Although a bit old, Volatility Framework is still one of the favourite tools for memory forensic investigations. Its wide range of plugins enables easy extraction, although without a fancy interface, of a lot of important pieces of information.
Today, we’ll walk through the process of installing volatility framework on an fresh installation of Ubuntu. Let’s kick this off:
Part 1: Creating a VM and installing Ubuntu
My personal favourite is VMWare Workstation Pro, but you can easily use VirtualBox to achieve the same goal.
1. Download Ubuntu 18.04LTS from this link:
2. Create a new VM with 4GB of RAM, and at least 20GB (I recommend 40GB to have some space for the memory dumps you’ll examine)
3. Create a username and a password of your choice. For my installation, I’ll use “mohammed” as my username.
4. Leave the rest of the installation settings to the default.
Part 2: Preparing the Python environment
Volatility Framework was written for python 2.x, not 3.x. This means that you’ll need to prepare an environment of python 2.x with all the dependencies.
1. Download Miniconda from this link:
2. Start the installation at the terminal window by moving to the ~/Downloads folder and issuing the following command:
sudo sh Miniconda3-py39_4.10.3-Linux-x86_64.sh
Change this “Miniconda3-py39_4.10.3-Linux-x86_64.sh” to the name of the file you just downloaded if it is different. During the installation, leave the installation location to the default, and respond with “yes” to “Do you wish the installer to initialize Miniconda3”.
3. After the installation is done, close the terminal window and open a new one. You should see the prompt
(base) before your terminal prompt. Just like this:
4. To check the version of Python that is currently installed, type the command:
It should show you 3.9.5.
5. to be able to create a new conda environment, you will need to change the ownership of the .conda folder in your miniconda installation. This can be done by:
sudo chown mohammed:mohammed /home/mohammed/.conda
Replace all the “mohammed”s in this command with your selected username, including the folder name.
6. As Volatility Framework requires Python 2, not 3, we will create a new environment using the following commands:
conda create --name py2.7 python=2.7
7. After the creation of the new conda environment, we can activate it using the command:
conda activate py2.7
This will change the prompt to py2.7.
8. Now we will re-check the version of python using the command:
It should show 2.7.18.
9. Now we install the libraries needed by volatility using these commands:
sudo apt install pcregrep libpcre++-dev python-dev git gcc -y
pip install distorm3
pip install yara-python
pip install PyCrypto
pip install pillow
pip install OpenPyxl
pip install ujson
Part 3: Installing and Using Volatility Framework
1. Move to the ~/ folder using
cd ~/ command.
2. Download the volatility framework using this command:
git clone https://github.com/volatilityfoundation/volatility.git
3. Change the folder to ~/volatility using the command
4. Test the installation using the command:
python vol.py –info
5. Take a look at the different plugins and profiles. You’ll notice that the profiles included in the framework are all Windows profiles. The framework doesn’t include any Linux or Mac profiles by default. You’ll need to download these profiles from here:
6. For Linux profiles, it is tricky to find the profile that fits your particular distribution and kernel versions. It is a common practice that you compile a profile from the machine where you’re capturing the memory dump using tools such as “Lime”.
7. A typical command to have the framework check automatically what is the most suitable profile would look like this:
python vol.py --file="/home/mohammed/Desktop/memdump.dump" imageinfo
After finding the suitable profile for your memory dump, you can issue commands like this:
python vol.py --file="/home/mohammed/Desktop/memdump.dump" --profile=Win7SP1x64 psscan
psscan plugin would show you the processes running in memory at the time of the capture.