LiME (formerly DMD) is a Loadable Kernel Module (LKM) which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes interaction between user-space and kernel-space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
GNU General Public License v2.0. 1.7k stars, 338 forks.
2 requests: make the module name a random string and default arguments #66
1) I think that the name of the module should be created on a random basis.
2) There should be some default arguments so that I can "insmod" the module without any arguments.
For example:
# insmod ./r4nd0m.ko
with the default arguments "path=./random_string format=lime", and the output should be a random-string name for the dump file.
Some kernel rootkit could detect the module insertion based on its name and take anti-forensics actions, like for example cleaning memory and unloading the rootkit.
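As an added example that is not part of LiME or of this issue, a POSIX shell wrapper that does what the request describes: stage the already-built module under a random file name and load it with randomized default arguments. It assumes the module was built with LiME's own Makefile and that the dump directory is writable; the function names and the DRY_RUN switch are the example's own.

```shell
# Added example, not LiME's code. Stage a built LiME module under a random
# file name and load it with randomized default arguments.
# Caveat: renaming the .ko only changes the path given to insmod; the name
# that lsmod shows is fixed when the module is compiled, so a rootkit that
# watches module names needs the name changed at build time, not here.

# Print N random hex characters read from /dev/urandom (default 12).
lime_random_token() {
    n="${1:-12}"
    od -An -N "$n" -tx1 /dev/urandom | tr -d ' \n' | cut -c1-"$n"
}

# Compose the default module arguments requested in the issue:
# a random dump file name inside DUMP_DIR plus format=lime.
lime_default_args() {
    dump_dir="${1:-/tmp}"
    printf 'path=%s/%s format=lime' "$dump_dir" "$(lime_random_token 12)"
}

# Copy the built module (e.g. lime-<kver>.ko) to a random file name in
# DST_DIR and print the new path.
lime_stage_module() {
    src="$1"; dst_dir="${2:-/tmp}"
    dst="$dst_dir/$(lime_random_token 8).ko"
    cp "$src" "$dst" && printf '%s' "$dst"
}

# Load the staged copy with the default arguments. With DRY_RUN=1 (the
# default in this example) the insmod command line is printed, not run.
lime_load() {
    module="$1"; dump_dir="${2:-/tmp}"
    args="$(lime_default_args "$dump_dir")"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'insmod %s %s\n' "$module" "$args"
    else
        # shellcheck disable=SC2086  # $args is intentionally word-split
        insmod "$module" $args
    fi
}
```

Run with DRY_RUN=0 as root to actually insert the module; the dump lands at the random path printed in the arguments.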