LiMEaide is a python application designed to remotely dump RAM of a Linux client and create a volatility profile for later analysis on your local host. I hope that this will simplify Linux digital forensics in a remote environment. In order to use LiMEaide all you need to do is feed a remote Linux client IP address, sit back, and consume your favorite caffeinated beverage.
python3 limeaide.py <IP>
and magic happens.
For more detailed usage checkout the wiki For editing the configuration file see here
limeaide.py [OPTIONS] REMOTE_IP
Shows the help dialog
-u, --user : <user>
Execute memory grab as sudo user. This is useful when root privileges are not granted.
-p, --profile : <distro> <kernel version> <arch>
Skip the profiler by providing the distribution, kernel version, and architecture of the remote client.
Do NOT run profiler and force the creation of a new module/profile for the client.
Do not compress memory file. By default memory is compressed on host. If you experience issues, toggle this flag. In my tests I see a ~60% reduction in file size
Execute a job to create a RAM dump on target system that you will retrieve later. The stored job
is located in the scheduled_jobs/ dir that ends in .dat
-P, --pickup <path to job file .dat>
Pick up a job you previously ran with the --delayed-pickup switch.
The file that follows this switch is located in the scheduled_jobs/ directory
and ends in .dat
-o, --output : <name>
Change name of output file. Default is dump.bin
-c, --case : <case num>
Append case number to front of output directory.
If previous attempt failed then clean up client
In order to use LiME you must download and move the source into the LiMEaide/tools directory. Make sure the the LiME folder is named LiME. The full path should be as follows: NOTE: If you would like to build Volatility profiles, you must use my forked version of LiME. This provides debugging symbols used by dwarfdump.
In order to build a volatility profile we need to be able to read the debugging symbols in the LKM. For this we need to install dwarfdump. If you encounter any issues finding/installing dwarfdump see the volatility page here
DEB package manager
sudo apt-get install dwarfdump
RPM package manager
sudo yum install libdwarf-tools
Special Thanks and Notes
The idea for this application was built upon the concept dreamed up by and the Linux Memory Grabber project
And of course none of this could be possible without the amazing LiME project
Limits at this time
Support on for bash. Use other shells at your own risk
Modules must be built on remote client. Therefore remote client must have proper headers installed.