MEMORY ANALYSIS
- Open a new shell, type "sudo su" and enter your password. :)
- 1. Navigate back to the LiME download so we can perform a memory capture: "cd ./LiME/src"
- 2. Image memory with: insmod ./lime-4.4.0-31-generic.ko "path=../../ram.lime format=lime"
- 3. After completion, switch to the directory containing our "ram.lime" by typing "cd ../../"
- 4. Execute the Volatility framework with the profile you created during the zip process: "vol.py -f ./ram.lime --profile=LinuxLinux_Ubuntu_16_04_01_LTS_4_4_0_31_genericx64 linux_pslist". This shows you all processes that were running at the time of the memory capture.
- 5. Execute "vol.py -f ./ram.lime --profile=LinuxLinux_Ubuntu_16_04_01_LTS_4_4_0_31_genericx64 linux_pstree" to show the process tree... do you see your root shell?
- 6. Execute "vol.py -f ./ram.lime --profile=LinuxLinux_Ubuntu_16_04_01_LTS_4_4_0_31_genericx64 linux_bash". See anything familiar? Look at the times.
- 7. Execute "vol.py -f ./ram.lime --profile=LinuxLinux_Ubuntu_16_04_01_LTS_4_4_0_31_genericx64 -h" to see what other modules can be called. :)
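The steps above as one script, added here as an example and not part of the original lab text or of the LiME or Volatility projects. It derives the Volatility 2 profile name from the profile zip (Volatility names Linux profiles "Linux" + zip basename + architecture, which is why a zip called Linux_Ubuntu_..._generic.zip yields the "LinuxLinux_..." profile used above), checks that the capture really starts with a LiME segment header (magic 0x4C694D45, little-endian bytes "EMiL", version 1) before any plugin is run, and records a SHA-256 of the image so the evidence can be tied to the analysis output. The zip name, the module path and the ../../ram.lime location are assumptions taken from the steps above; vol.py is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the original page): verify a LiME capture and run the
# lab's Volatility plugins against it.
# Assumptions: profile zip is Linux_Ubuntu_16_04_01_LTS_4_4_0_31_generic.zip,
# the capture is written to ../../ram.lime relative to LiME/src, vol.py on PATH.

# Volatility 2 builds a Linux profile name as "Linux" + <zip basename> + <arch>.
lime_profile_name() {
    zip_name=$(basename "$1" .zip)
    arch=${2:-x64}
    printf 'Linux%s%s\n' "$zip_name" "$arch"
}

# Load the LiME module and write the image; must run as root (hence sudo su above).
capture_memory() {
    module=$1     # e.g. ./lime-4.4.0-31-generic.ko
    out=$2        # e.g. ../../ram.lime
    insmod "$module" "path=$out format=lime"
}

# Every LiME segment begins with a 32-byte header: magic 0x4C694D45 (bytes "EMiL"
# on disk, little-endian), version (1), start/end physical address, 8 reserved.
# Returns 0 when the file starts with a version-1 LiME header, 1 otherwise.
check_lime_header() {
    img=$1
    magic=$(head -c 4 "$img" 2>/dev/null | od -An -c | tr -d ' \n')
    # Assemble the little-endian version field byte by byte (host-order independent).
    set -- $(head -c 8 "$img" 2>/dev/null | tail -c 4 | od -An -tu1)
    [ $# -eq 4 ] || return 1
    version=$(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
    [ "$magic" = "EMiL" ] && [ "$version" -eq 1 ]
}

# SHA-256 of the image, printed as a bare hex digest (for the evidence record).
capture_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Steps 4 to 6 of the lab: process list, process tree, bash history.
analyze_capture() {
    image=$1
    profile=$2
    check_lime_header "$image" || { echo "$image is not a LiME image" >&2; return 1; }
    echo "sha256($image) = $(capture_hash "$image")"
    for plugin in linux_pslist linux_pstree linux_bash; do
        echo "== $plugin =="
        vol.py -f "$image" --profile="$profile" "$plugin"
    done
}

# Usage: sh lime_analyze.sh ../../ram.lime Linux_Ubuntu_16_04_01_LTS_4_4_0_31_generic.zip
if [ $# -eq 2 ]; then
    analyze_capture "$1" "$(lime_profile_name "$2")"
fi
```

The header check is there because a truncated or padded capture (LiME stopped early, or a raw dump saved under the .lime name) makes Volatility report that the profile is wrong, which sends people hunting for a non-existent profile problem; checking the first eight bytes first rules that out. The hash is printed before any plugin runs so the digest on record is of the image as analysed.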