In this post I will share with you my first experiences working with Volatility 2.4.
As first use I installed it on a OS X machine, and in this case I hadn't to install Python. Yes, you read corectly, Python, but I'll install it soon on other OS to complete this post and give a complete installation and useage guide for everyone.
Volatility is a framework implemented in Python and it is used to extract digital artifacts from volatile memory.
With the latest version it supports Windows 8, 8.1, 2012 R2 and Mac OS X Mavericks (up to 10.9.4) memory dumps.
For any further information, you can have a look at official volatility web site: volatilityfoundation.org.
Now, let's start with the installation.
Installation
As I already mentioned, Python is required for volatility (2.6 or later, but not 3.0), so check that prerequisite:# python -V
Now check that pycrypto package is installed:
# python
>>> help("modules")
In case your Python installation does't include pycrypto, install it as follows, after downloading it from www.dlitz.net:
# tar zxf pycrypto-2.6.1.tar.gz
# cd pycrypto-2.6.1
# sudo python setup.py build install
# python
>>> help("modules pycrypt")
Here is a list of matching modules. Enter any module name to get more help.
Crypto.SelfTest.Cipher.common - Self-testing for PyCrypto hash modules
Crypto.SelfTest.Hash.common - Self-testing for PyCrypto hash modules
Now download the volatility source code package for Mac from the official repository with this link Volatility 2.4.
Open a shell and uncompress the package:
# tar zxf /tmp/volatility-2.4.tar.gz
The installation of the software is really simple, you only need to run one command:
# cd volatility-2.4
# sudo python setup.py build install
It will take some time to install, and after check the installation with the following command:
# python vol.py --info
As you can see there is the following error:
# python vol.py --info Volatility Foundation Volatility Framework 2.4 *** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.linux.apihooks (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)
So, what is needed now is the distorm3 Python package (distorm3).
# unzip distorm3-3.3.0.zip
# cd distorm3-3.3.0
# sudo python setup.py build install
Check again the installation:
# cd ../distorm3-3.3.0
# python vol.py --info
Now Volatility is ready to be used.
Usage
Volatility is structured in profiles and plugins:- Profiles are needed to analyse the memory dump. It is needed to specify from which OS the memory dump comes from
- Plugins are the real analysis tools. There are a lot of plugins for various operations.
Profiles are located in:
volatility-2.4/volatility/plugins/overlays/<OS>
Plugins are located in:
volatility-2.4/volatility/plugins/
Now that everything is ready, it is possible to analyse a memory dump with volatility:
# python vol.py --profile=<OS_profile> -f <MemoryDumpFile> <plugin>
The plugin list and description can be found here.
Be patient, learn, share, and play with your memory dumps :-) .
