{"id":13790830,"url":"https://github.com/kd8bny/LiMEaide","last_synced_at":"2025-05-12T09:33:24.714Z","repository":{"id":44329108,"uuid":"79495753","full_name":"kd8bny/LiMEaide","owner":"kd8bny","description":"A python application designed to remotely dump RAM of a Linux client and create a volatility profile for later analysis on your local host.","archived":false,"fork":false,"pushed_at":"2020-08-26T14:34:27.000Z","size":8076,"stargazers_count":161,"open_issues_count":2,"forks_count":45,"subscribers_count":14,"default_branch":"master","last_synced_at":"2024-11-18T05:38:29.788Z","etag":null,"topics":["digital-forensics","linux","memory-dump","volatility-profiles"],"latest_commit_sha":null,"homepage":"https://kd8bny.github.io/LiMEaide/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kd8bny.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-01-19T21:12:55.000Z","updated_at":"2024-09-21T10:59:51.000Z","dependencies_parsed_at":"2022-08-30T05:41:37.474Z","dependency_job_id":null,"html_url":"https://github.com/kd8bny/LiMEaide","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kd8bny%2FLiMEaide","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kd8bny%2FLiMEaide/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kd8bny%2FLiMEaide/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kd8bny%2FLiMEaide/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kd8bny","download_url
":"https://codeload.github.com/kd8bny/LiMEaide/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253709434,"owners_count":21951140,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["digital-forensics","linux","memory-dump","volatility-profiles"],"created_at":"2024-08-03T22:00:51.730Z","updated_at":"2025-05-12T09:33:23.679Z","avatar_url":"https://github.com/kd8bny.png","language":"Python","funding_links":[],"categories":["Tools"],"sub_categories":["Analysis / Gathering tool (Know your ennemies)"],"readme":"# LiMEaide\n## v2.0\n## by Daryl Bennett - kd8bny[at]gmail[dot]com\n\n## About\nLiMEaide is a Python application designed to remotely or locally dump the RAM of a Linux client and create a Volatility profile for later analysis on your local host. I hope that this will simplify Linux digital forensics in a remote environment. In order to use LiMEaide all you need to do is feed it a remote Linux client IP address, sit back, and consume your favorite caffeinated beverage.\n\nLiMEaide has 3 primary modes of operation:\n\n1. Remote - Initiates a connection with SSH and transfers data over SFTP\n2. Socket - Initiates a connection with SSH but transfers the memory image over a TCP socket. This means that the image is NOT written to disk on the client. Tools are still transferred over SFTP.\n3. Local - Have a copy of LiMEaide on a flash drive or other device. Does not transfer any data to the client, maintaining execution in its working directory. 
All transfers are completed with internal methods and no network sockets are opened.\n\n## Wiki\nFor more detailed usage check out the [wiki](https://github.com/kd8bny/LiMEaide/wiki)\n\n## How To\n### TL;DR\n#### Remote\n```\npython3 limeaide.py \u003cIP\u003e\n```\nand magic happens.\n#### Local\n```\npython3 limeaide.py local\n```\nand local magic happens.\n\nLocal transfer requires the machine to have Python 3 and the dependencies installed. I recommend using python3-virtualenv to provide the dependencies without installing them on the system.\n\n### Detailed usage\n```\nlimeaide.py [OPTIONS] REMOTE_IP\n-h, --help\n    Shows the help dialog\n\n-u, --user : \u003cuser\u003e\n    Execute the memory grab as a sudo user. This is useful when root privileges are not granted.\n\n-k, --key : \u003cpath to key\u003e \n    Use an SSH key to connect\n\n-s, --socket : \u003cport\u003e \n    Use a TCP socket instead of an SFTP session to transfer data. Does not write the memory image to disk, but will transfer other needed files.\n\n-o, --output : \u003cName desired for output\u003e \n    Name the output file\n\n-f, --format : \u003cFormat for LiME\u003e\n    Change the output format. Valid options are raw|lime|padded\n\n-d, --digest : \u003cdigest\u003e\n    Use a different digest algorithm. See the LiME docs for valid options.\n    Use 'None' to disable. \n\n-C, --compress\n    Compress the transfer over the wire. 
This will not work with socket or local transfers.\n\n-p, --profile : \u003cdistro\u003e \u003ckernel version\u003e \u003carch\u003e\n    Skip the profiler by providing the distribution, kernel version, and architecture of the remote client.\n\n-N, --no-profiler\n    Do NOT run the profiler and force the creation of a new module/profile for the client.\n\n-c, --case : \u003ccase num\u003e\n    Prepend the case number to the output directory name.\n\n-v, --verbose\n    Display verbose output\n\n--force-clean\n    If a previous attempt failed, clean up the client\n```\n\n- For more detailed usage check out the [wiki](https://github.com/kd8bny/LiMEaide/wiki)\n- For editing the configuration file see [here](https://github.com/kd8bny/LiMEaide/wiki/The-Config-File)\n- To import existing or externally built modules, copy the module `*.ko` into the profiles directory. After copying, run LiMEaide and the profiler will recognize the new profile.\n\n```\n./profiles/\n```\n\n## Set-up\n### Dependencies\n#### python\n- DEB base\n```\nsudo apt-get install python3-paramiko python3-termcolor\n```\n- RPM base\n```\nsudo yum install python3-paramiko python3-termcolor\n```\n- pip3\n```\nsudo pip3 install paramiko termcolor\n```\n\n#### Installing dwarfdump\nIn order to build a Volatility profile we need to be able to read the debugging symbols in the LKM. For this we need to install dwarfdump.\nIf you encounter any issues finding or installing dwarfdump, see the Volatility page [here](https://github.com/volatilityfoundation/volatility/wiki/Linux#creating-a-new-profile)\n- DEB package manager\n```\nsudo apt-get install dwarfdump\n```\n\n- RPM package manager\n```\nsudo yum install libdwarf-tools\n```\n\n#### LiME\n##### Auto-Install\nBy default LiMEaide will automatically download and place LiME in the correct directory. 
However, if you are disconnected from a network, proceed with the manual installation method in the section below.\n##### Manually install LiME\nIn order to use LiME you must download and move the source into the **LiMEaide/tools** directory. Make sure the LiME folder is named **LiME**. The full path should be as follows:\n```\nLiMEaide/tools/LiME/\n```\nHow to...\n\n 1. Download [LiME v1.8.1](https://github.com/504ensicsLabs/LiME/archive/v1.8.1.zip)\n 2. Extract into `LiMEaide/tools/`\n 3. Rename the folder to `LiME`\n\n## Limits at this time\n- Only supports bash. Use other shells at your own risk\n- Modules must be built on the remote client, so the remote client must have the proper kernel headers installed.\n  - Unless you follow [this](https://github.com/kd8bny/LiMEaide/wiki/Building-Out-of-Tree-Modules) guide for compiling external kernel modules. Once compiled, copy the module **.ko** to the LiMEaide profiles directory.\n\n## Special Thanks and Notes\n* The idea for this application was built upon the concept dreamed up by the [Linux Memory Grabber](https://github.com/halpomeranz/lmg) project\n* And of course none of this would be possible without the amazing [LiME](https://github.com/504ensicsLabs/LiME) project\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkd8bny%2FLiMEaide","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkd8bny%2FLiMEaide","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkd8bny%2FLiMEaide/lists"}