From RAM to Evidence (Part 2): Capturing Volatile Memory on Linux

"Windows memory acquisition is straightforward if you have FTK Imager or DumpIt. But in Linux, the landscape looks different—more tools, more flexibility, and sometimes, more complexity."

Welcome back to the Memory Forensics series. In Part 1, we walked through memory acquisition on Windows—how to prepare, what tools to use, and how to ensure integrity.

Now, we’re turning to Linux. While the core principles are the same—capture volatile memory quickly, preserve integrity, and ensure compatibility—the methods can be trickier. Linux offers multiple built-in and purpose-built forensic tools.

The challenge is knowing which tool to use, when, and how to avoid pitfalls like kernel mismatches or unstable modules.

Before diving into tools, remember that planning matters just as much as execution:

• Does the tool support your kernel version?

• Do you have the right privileges (root/sudo)?

• Could the acquisition method risk system instability?

• Will the output format be compatible with your analysis framework (e.g., Volatility/Volatility3)?

Skipping these questions can lead to incomplete or even unusable evidence.

In this part, we’ll cover:

• Full memory capture with LiME and AVML

• Process memory dumps with gcore

• Built-in alternatives like /proc/kcore and /dev/mem

• Best practices to ensure clean, defensible evidence

Prerequisites

Before we begin, make sure you have:

• Ubuntu VM (or Native Linux) → This guide uses Ubuntu VM, but the steps work on most distributions.

• Root/Sudo Access → Memory acquisition requires low-level system access.

• Forensic Tools Installed / Ready to Download →

  • LiME (Linux Memory Extractor)

  • AVML (Acquire Volatile Memory for Linux)

  • gcore (built-in process dump tool)

  • Optional: access to /proc/kcore or /dev/mem for experimentation

Note: If using WSL, you won’t get full RAM access—it’s mainly for practicing commands, not real memory capture.

Full Memory Capture with LiME

LiME (Linux Memory Extractor) is the most widely used tool for full memory capture on Linux. It’s a kernel module that dumps RAM into a forensic-friendly format, supported by frameworks like Volatility.

Download link: LiME Github Repository

Step 1: Install Dependencies

Before compiling LiME, ensure that the necessary build tools and kernel headers are installed. These packages ensure the module compiles correctly for your system.

sudo apt install build-essential linux-headers-headers-$(uname -r)

• build-essential provides the compilers and libraries needed to compile kernel modules.

• linux-headers-$(uname -r) ensures the module compiles against your current running kernel version.

Step 2: Clone and Build LiME

LiME isn’t a precompiled binary—build it from source so that the kernel object (lime.ko) matches your exact Linux kernel version. A mismatch here will break the module.

git clone https://github.com/504ensicsLabs/LiME.git

Step 3: Build and Prepare the LiME Kernel Module

After cloning the LiME repository, the next step is to compile the kernel module. This creates a file lime.ko

Navigate into the src/ directory and run: make

uname -r

Step 4: Load the Module and Capture Memory

Now that the LiME kernel module is compiled, the next step is to insert it into the kernel using the insmod command. While doing so, you must specify two important parameters:

• Path → Defines where the captured memory image will be saved.

• Format → Specifies the output format. For forensic workflows, use raw or lime to ensure compatibility with tools like Volatility.

  
  

Example command:

insmod lime-6.14.0-15-generic.ko "path=/home/ubuntu/ubuntu-26sept2025.mem format=raw"

After execution, list the directory to confirm that the dump file was successfully created.

Step 5: Verify Integrity with Hashing

After acquisition, generate a hash (MD5 or SHA256) of the dump. This step ensures integrity and establishes a verifiable chain of custody.

Command:

md5sum /home/ubuntu/Desktop/ubuntu-26sept2025.mem
sha256sum /home/ubuntu/Desktop/ubuntu-26sept2025.mem

Step 6: Unload the Module

Remove the module with rmmod once the capture is complete. Leaving it loaded can interfere with future captures or system stability.

Command:

sudo rmmod lime

Why LiME?

• Produces clean, forensics-ready memory dumps

• Widely used and accepted in investigations

• Compatible with tools like Volatility

• Requires kernel headers and loads a kernel module (must be documented)

Full Memory Capture with AVML

AVML (Acquire Volatile Memory for Linux) is a modern tool developed by Microsoft. Unlike LiME, it doesn’t require compiling kernel modules or installing headers. This makes it lightweight, portable, and quick to deploy. AVML produces dumps in .lime format, ensuring compatibility with frameworks like Volatility.

Download Link: AVML GitHub

Step 1: Download and Prepare AVML

Obtain the AVML binary from Microsoft’s official GitHub repository. Once downloaded, make it executable so it can run directly from the terminal.

Command:

wget https://github.com/microsoft/avml/releases/download/v0.14.0/avml -O avml
chmod +x avml

Step 2: Run AVML to Capture Memory

Execute AVML and specify the output file for the memory dump. By default, AVML saves in .lime format.

Step 3: Verify the Dump with Hashing

After the dump is complete, generate a SHA256 hash to confirm integrity. This step is critical for the chain of custody and ensures the captured data hasn’t been modified.

Note: Although AVML allows you to choose any filename/extension (e.g., .mem), the actual dump is always generated in the LiME format. Using .lime is recommended for consistency.

Why AVML?

• No need for kernel headers or compilation

• Lightweight and portable (single binary)

• Produces forensic-friendly .lime dumps

• Perfect for quick acquisition scenarios

Downside: AVML doesn’t provide the same flexibility as LiME (e.g., fewer options for customizing output).

Process Memory Dump with gcore

When we don’t need the entire RAM, capturing just a single suspicious process can save time and reduce noise. For example, while investigating a compromised shell or malware binary, it’s more efficient to grab only that process’s memory.

Linux provides gcore, a utility included with the GNU Debugger (gdb), to create process-specific memory dumps.

Step 1: Identify the Process ID (PID)

Start by listing active processes to locate the PID of your target process (e.g., bash).

Command:

ps aux |grep bash

Step 2: Run gcore on the Target Process

With the PID identified, run gcore to capture the process memory.

Command:

sudo gcore -o /tmp/Bash-dump <PID>

• -o → sets the output file name/prefix

• 25484 → the PID of the target process

  
  

This will generate a core dump file in ELF format, named after the process and its PID.

Step 3: Verify the Dump

Check that the dump file has been created:

Command:

ls -lh /tmp/Bash-dump.25484

Note: For forensic cases, you may prefer external storage (USB, mounted disk) to avoid overwriting or losing dumps if /tmp is cleared on reboot.

"gcore is excellent when you know what process to target, but not a substitute for full memory acquisition in broader investigations."

Built-in Alternatives for Memory Acquisition

In addition to tools like LiME, AVML, and gcore, Linux also offers some native mechanisms for accessing memory. While these aren’t always clean or reliable for forensic purposes, they can serve as fallback methods or for lab testing.

/proc/kcore (Kernel Pseudo-File)

Exposes the system’s virtual memory as a pseudo-file. It looks like an ELF file and can be opened for analysis.

Command:

Sudo dd if=/proc/kcore of=/root/memdump.kcore bs=1M status=progress

Note: Not a clean physical dump, can be massive, parsing/analysis is harder.

/dev/mem (Raw Physical Memory Device)

A legacy method to access system RAM directly.

Command:

sudo dd if=/dev/mem of=/root/memdump.raw bs=1M status=progress

Note: On modern kernels, it’s usually restricted or disabled for security; unreliable for forensic use.

Bottom line: These built-ins are not recommended for serious investigations, but they may be useful in:

• Lab testing

• Quick experiments

• Emergency fallback when no other tools are available

Quick comparison:

Practical Notes (Linux)

Just like Windows, real-world memory acquisition on Linux comes with challenges. Keep these points in mind:

• System Compatibility → Not all tools work with every kernel. Always test in a safe lab first.

• Contamination Risk → Tools like LiME insert a kernel module. Document this clearly.

• Storage Concerns → Dumps can be tens of GBs; save directly to external media.

• Time Sensitivity → Memory fades fast; malware/ransomware often cleans itself. Capture quickly.

• Chain of Custody → Always generate SHA256 hashes and log who, what, when, and how.

  
  

"Memory acquisition on Linux is not just about running commands. It’s about choosing the right tool, minimizing system impact, and preserving integrity."

“HAPPY LEARNING! And I’ll see you in Part 3.”