Create memory dump:

dd if=/dev/fmem of=/tmp/<MEMORY FILE NAME>.dd

Create memory dump using LiME:

Ref. https://github.com/504ensicslabs/lime

wget https://github.com/504ensicslabs/LiME/archive/master.zip

unzip master.zip

cd LiME-master/src

make

cp lime-*.ko /media/ExternalUSBDriveName/

insmod lime-3.13.0-79-generic.ko "path=/media/ExternalUSBDriveName/<MEMORY DUMP>.lime format=raw"

Make copy of suspicious process using process ID:

cp /proc/<SUSPICIOUS PROCESS ID>/exe /<NEW SAVED LOCATION>

Grab memory core dump of suspicious process:

gcore <PID>

Strings on gcore file:

strings gcore.*

Create a hard drive/partition copy with log and hash options:

dd if=<INPUT DEVICE> of=<IMAGE FILE NAME>
dc3dd if=/dev/<TARGET DRIVE EXAMPLE SDA OR SDA1> of=/<MOUNTED LOCATION>/<FILE NAME>.img hash=md5 log=/<MOUNTED LOCATION>/<LOG NAME>.log

Create a remote hard drive/partition copy over SSH:

dd if=/dev/<INPUT DEVICE> | ssh <USER NAME>@<DESTINATION IP ADDRESS> "dd of=<DESTINATION PATH>"

Send hard drive image zipped over netcat:

Sending host:

bzip2 -c /dev/<INPUT DEVICE> | nc <DESTINATION IP ADDRESS> <PICK A PORT>

Receiving host:

nc -p <PICK SAME PORT> -l | bzip2 -d | dd of=/dev/sdb
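
The dd-over-SSH and netcat pipelines above record no hash, so a corrupted or altered transfer goes unnoticed. As an added example (not from the original page; the function names and log layout are hypothetical, and GNU sha256sum is assumed), this hashes the source in the same read pass that writes the image and re-checks the image later:

```shell
#!/bin/sh
# Added example, not from the original page. Function names and the log
# layout are hypothetical; sha256sum from GNU coreutils is assumed.

# Print the SHA-256 hex digest of a file or block device.
hash_of() {
    sha256sum "$1" | awk '{print $1}'
}

# acquire SRC IMG LOG
# Reads SRC once. tee writes the stream to IMG while sha256sum hashes the
# same bytes, so the logged source hash covers exactly what was imaged.
# IMG is then re-read from disk and must match.
# Returns 0 on match, 1 on mismatch, 2 if SRC cannot be read.
acquire() {
    src=$1; img=$2; log=$3
    [ -r "$src" ] || return 2
    src_hash=$(dd if="$src" bs=1M 2>/dev/null | tee "$img" | sha256sum | awk '{print $1}')
    img_hash=$(hash_of "$img")
    {
        echo "date=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src"
        echo "image=$img"
        echo "source_sha256=$src_hash"
        echo "image_sha256=$img_hash"
    } > "$log"
    [ -n "$src_hash" ] && [ "$src_hash" = "$img_hash" ]
}

# verify IMG LOG
# Re-hashes IMG later (after transfer, before analysis) and compares it with
# the source hash recorded at acquisition time. Returns 0 if unchanged.
verify() {
    want=$(sed -n 's/^source_sha256=//p' "$2")
    [ -n "$want" ] && [ "$(hash_of "$1")" = "$want" ]
}
```

For the remote forms, copy the log alongside the image and run verify on the destination host against the received file.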

Send hard drive image over netcat:

Sending host: