Volatility
How to get Volatility2.6.1 working / workbench setup
PreviousIdentification, acquisition, and examination of iSCSI LUNs and VMFS datastoresNextVolatility3 core commands
Last updated
Was this helpful?
How to get Volatility2.6.1 working / workbench setup
Last updated
Was this helpful?
Was this helpful?
This is a short guide on how to setup Volatility 2.6.1 on a Debian-based Linux workstation.
Git is required to clone the GitHub repository where Volatility and its core files are held.
$ sudo apt install git-allClone Volatility from GitHub repository
$ git clone https://github.com/volatilityfoundation/volatility.gitYou may have to install python2.7 pip
$ wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
$ python 2.7 get-pip.pyTry and execute volatility to see if you have installed the required dependencies
$ python2.7 vol.py
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.timeliner (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.malware.servicediff (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.userassist (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getsids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shellbags (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.evtlogs (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.tcaudit (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shimcache (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.dumpregistry (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.lsadump (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.registry.amcache (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.malware.svcscan (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.auditpol (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.registry.registryapi (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.envars (ImportError: No module named Crypto.Hash)
You'll need to install pycrypto (addresses crypto.hash) and also distorm3
$ python2.7 -m pip install pycrypto distorm3==3.4.4If you receive errors such as this during compilation, you may need to install python2.7-dev and build-essential
compilation terminated.
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
error: invalid command 'egg_info'$ sudo apt install -y python2.7-dev build-essentialNB: Sometimes there are issues with distorm3, depending on the version previously installed, or how you've setup your workstation. To solve any potential issues, we install version 3.4.4.
pip uninstall distorm3
pip install distorm3==3.4.4Test Volatility with an image file (please test it with a known good memory sample with a known profile).
$ python vol.py -f /path/to/memdump.mem imageinfo
or
$ python vol.py -f /path/to/memdump.mem kdbgscanYou should see something similar to below (for imageinfo)
$ python vol.py -f memdump.mem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (memdump.mem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002c2a120L
Number of Processors : 2
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002c2c000L
KPCR for CPU 1 : 0xfffff88002f00000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-04-20 23:23:26 UTC+0000
Image local date and time : 2020-04-20 19:23:26 -0400Windows
Coming soon.