How to read RAM
In this article, we will see what RAM is and how to read data from RAM on a Linux operating system.
What is RAM, and what does RAM do?
RAM — Random Access Memory.
Despite the name Random Access Memory, everything we do and work on passes through RAM and is stored there.
RAM is fast, temporary storage for the data that a computer needs to access now or in the next few seconds. It helps us in loading apps, browsing, and accessing or editing documents. Without RAM, none of your programs would run on the system or OS.
The speed and performance of your system directly correlate to the amount of RAM you have in your system. If you have insufficient RAM, your system slows down and you cannot multitask.
What type of data is stored inside RAM?
- Usernames and passwords
- Recently opened files
- Currently running processes or threads
- The security information of your system
- Encrypted/Unencrypted Information
- Network information, etc.
From the above examples, it is clear that RAM contains every single piece of information the user needs. The user interacts with the OS through programs, and the kernel, which is the main part of the OS, takes those instructions and sends them to the hardware, where the data is stored or retrieved.
This brings us to the crucial question:
How to read RAM data?
Let us discuss one of the most common methods to extract data from RAM on a Linux-based operating system.
In this method, we will dump the whole contents of RAM to disk using a kernel object module and then read the RAM data from the resulting file.
On a Linux-based OS, we will use LiME (Linux Memory Extractor), a tool that allows us to capture volatile memory from a running Linux device. It is the first tool of its type that also supports memory capture from Android devices.
We can download the LiME source and compile it with the “make” command.
Firstly, we need to install the kernel headers.
Next, you should have git installed on your system to clone the repository.
Now, we have to clone the LiME repository.
Now we have to navigate to the src directory to compile the source code.
Now, we will use the “make” command to compile the source code; it compiles the different pieces and gives us the final kernel object module.
As I am getting an error, I need to install the following modules:
Now, run the “make” command again.
Before getting any data from RAM, let us generate some data in RAM so that we can verify it later.
In the above image, we have generated some data using python3.
Now, let us verify if we are able to retrieve the data using the kernel object module.
To verify, we need to insert the module first. The command is “insmod”.
In the above step, we have loaded the LiME module using the “insmod” command and obtained the “.mem” file, which contains the whole RAM data.
Now, let us check whether the generated data, or some random data, is present in RAM.
In the above image (Img-18), I searched for a random string that I have never used anywhere. Thus, it is not present in RAM data and there is no retrieval of data for that particular string.
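The check described above, as an added example that is not part of the original article: a Python 3 search of a memory dump for a marker string, read in chunks and matched both as UTF-8 and as UTF-16LE. The marker value, the function names and the small sample dump are constructed for illustration; on a real capture, pass the path of the “.mem” file to find_marker.

```python
import os
import tempfile

MARKER = "lime-demo-marker-7f3a"   # constructed sample value, not from the article


def find_marker(dump_path, marker, chunk_size=1 << 20):
    """Return sorted byte offsets of marker in the dump, matched as UTF-8
    and as UTF-16LE (many desktop programs keep text in that form)."""
    if not marker:
        raise ValueError("marker must not be empty")
    patterns = {marker.encode("utf-8"), marker.encode("utf-16-le")}
    overlap = max(len(p) for p in patterns) - 1
    hits, tail, base = set(), b"", 0   # base = file offset of window[0]
    with open(dump_path, "rb") as fh:
        # Read in chunks: a dump is as large as RAM and should not be loaded whole.
        while block := fh.read(chunk_size):
            window = tail + block
            for pat in patterns:
                pos = window.find(pat)
                while pos != -1:
                    hits.add(base + pos)
                    pos = window.find(pat, pos + 1)
            # Carry the last bytes over so a match split across two reads is found.
            tail = window[-overlap:]
            base += len(window) - len(tail)
    return sorted(hits)


def demo():
    """Build a constructed 12 KiB stand-in for a .mem file and search it."""
    data = bytearray(3 * 4096)                       # zero filler
    data[4091:4091 + len(MARKER)] = MARKER.encode()  # straddles the 4096-byte boundary
    wide = MARKER.encode("utf-16-le")
    data[9000:9000 + len(wide)] = wide
    fd, path = tempfile.mkstemp(suffix=".mem")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        found = find_marker(path, MARKER, chunk_size=4096)
        absent = find_marker(path, "string-never-used-anywhere", chunk_size=4096)
    finally:
        os.remove(path)
    return found, absent


if __name__ == "__main__":
    print(demo())
```

An empty result means the string was not found in either encoding, which matches the outcome for a string that was never placed in memory.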
Hence, we have verified that the data is stored in RAM and can be extracted at any time we want using different kinds of tools on different operating systems. We can use the FTK Imager module to extract data from a Windows operating system, and we can get details about many more entities like the CPU, running threads, loopholes in security, encrypted files, etc.