Adam Outler · Aug 11, 2012 at 07:30 am

LiME Forensics Kernel Module for Raw Memory Snapshots

Raw access to memory is useful while performing data forensics or while hacking devices. Sometimes you need a snapshot of memory to analyze what is going on with locked bootloaders, to capture a memory region while tracking down a bug, or just to figure out the proper memory location of your Angry Birds score. This is where Linux Memory Extractor, a.k.a. LiME Forensics, comes in. LiME is a loadable kernel module that gives you access to the full range of device memory. As soon as the module is loaded, it takes a snapshot, allowing for very efficient debugging.

I asked Joe Sylve, the author of LiME Forensics, to explain the benefits of LiME over traditional tools like viewmem:

To answer your questions, the tools were designed with different uses in purpose.  LiME is designed to acquire a full dump of the physical memory layout of RAM for forensic analysis or security research.  It does it all in kernel space and can dump an image either to the local file system or over TCP.  It’s designed to give you as close of a copy of physical memory as possible, while minimizing its interaction with the system.
It appears viewmem is a userland program which reads a range of virtual memory addresses from a memory device, such as /dev/mem or /dev/kmem, and prints the contents to stdout.  I’m not sure that it does more than simply using dd on one of those devices would.
This is less acceptable in forensics for several reasons.  First of all, /dev/mem and /dev/kmem are being phased out and more and more devices aren’t shipping with those devices.  Secondly, /dev/mem and /dev/kmem limit you to reading from the first 896MB of RAM.  Also, the tool is causing several context switches between userland and kernelland for every block of memory read and is overwriting RAM with its buffers.
I’d say each tool has its use.  If you just need to know the contents of an address that’s within the first 896MB of RAM and your device has /dev/mem and /dev/kmem and you don’t care about capturing a forensically sound image, then viewmem (or dd) would be useful.  However, LiME was not designed specifically for that use case.

The most important thing for you memory hackers out there is that viewmem relies on the /dev/mem and /dev/kmem devices. Since those devices allow direct access to device memory, they are a vulnerability: they have been the targets of multiple exploits as of late, and the Linux kernel is phasing them out. LiME not only replaces the viewmem utility, it does it better.
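A LiME capture in its native "lime" format is a sequence of records, one per contiguous physical range, each a 32-byte header (magic, version, start and end address, reserved bytes) followed by that range's bytes. The parser below is an added example, not code from the XDA post or the LiME project; the header layout follows LiME's lime.h, the sample image is constructed inline, and the 896MB figure is the /dev/mem limit quoted in the interview above. It validates every header and flags the ranges a /dev/mem-based tool could not have reached.

```python
"""Parse a LiME-format memory capture and list the physical ranges it contains.

Added example, not part of the XDA post or the LiME project. Header layout is
taken from LiME's lime.h: a 32-byte record per contiguous physical range
(magic 0x4C694D45, version 1, start and end address, 8 reserved bytes),
immediately followed by the range's bytes.
"""
import struct

LIME_MAGIC = 0x4C694D45            # reads as "EMiL" in little-endian ASCII
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved
DEV_MEM_LIMIT = 896 * 1024 * 1024  # upper bound /dev/mem exposes, per the interview


def build_lime_image(ranges):
    """Constructed test input: serialise (start, data) pairs as LiME records."""
    out = bytearray()
    for start, data in ranges:
        end = start + len(data) - 1       # e_addr is inclusive in LiME headers
        out += HEADER.pack(LIME_MAGIC, LIME_VERSION, start, end, b"\0" * 8)
        out += data
    return bytes(out)


def parse_lime_image(blob):
    """Walk the records; return [(s_addr, e_addr, payload)] or raise on corruption."""
    ranges, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        magic, version, s_addr, e_addr, _ = HEADER.unpack_from(blob, off)
        if magic != LIME_MAGIC or version != LIME_VERSION:
            raise ValueError(f"bad header at offset {off}: magic={magic:#x} version={version}")
        if e_addr < s_addr:
            raise ValueError(f"inverted range at offset {off}")
        size = e_addr - s_addr + 1
        off += HEADER.size
        if len(blob) - off < size:
            raise ValueError(f"range {s_addr:#x}-{e_addr:#x} truncated")
        ranges.append((s_addr, e_addr, blob[off:off + size]))
        off += size
    return ranges


def above_dev_mem_limit(ranges):
    """Ranges that extend past what a /dev/mem-based tool such as viewmem could read."""
    return [(s, e) for s, e, _ in ranges if e >= DEV_MEM_LIMIT]


if __name__ == "__main__":
    img = build_lime_image([(0x10000000, b"A" * 16), (0x40000000, b"B" * 8)])
    for s, e, payload in parse_lime_image(img):
        print(f"{s:#010x}-{e:#010x} {len(payload)} bytes")
    print("beyond /dev/mem:", above_dev_mem_limit(parse_lime_image(img)))
```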

Manufacturers take note: By locking down features that developers want, you promote the development of better tools.

Source: LiME Forensics & Interview with Author Joe Sylve

[Image Credit: LiME Presentation by Joe Sylve]