# Volatility **This is a short guide on how to setup Volatility 2.6.1 on a Debian-based Linux workstation.** Git is required to clone the GitHub repository where Volatility and its core files are held. ``` $ sudo apt install git-all ``` Clone Volatility from GitHub repository ``` $ git clone https://github.com/volatilityfoundation/volatility.git ``` You may have to install python2.7 pip ``` $ wget https://bootstrap.pypa.io/pip/2.7/get-pip.py $ python 2.7 get-pip.py ``` Try and execute volatility to see if you have installed the required dependencies ``` $ python2.7 vol.py Volatility Foundation Volatility Framework 2.6.1 *** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.timeliner (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined) *** Failed to import volatility.plugins.malware.servicediff (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.userassist (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.getsids (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.shellbags (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.evtlogs (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.tcaudit (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.shimcache (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.dumpregistry (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.lsadump (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined) *** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3) *** Failed to import volatility.plugins.registry.amcache (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3) *** Failed to import volatility.plugins.malware.svcscan (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.auditpol (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined) *** Failed to import volatility.plugins.registry.registryapi (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3) *** Failed to import volatility.plugins.envars (ImportError: No module named Crypto.Hash) ``` You'll need to install pycrypto (addresses crypto.hash) and also distorm3 ``` $ python2.7 -m pip install pycrypto distorm3==3.4.4 ``` If you receive errors such as this during compilation, you may need to install python2.7-dev and build-essential ``` compilation terminated. error: command 'x86_64-linux-gnu-gcc' failed with exit status 1 error: invalid command 'egg_info' ``` ``` $ sudo apt install -y python2.7-dev build-essential ``` NB: Sometimes there are issues with distorm3, depending on the version previously installed, or how you've setup your workstation. To solve any potential issues, we install version 3.4.4. ``` pip uninstall distorm3 pip install distorm3==3.4.4 ``` Test Volatility with an image file (please test it with a [known good memory sample ](https://github.com/stuxnet999/MemLabs)with a known profile). ``` $ python vol.py -f /path/to/memdump.mem imageinfo or $ python vol.py -f /path/to/memdump.mem kdbgscan ``` You should see something similar to below (for imageinfo) ``` $ python vol.py -f memdump.mem imageinfo Volatility Foundation Volatility Framework 2.6.1 INFO : volatility.debug : Determining profile based on KDBG search... Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418 AS Layer1 : WindowsAMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (memdump.mem) PAE type : No PAE DTB : 0x187000L KDBG : 0xf80002c2a120L Number of Processors : 2 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0xfffff80002c2c000L KPCR for CPU 1 : 0xfffff88002f00000L KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2020-04-20 23:23:26 UTC+0000 Image local date and time : 2020-04-20 19:23:26 -0400 ``` **Windows** Coming soon.