Acquiring RAM and disk images is one of the most important stages in any digital forensic investigation. Proper acquisition ensures that evidence is preserved exactly as it existed at the time of the incident, without modification or corruption. This allows investigators to analyze volatile data, recover deleted files, examine system state, and reconstruct attacker activity with full evidentiary integrity.
This chapter covers the fundamentals of acquiring RAM (volatile memory) and disk images (non-volatile storage) on Linux systems, tools used, acquisition procedures, and forensic best practices.
Why Acquisition Matters
Before analyzing a compromised system, investigators must capture:
1. RAM (Volatile Memory)
RAM contains:
- Running processes
- Active network connections
- Encryption keys (LUKS, SSH, OpenVPN, ransomware keys)
- In-memory malware (fileless attacks)
- Shell commands
- Cleartext credentials
- Kernel structures
- Loaded modules
Once a system is shut down or rebooted → RAM is lost forever.
2. Disk Image (Non-volatile Storage)
The disk contains:
- File systems
- Deleted files
- Logs
- Hidden partitions
- Malware files
- Browser and application data
- Timestamps and metadata
Disk imaging preserves every sector bit-for-bit.
RAM Acquisition in Linux
Live memory acquisition must be performed BEFORE shutting down the system.
Tools for RAM Acquisition
1. LiME (Linux Memory Extractor)
Most widely used tool for Linux memory capture.
Features:
- Captures full physical memory
- Supports multiple output formats
- Loads as a kernel module
- Minimal footprint
LiME creates a raw memory dump or LiME format dump.
2. AVML (Azure Virtual Machine Live Memory Dump)
Good for cloud/VM environments.
3. fmem Kernel Module
Alternative to LiME but less commonly used now.
4. dd (if mem device available)
Old method, rarely works on modern kernels:
dd if=/dev/mem of=/mnt/evidence/memdump.raw
Most Linux systems block /dev/mem access for security reasons.
Acquiring RAM Using LiME
LiME can output to:
- Raw (.raw)
- LiME format (.lime)
Step 1: Load LiME kernel module
insmod lime.ko "path=/mnt/evidence/memdump.lime format=lime"
Step 2: Verify module loaded
lsmod | grep lime
Step 3: Securely store and hash the dump
sha256sum memdump.lime > memdump.lime.sha256
This ensures file integrity for legal admissibility.
RAM Acquisition Best Practices
- Always collect memory before touching the disk.
- Save dumps to external storage (USB, mounted NFS, etc.).
- Use write-blockers for destination media if possible.
- Hash memory dumps immediately after acquisition.
- Document exact time, tool version, and method.
- Avoid running unnecessary commands to prevent memory alteration.
Disk Imaging in Linux
Disk imaging is the second primary acquisition step.
A disk image must be bit-for-bit, including:
- Boot sector
- File system metadata
- Unallocated space
- Deleted data
- Hidden partitions
- Slack space
- LVM snapshots
Tools such as dd, dcfldd, and Guymager are commonly used.
Tools for Disk Imaging
1. dd
The standard Unix tool for bit-stream copying.
Example:
dd if=/dev/sda of=/mnt/evidence/disk.img bs=4M conv=noerror,sync
- noerror → do not stop on a read error; continue with the next block
- sync → pad each short or unreadable block with zeros so that offsets in the image stay aligned with the source
2. dcfldd
Enhanced dd designed for forensics.
Features:
- Built-in hashing
- Logs
- Progress display
Example:
dcfldd if=/dev/sda hash=sha256 hashlog=hash.txt of=disk.img
3. Guymager (GUI tool)
Fast, user-friendly imaging software.
Supports:
- E01 format
- RAW format
- Compression
- Hashing
4. FTK Imager (Linux CLI version)
Used for both RAM and disk imaging.
Preparing for Disk Imaging
1. Use a hardware write-blocker
Essential for preventing accidental modification of evidence.
2. Validate target disk/device
Identify disk:
lsblk
fdisk -l
3. Ensure enough storage for output
Disk images are often large.
4. Create a mount point for evidence
Example:
mkdir /mnt/evidence
mount /dev/sdb1 /mnt/evidence
Disk Imaging Procedure Using dd
dd if=/dev/sda of=/mnt/evidence/linux-disk.img bs=4M conv=noerror,sync status=progress
Verify the image:
sha256sum linux-disk.img > linux-disk.img.sha256
Capture partition table:
sfdisk -d /dev/sda > partition-table.txt
This helps in later reconstruction.
Imaging LVM Partitions
Many Linux systems use LVM.
Identify logical volumes:
lvdisplay
Image each LV:
dd if=/dev/mapper/ubuntu--vg-root of=root.img bs=4M conv=noerror,sync
Imaging Encrypted Disks (LUKS)
If the disk uses LUKS encryption:
Step 1: Check encryption
cryptsetup luksDump /dev/sda3
Step 2: If unlocked, image the decrypted mapper device:
dd if=/dev/mapper/luks-123abc of=decrypted.img
Otherwise → capture encrypted raw device and attempt key recovery separately.
Evidence Integrity: Hashing
Always hash your acquisitions using:
- SHA-256
- SHA-512
- MD5 (still used for quick integrity checks)
Example:
sha512sum memdump.lime > memdump.sha512
sha256sum disk.img > disk.sha256
Documentation Requirements
Every acquisition must include:
- Date & time
- Investigator name
- System details
- Tool name & version
- Hash values
- Imaging command used
- Storage location of images
Failure to document → evidence may be rejected in court.
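The dd imaging and verification procedure, the hashing step, and the documentation requirements above, combined into one added POSIX shell example (not the chapter's own script). It assumes GNU coreutils (dd, sha256sum, head) and an INVESTIGATOR environment variable; a regular file can stand in for the block device when trying it out.

```shell
#!/bin/sh
# Added example, not from the chapter: image a device with the chapter's dd
# options, hash source and image, and write the acquisition record.
# Assumed: GNU coreutils (dd, sha256sum, head); INVESTIGATOR is an env var.

# acquire_image SOURCE IMAGE LOGFILE  -> returns 0 only when the image verifies
acquire_image() {
    src=$1; img=$2; log=$3
    cmd="dd if=$src of=$img bs=4M conv=noerror,sync"
    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    # Size of the source: blockdev for a real device, wc for a regular file.
    size=$(blockdev --getsize64 "$src" 2>/dev/null || wc -c < "$src" | tr -d ' ')

    # dd's own summary (records in/out, read errors) is appended to the log.
    dd if="$src" of="$img" bs=4M conv=noerror,sync 2>>"$log" || return 2

    # Caveat: conv=sync pads the final partial block with zeros, so an image
    # of a source whose size is not a multiple of 4M is longer than the source.
    # Verify over the first $size bytes, but record the full-image hash too.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    img_data_hash=$(head -c "$size" "$img" | sha256sum | cut -d' ' -f1)

    # Detached hash file, as in the chapter's verification step.
    printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"

    tool=$(dd --version 2>/dev/null | head -n1)
    {
        echo "date_time_utc=$started"
        echo "investigator=${INVESTIGATOR:-unset}"
        echo "system=$(uname -n) $(uname -rm)"
        echo "tool=${tool:-dd (version unknown)}"
        echo "command=$cmd"
        echo "source_bytes=$size"
        echo "source_sha256=$src_hash"
        echo "image_sha256=$img_hash"
        echo "image_path=$img"
    } >> "$log"

    [ "$src_hash" = "$img_data_hash" ]
}
```

Because of the padding caveat, compare the recorded full-image hash against the image file itself when re-verifying later, and the source hash against the data portion; choosing a block size that divides the device size avoids the mismatch entirely.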
Common Mistakes to Avoid
- Shutting down the system before capturing RAM
- Acquiring to a local internal drive (risk of overwriting evidence)
- Forgetting to hash images
- Imaging the wrong device
- Not using a write-blocker
- Mounting suspect disks read-write
- Running unnecessary commands before acquisition
Summary
Acquiring RAM and disk images is the foundation of any forensic investigation.
RAM acquisition preserves volatile evidence such as processes, credentials, encryption keys, and in-memory malware. Disk imaging captures the full file system, deleted files, hidden partitions, and persistent artifacts. Using tools like LiME, dd, dcfldd, and Guymager, along with proper hashing, documentation, and handling procedures, ensures that the collected evidence is accurate, complete, and legally admissible.
Correct acquisition practices enable investigators to analyze a system with confidence and reconstruct the events leading to compromise.