this hash value, we have to preserve this hash value completely. Now, the next thing I would do is make a copy of this memory image and then archive one of the copies off onto maybe a DVD or something like that. And then the other would be my working copy. So that's it for memory acquisition in Linux. Thank you very much.