ubuntu

Installing Volatility Framework on an Ubuntu Virtual Machine

Edit 19-Feb-2024: This article was written for Volatility 2 which was based on Python 2.x.

Although a bit old, Volatility Framework is still one of  the favourite tools for memory forensic investigations. Its wide range of plugins enables easy extraction, although without a fancy interface, of a lot of important pieces of information.

Today, we’ll walk through the process of installing volatility framework on an fresh installation of Ubuntu. Let’s kick this off:

Part 1: Creating a VM and installing Ubuntu

My personal favourite is VMWare Workstation Pro, but you can easily use VirtualBox to achieve the same goal.

1. Download Ubuntu 18.04LTS from this link:

https://releases.ubuntu.com/18.04.6/ubuntu-18.04.6-desktop-amd64.iso

2. Create a new VM with 4GB of RAM, and at least 20GB (I recommend 40GB to have some space for the memory dumps you’ll examine)

3. Create a username and a password of your choice. For my installation, I’ll use “mohammed” as my username.

4. Leave the rest of the installation settings to the default.

Part 2: Preparing the Python environment

Volatility Framework was written for python 2.x, not 3.x. This means that you’ll need to prepare an environment of python 2.x with all the dependencies.

1. Download Miniconda from this link:

https://docs.conda.io/en/latest/miniconda.html#linux-installers

2. Start the installation at the terminal window by moving to the ~/Downloads folder and issuing the following command:

sudo sh Miniconda3-py39_4.10.3-Linux-x86_64.sh

Change this “Miniconda3-py39_4.10.3-Linux-x86_64.sh” to the name of the file you just downloaded if it is different. During the installation, leave the installation location to the default, and respond with “yes” to “Do you wish the installer to initialize Miniconda3”.

3. After the installation is done, close the terminal window and open a new one. You should see the prompt (base) before your terminal prompt. Just like this:

4. To check the version of Python that is currently installed, type the command:

python --version

It should show you 3.9.5.

5. to be able to create a new conda environment, you will need to change the ownership of the .conda folder in your miniconda installation. This can be done by:

sudo chown mohammed:mohammed /home/mohammed/.conda

Replace all the “mohammed”s in this command with your selected username, including the folder name.

6. As Volatility Framework requires Python 2, not 3, we will create a new environment using the following commands:

conda create --name py2.7 python=2.7

7. After the creation of the new conda environment, we can activate it using the command:

conda activate py2.7

This will change the prompt to py2.7.

8. Now we will re-check the version of python using the command:

python --version

It should show 2.7.18.

9. Now we install the libraries needed by volatility using these commands:

sudo apt install pcregrep libpcre++-dev python-dev git gcc -y

pip install distorm3

pip install yara-python

pip install PyCrypto

pip install pillow

pip install OpenPyxl

pip install ujson

Part 3: Installing and Using Volatility Framework

1. Move to the ~/ folder using cd ~/ command.

2. Download the volatility framework using this command:

git clone https://github.com/volatilityfoundation/volatility.git

3. Change the folder to ~/volatility using the command cd volatility

4. Test the installation using the command:

python vol.py –info

5. Take a look at the different plugins and profiles. You’ll notice that the profiles included in the framework are all Windows profiles. The framework doesn’t include any Linux or Mac profiles by default. You’ll need to download these profiles from here:

https://github.com/volatilityfoundation/profiles

6. For Linux profiles, it is tricky to find the profile that fits your particular distribution and kernel versions. It is a common practice that you compile a profile from the machine where you’re capturing the memory dump using tools such as “Lime”.

7. A typical command to have the framework check automatically what is the most suitable profile would look like this:

python vol.py --file="/home/mohammed/Desktop/memdump.dump" imageinfo

After finding the suitable profile for your memory dump, you can issue commands like this:

python vol.py --file="/home/mohammed/Desktop/memdump.dump" --profile=Win7SP1x64 psscan

The psscan plugin would show you the processes running in memory at the time of the capture.