Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Week 7 - Part 1 : Live RAM Acquisition

Lab Objective

This lab introduces the process of capturing volatile memory on both Windows and Linux systems. By the end of the exercise, you should be able to:

  • Acquire a RAM image on Windows using FTK Imager.
  • Acquire a RAM image on Linux using the fmem kernel module and dd.

Task 1 - Acquire RAM from a Windows Machine

Several tools can capture memory on Windows. In this lab you will use FTK Imager, a commonly used forensic utility.

Using FTK Imager

  1. Launch FTK Imager on the Windows machine.
  2. Select File - Capture Memory.
  3. In the Memory Capture window, choose a destination folder for the output file.
  4. Optional: Tick Include pagefile if you want to capture the paging file.
  5. Click Capture Memory to begin.
  6. When the acquisition completes, a confirmation message will appear. The RAM image will be saved in the directory you selected.

Task 2 - Acquire RAM from a Linux Machine (Local)

Modern Linux kernels restrict direct access to physical memory. Tools such as fmem or LiME provide controlled access for forensic acquisition. In this part, you will load the fmem (https://github.com/NateBrune/fmem) kernel module and capture RAM using dd.

Using the fmem Tool

  1. Start Linux - Ububtu virtual machine.

    • Use any Ububtu machine that you have. You can either:
    • Find it in your CyberLab folder, or
    • Download one from here.

  2. Afte deployment, use this usename(ubuntu) and password(ubuntu) to login to the VM:

  3. Open a terminal.

  4. Switch to the root user:

    sudo su

  5. Install Git if needed:

    apt install -y git

  6. Clone the fmem repository:

    git clone https://github.com/NateBrune/fmem.git

  7. Move into the cloned folder:

    cd fmem

  8. Install required build tools:

    apt install -y build-essential

  9. Compile the kernel module:

    make

  10. Load and install the module:

    bash run.sh

    If successful, /dev/fmem will be created.

  11. Acquire the RAM image using dd: bash dd if=/dev/fmem of=/home/<username>/ubuntu_ram.dd bs=1M Replace <username> with your actual Linux username.

  12. The RAM image (ubuntu_ram.dd) will be saved in your home directory.

Optional Task 3 (Challenge) – Remote RAM Acquisition (Linux)

You are responding to a live incident.

You have:

  • A Target Linux VM (suspected compromised)
  • A Forensic Workstation VM
  • Network connectivity between them

Objective

Remotely acquire a full RAM image from the target Linux machine and transfer it to your forensic workstation using command-line tools only.

Constraints

  • No GUI tools
  • No shared folders
  • No powering off the system
  • Preserve evidential integrity

Hints

  • Consider the use of nc (netcat)
  • One system must listen
  • One system must send
  • Research Linux memory acquisition tools (e.g. LiME)
  • Think about /dev/mem, /proc/kcore, or kernel modules
  • How will you verify integrity after transfer?

Deliverables

  1. Memory image stored on the forensic workstation
  2. SHA256 hash of the acquired image

Copyright © 2026 • Created by Ali Jaddoa

Page last updated: Monday 02 March 2026 @ 15:06:28 | Commit: ded627f