How to get Volatility2.6.1 working / workbench setup
This is a short guide on how to setup Volatility 2.6.1 on a Debian-based Linux workstation.
Git is required to clone the GitHub repository where Volatility and its core files are held.
$ sudo apt install git-all
Clone Volatility from GitHub repository
$ git clone https://github.com/volatilityfoundation/volatility.git
Install Volatility dependencies
$ python vol.py
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
ERROR : volatility.debug : You must specify something to do (try -h)
NB: Sometimes there are issues with distorm3, depending on the version previously installed, or how you've setup your workstation. To solve any potential issues, we install version 3.4.4.
pip uninstall distorm3
pip install distorm3==3.4.4
Test Volatility with an image file (please test it with a known good memory sample with a known profile).
$ python vol.py -f /path/to/memdump.mem imageinfo
$ python vol.py -f /path/to/memdump.mem kdbgscan
You should see something similar to below (for imageinfo)
$ python vol.py -f memdump.mem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (memdump.mem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002c2a120L
Number of Processors : 2
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002c2c000L
KPCR for CPU 1 : 0xfffff88002f00000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-04-20 23:23:26 UTC+0000
Image local date and time : 2020-04-20 19:23:26 -0400
Coming soon.