LiMEaide is a python application designed to remotely dump RAM of a Linux client and create a volatility profile for later analysis on your local host. I hope that this will simplify Linux digital forensics in a remote environment. In order to use LiMEaide all you need to do is feed a remote Linux client IP address, sit back, and consume your favorite caffeinated beverage.
and magic happens.
python3 limeaide.py <IP>
For more detailed usage checkout the wiki For editing the configuration file see here
limeaide.py [OPTIONS] REMOTE_IP -h, --help Shows the help dialog -u, --user : <user> Execute memory grab as sudo user. This is useful when root privileges are not granted. -p, --profile : <distro> <kernel version> <arch> Skip the profiler by providing the distribution, kernel version, and architecture of the remote client. -N, --no-profiler Do NOT run profiler and force the creation of a new module/profile for the client. -C, --dont-compress Do not compress memory file. By default memory is compressed on host. If you experience issues, toggle this flag. In my tests I see a ~60% reduction in file size --delay-pickup Execute a job to create a RAM dump on target system that you will retrieve later. The stored job is located in the scheduled_jobs/ dir that ends in .dat -P, --pickup <path to job file .dat> Pick up a job you previously ran with the --delayed-pickup switch. The file that follows this switch is located in the scheduled_jobs/ directory and ends in .dat -o, --output : <name> Change name of output file. Default is dump.bin -c, --case : <case num> Append case number to front of output directory. --force-clean If previous attempt failed then clean up client
sudo apt-get install python3-paramiko python3-termcolor
sudo yum install python3-paramiko python3-termcolor
sudo pip3 install paramiko termcolor
In order to use LiME you must download and move the source into the LiMEaide/tools directory. Make sure the the LiME folder is named LiME. The full path should be as follows: NOTE: If you would like to build Volatility profiles, you must use my forked version of LiME. This provides debugging symbols used by dwarfdump.
- Download LiME v126.96.36.199
- Extract into
- Rename folder to
In order to build a volatility profile we need to be able to read the debugging symbols in the LKM. For this we need to install dwarfdump. If you encounter any issues finding/installing dwarfdump see the volatility page here
- DEB package manager
sudo apt-get install dwarfdump
- RPM package manager
sudo yum install libdwarf-tools
Special Thanks and Notes
- The idea for this application was built upon the concept dreamed up by and the Linux Memory Grabber project
- And of course none of this could be possible without the amazing LiME project
Limits at this time
- Support on for bash. Use other shells at your own risk
- Modules must be built on remote client. Therefore remote client must have proper headers installed.
Дата: 2017-09-12 21:00:26