# Memory Acquisition with LIME

### Memory Acquisition

Also known as a memory dump, this is the process of dumping RAM from specific systems to disk for the purpose of analysis.

***

### LIME

* It is a Loadable Kernel Module (LKM) used to acquire volatile memory from **Linux** and Linux-based devices such as **Android**
* It supports exporting the memory dump either to the file system of the device or over the network
* Since it is an LKM, it must be compiled on a system that has the same kernel version as the infected system whose memory you want to dump; it can then be transferred to the infected machine

***

### Prerequisites to install

1. gcc
2. cmake
3. build-essential

***

### Steps to install

Go to the `src` directory and run `make`

***

### Steps to Run

`insmod ./lime-<kernel-version>.ko "path=/root/dump.mem format=raw"`

* `path` is where to store the dump
* `format=raw` means the dump will be compatible with other forensic tools, e.g. for memory forensics with Volatility
* **The size of the dump will be the same as RAM, i.e. 8GB RAM = 8GB dump**
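
The two constraints above (the module must be built for the target's kernel version, and the dump is as large as RAM) can be checked before running `insmod`. The script below is an added example, not part of LiME or the original notes; the function names and the script name `preflight.sh` are hypothetical, and it assumes `modinfo`, `df` and `/proc/meminfo` are available on the target.

```shell
#!/bin/sh
# Pre-flight checks before loading a LiME module (added example).
# Function names are hypothetical; they are not part of LiME.

# vermagic_matches "<vermagic string>" "<kernel release>"
# The first field of a module's vermagic is the kernel release it was built for.
vermagic_matches() {
    built_for=${1%% *}
    [ "$built_for" = "$2" ]
}

# mem_total_kb: read MemTotal (in kB) from meminfo-format text on stdin.
mem_total_kb() {
    awk '$1 == "MemTotal:" { print $2; exit }'
}

# enough_space <free_kb> <ram_kb>: a raw dump is about as large as RAM.
enough_space() {
    [ "$1" -ge "$2" ]
}

# preflight <module.ko> <dump directory>: run all checks on the live system.
preflight() {
    mod=$1
    dest=$2
    vm=$(modinfo -F vermagic "$mod") || return 2
    if ! vermagic_matches "$vm" "$(uname -r)"; then
        echo "module built for ${vm%% *}, running kernel is $(uname -r)" >&2
        return 1
    fi
    ram_kb=$(mem_total_kb < /proc/meminfo)
    free_kb=$(df -Pk "$dest" | awk 'NR == 2 { print $4 }')
    if ! enough_space "$free_kb" "$ram_kb"; then
        echo "need ${ram_kb} kB at $dest, only ${free_kb} kB free" >&2
        return 1
    fi
    echo "ok: $mod matches $(uname -r); ${free_kb} kB free for ${ram_kb} kB of RAM"
}

# Run only when called with two arguments, e.g.:
#   sh preflight.sh ./lime-<kernel-version>.ko /root
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

A non-zero exit status means the module would be rejected by the running kernel or the destination cannot hold the dump, so `insmod` should not be attempted yet.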

***

