Volatility

How to get Volatility 2.6.1 working / workbench setup

This is a short guide on how to set up Volatility 2.6.1 on a Debian-based Linux workstation.

Git is required to clone the GitHub repository where Volatility and its core files are held.

$ sudo apt install git-all

Clone Volatility from the GitHub repository

$ git clone https://github.com/volatilityfoundation/volatility.git

You may have to install pip for Python 2.7 (it is no longer shipped with the python2.7 package)

$ wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
$ python2.7 get-pip.py

Try to run Volatility from the cloned directory to see whether the required dependencies are installed

$ python2.7 vol.py

Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.timeliner (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.malware.servicediff (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.userassist (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getsids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shellbags (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.evtlogs (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.tcaudit (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shimcache (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.dumpregistry (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.lsadump (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.registry.amcache (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.malware.svcscan (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.auditpol (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.registry.registryapi (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.envars (ImportError: No module named Crypto.Hash)

You'll need to install pycrypto (which provides the missing Crypto.Hash module) and distorm3

$ python2.7 -m pip install pycrypto distorm3==3.4.4

If you receive errors such as the following during compilation, you may need to install python2.7-dev and build-essential

    compilation terminated.
    error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

    error: invalid command 'egg_info'

$ sudo apt install -y python2.7-dev build-essential

NB: Sometimes there are issues with distorm3, depending on the version previously installed or how you've set up your workstation. To avoid these issues, we pin version 3.4.4.

$ python2.7 -m pip uninstall distorm3
$ python2.7 -m pip install distorm3==3.4.4
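The list of "Failed to import" lines above is the only signal vol.py gives you about which dependencies are missing, and on a long list it is easy to miss one. The following POSIX shell helper, added here as an example and not part of the guide or of Volatility itself, parses that startup output and maps each missing top-level module to the pip package that provides it (the Crypto.Hash -> pycrypto and distorm3 -> distorm3==3.4.4 mappings come from the guide; any other module name is passed through unchanged as an assumption). The sample output is constructed inline from the lines shown above.

```shell
#!/bin/sh
# Added example (not part of the guide): turn vol.py import failures into a pip install list.

# Constructed sample of `python2.7 vol.py 2>&1` startup output, modelled on the guide.
SAMPLE_VOL_OUTPUT=$(cat <<'EOF'
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.envars (ImportError: No module named Crypto.Hash)
EOF
)

# missing_modules OUTPUT: print each distinct missing top-level module, one per line.
# Handles both error shapes seen in the guide:
#   "ImportError: No module named Crypto.Hash"  -> Crypto   (top-level package only)
#   "NameError: name 'distorm3' is not defined" -> distorm3
missing_modules() {
  printf '%s\n' "$1" |
    sed -n -e 's/.*No module named \([A-Za-z0-9_]*\).*/\1/p' \
           -e "s/.*name '\([A-Za-z0-9_]*\)' is not defined.*/\1/p" |
    sort -u
}

# pip_package_for MODULE: map a module name to the Python 2.7 pip package that provides it.
# Only the two mappings the guide documents are known; anything else is assumed to share its name.
pip_package_for() {
  case "$1" in
    Crypto)   echo "pycrypto" ;;
    distorm3) echo "distorm3==3.4.4" ;;
    *)        echo "$1" ;;              # assumption: package name == module name
  esac
}

# required_packages OUTPUT: space-separated, de-duplicated list of packages to install.
required_packages() {
  for m in $(missing_modules "$1"); do
    pip_package_for "$m"
  done | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Usage against a real checkout (run from the cloned volatility directory):
#   python2.7 -m pip install $(required_packages "$(python2.7 vol.py 2>&1)")
echo "Packages to install: $(required_packages "$SAMPLE_VOL_OUTPUT")"
```

Re-run `python2.7 vol.py` afterwards; the banner should appear with no "Failed to import" lines, which is the check that every plugin (including the malware and registry ones) loaded.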

Test Volatility against a memory image (use a known-good memory sample whose profile you already know, so you can tell a bad result from a bad install).

$ python2.7 vol.py -f /path/to/memdump.mem imageinfo
or
$ python2.7 vol.py -f /path/to/memdump.mem kdbgscan

You should see something similar to the following (for imageinfo)

$ python vol.py -f memdump.mem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (memdump.mem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c2a120L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c2c000L
                KPCR for CPU 1 : 0xfffff88002f00000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2020-04-20 23:23:26 UTC+0000
     Image local date and time : 2020-04-20 19:23:26 -0400
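Because the guide recommends testing against a sample with a known profile, the useful check is whether that profile appears in the "Suggested Profile(s)" line, and the first suggestion is the one you would pass as --profile= to later plugins. The following POSIX shell helpers, added here as an example and not part of the guide or of Volatility, extract the suggested profiles and the KDBG offset from imageinfo output. The sample output is constructed inline, abbreviated from the listing above; the --profile= and pslist usage in the comment is standard Volatility 2 command-line syntax.

```shell
#!/bin/sh
# Added example (not part of the guide): parse `vol.py imageinfo` output so a scripted
# workbench check can confirm the expected profile and reuse it for later plugins.

# Constructed imageinfo output, abbreviated from the guide's sample.
SAMPLE_IMAGEINFO=$(cat <<'EOF'
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (memdump.mem)
                           DTB : 0x187000L
                          KDBG : 0xf80002c2a120L
          Number of Processors : 2
EOF
)

# suggested_profiles OUTPUT: print the suggested profiles, one per line, in Volatility's order
# (Volatility lists the best match first).
suggested_profiles() {
  printf '%s\n' "$1" |
    sed -n 's/.*Suggested Profile(s) : //p' |
    tr ',' '\n' |
    sed 's/^ *//; s/ *$//' |
    grep -v '^$'
}

# first_profile OUTPUT: the top-ranked suggestion, suitable for --profile=.
first_profile() {
  suggested_profiles "$1" | head -n 1
}

# profile_is_suggested OUTPUT PROFILE: exit 0 if PROFILE is among the suggestions.
# Use this with the known profile of your test sample to validate the install.
profile_is_suggested() {
  suggested_profiles "$1" | grep -qx "$2"
}

# kdbg_address OUTPUT: the KDBG offset without the trailing Python 2 long-integer "L".
kdbg_address() {
  printf '%s\n' "$1" | sed -n 's/.*KDBG : \(0x[0-9a-fA-F]*\)L\{0,1\}.*/\1/p'
}

# Usage against a real capture (paths as in the guide; run from the cloned volatility directory):
#   OUT=$(python2.7 vol.py -f /path/to/memdump.mem imageinfo 2>/dev/null)
#   profile_is_suggested "$OUT" Win7SP1x64 || echo "unexpected profile, check the install"
#   python2.7 vol.py -f /path/to/memdump.mem --profile="$(first_profile "$OUT")" pslist
echo "Best profile: $(first_profile "$SAMPLE_IMAGEINFO")  KDBG: $(kdbg_address "$SAMPLE_IMAGEINFO")"
```

If the expected profile is missing from the suggestions, treat it as an install or image problem rather than picking another suggestion; kdbgscan, as the guide notes, is the second opinion to run.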

Windows

Coming soon.
