LiME (Linux Memory Extractor)
Definition
A loadable kernel module that acquires physical memory from Linux, macOS, and Android systems. It maps the physical address space and either writes the image to a file or streams it over a TCP connection to a remote collection host. Requires root privileges and a module compiled for the target kernel version.
Related terms
- Order of volatility
  - The sequence in which digital evidence should be collected, ranked from most to least transient. Defined in RFC 3227. CPU registers and...
- Physical memory image
  - A byte-for-byte copy of all installed RAM on a running system, acquired at the hardware or kernel level. Contains all data structures,...
- Process injection
  - A technique used by malware and attackers to execute code inside the address space of a legitimate running process. Common methods include...
- Reflective DLL loading
  - A technique that loads a Windows DLL directly from memory without registering it with the OS loader. The DLL resolves its own...
- Volatility Framework
  - An open-source memory forensics framework written in Python. It parses raw memory images using OS-specific symbol information to reconstruct kernel data structures...
Explained in
- Memory Acquisition and Analysis in Incident Response