# Volatility

**This is a short guide on how to set up Volatility 2.6.1 on a Debian-based Linux workstation.**

Git is required to clone the GitHub repository where Volatility and its core files are held.

```
$ sudo apt install git-all
```

Clone Volatility from the GitHub repository

```
$ git clone https://github.com/volatilityfoundation/volatility.git
```

You may also have to install pip for Python 2.7

```
$ wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
$ python2.7 get-pip.py
```

Try to execute Volatility to check whether the required dependencies are installed

```
$ python2.7 vol.py

Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.timeliner (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.malware.servicediff (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.userassist (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getsids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shellbags (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.evtlogs (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.tcaudit (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shimcache (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.dumpregistry (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.lsadump (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.registry.amcache (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.malware.svcscan (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.auditpol (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.registry.registryapi (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.envars (ImportError: No module named Crypto.Hash)
```

You'll need to install pycrypto (which provides the missing `Crypto.Hash` module) and distorm3

```
$ python2.7 -m pip install pycrypto distorm3==3.4.4
```

If you see errors like the following during compilation, you may need to install python2.7-dev and build-essential

```
compilation terminated.
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

error: invalid command 'egg_info'
```

```
$ sudo apt install -y python2.7-dev build-essential
```

NB: There are sometimes issues with distorm3, depending on the version previously installed or how you've set up your workstation. To avoid them, pin version 3.4.4 (using the Python 2.7 pip explicitly, since a bare `pip` may belong to Python 3 on a Debian system):

```
$ python2.7 -m pip uninstall distorm3
$ python2.7 -m pip install distorm3==3.4.4
```
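The dependency fix above can be automated. As an added example (not part of the original guide), this POSIX shell snippet parses the `*** Failed to import` lines that `vol.py` prints at startup and turns them into the single `pip` command to run; the sample log lines are copied from the output above, and the module-to-package mapping covers only the two modules this guide discusses, flagging anything else for manual lookup.

```shell
#!/bin/sh
# Sample import-failure lines, copied from the vol.py output shown above (constructed test input)
SAMPLE_LOG=$(cat <<'EOF'
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.envars (ImportError: No module named Crypto.Hash)
EOF
)

# Map a module name from an ImportError/NameError to the pip package that provides it.
# Only the two modules the guide covers are mapped; anything else is flagged for manual lookup.
pkg_for_module() {
  case "$1" in
    Crypto|Crypto.*) echo "pycrypto" ;;
    distorm3)        echo "distorm3==3.4.4" ;;
    *)               echo "UNMAPPED:$1" ;;
  esac
}

# Extract the unique Python module names that vol.py could not import.
missing_modules() {
  printf '%s\n' "$1" \
    | sed -n -e 's/.*No module named \([A-Za-z0-9_.]*\)).*/\1/p' \
             -e "s/.*name '\([A-Za-z0-9_]*\)' is not defined).*/\1/p" \
    | sort -u
}

# Build the single pip command that satisfies every missing module.
pip_install_line() {
  pkgs=$(missing_modules "$1" | while read -r mod; do pkg_for_module "$mod"; done | sort -u | tr '\n' ' ')
  if [ -z "$pkgs" ]; then
    echo "all Volatility plugin dependencies import cleanly"
    return 0
  fi
  printf 'python2.7 -m pip install %s\n' "${pkgs% }"
}

# Use the banner of a real checkout when python2.7 and vol.py are present, else the sample above.
if command -v python2.7 >/dev/null 2>&1 && [ -f vol.py ]; then
  LOG=$(python2.7 vol.py --info 2>&1)
else
  LOG=$SAMPLE_LOG
fi
pip_install_line "$LOG"
```

Run it from the cloned `volatility` directory after the first `vol.py` attempt; an `UNMAPPED:` entry in the output means a module the guide does not cover is missing.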

Test Volatility with an image file (test it with a [known good memory sample](https://github.com/stuxnet999/MemLabs) that has a known profile).

```
$ python2.7 vol.py -f /path/to/memdump.mem imageinfo
# or
$ python2.7 vol.py -f /path/to/memdump.mem kdbgscan
```

You should see output similar to the following (for imageinfo)

```
$ python vol.py -f memdump.mem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (memdump.mem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c2a120L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c2c000L
                KPCR for CPU 1 : 0xfffff88002f00000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2020-04-20 23:23:26 UTC+0000
     Image local date and time : 2020-04-20 19:23:26 -0400
```

**Windows**

Coming soon.

