2010-11-18

Volatility Memory Forensics I - Installation

2011-4-27 Update: The following is for Volatility 1.3. You should be looking at Volatility 1.4. See blog entry on the subject.


Memory Forensics has been a subject of major interest over the past year or so. This blog article describes my install experience with Volatility – a major memory forensics tool.



After playing with the Sans SIFT workstation forensic toolkit (cf https://computer-forensics2.sans.org/community/siftkit/ ), I decided that a native install of Volatility would be better. Since Volatility requires extensions to python, and installation on Windows apparently requires gymnastics such as the MinGW gcc compiler, I decided to move on to Ubuntu.

Volatility install

This recipe essential follows http://gleeda.blogspot.com/2009/08/volatility-svn.html (Jamie Levy’s) instructions.
First I installed subversion:
        sudo apt-get install subversion libapache2-svn

Next, I downloaded the get_plugins.bsh script by Jaimie Levy. (This is get_plugins.zip in the downloads section of Volatility googlecode website).

As root:

  • Ran the script in /usr/local/src. This installed Volatility + the plugins.
  • Then installed the pkg python-dev using Synaptic Pkg Mgr on Ubuntu (System –> Administration –> Synaptic Package Manager)

Finally

perl -MCPAN -e shell
install Inline::Python

This installs Inline:: base module and other things.

Note that for some reason, I had to reinstall pydasm manually.

Next fire up Volatility and check the installed modules by specifying “--help” to get the list of loaded modules.

python volatility –help

Install MNIN updated plugins


The “Volatility Analyst Pack” is located at: http://mhl-malware-scripts.googlecode.com/files/vap-0.1.zip

This contains plugins not mentioned on the Volatility wiki.

Unzip the archive, then copy the modules to /usr/local/src/volatility/Volatility/memory_plugins (if that is where you have installed Volatility)

Install psscan3 plugin


This one is located through a moyix blog entry. See http://moyix.blogspot.com/2010/07/plugin-post-robust-process-scanner.html

The link to the plugin is: http://www.cc.gatech.edu/~brendan/volatility/dl/psscan3.py

This python module should be copied into /usr/local/src/volatility/Volatility/memory_plugins

Update the source code


rrplugin members

The regripper plugins are found in the “rrplugin” directory. There are “macro” members that call the other individual plugins.

Some of these are commented out and should be made active. Edit the following files to remove the comments:

  • ntuser
  • system
  • software

When finished try the following egrep command to ensure that everything is active:

cd /usr/local/src/volatility/Volatility/rrplugins
egrep "^\#" ntuser sam security system software

Here is the output:

install-regdump

apihooks.py and usermode_hooks2.py

In the memory_plugins directory, update the apihooks.py, and usermode_hooks2.py plugins to comment out the following line:

shutil.rmtree(opts.dir)

The plugins are coded to dump out possibly infected modules, then to delete the entire directory containing these new dumped executables. The change above means that the dump directory will be preserved.

Install Yara


This is a snort-like virus scanner that looks for strings. Certain Volatility plugins use this.

Here is the reference: http://code.google.com/p/yara-project/

I couldn’t find many ready-made signatures for this tool. It is handy if you are searching for a specific signature across a number of modules.

If you want to install this, you first must install pcre. On Ubuntu, with the Synaptic Pkg Mgr, install:

  • libpcre3
  • libpcre3-dev

Download yara-1.4a.tar.gz, then as root:

tar xvzf yara-1.4.tar.gz
cd yara-1.4/
./configure
make
make install

Next install the yara-python extension (as root):

tar xvzf yara-python-1.4a.tar.gz
cd yara-python-1.4a/
python setup.py build
python setup.py install

To get this working, I had to add /usr/local/lib to the loader config file (as root):

echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig

When you run Volatility, you shouldn’t see any error messages at the start :

python volatility --help

Plugins


Most plugins (not all) are listed in the Forensics Wiki with a brief description:

http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins

Here is a list of the installed plugins:  vol-cmds.txt

References


Moyix’s plugin page: http://www.cc.gatech.edu/~brendan/volatility/

Volatility Googlecode website: http://code.google.com/p/volatility/

19 comments:

cw said...

Thanks for putting this together. I think the lack of a user-friendly installer keeps some people away from this excellent and interesting toolkit.

You say:

"The regripper plugins are found in the “rrplugin” directory. There are “macro” members that call the other individual plugins.

Some of these are commented out and should be made active. Update the following members to remove the comments:

* ntuser
* system
* software
"

I suggest a rewording - "edit the following files and remove the comments". For those unfamiliar with regripper, "update the following members" isn't as clear.

You say:

"If you want to install this, you first must install pcre. On Ubuntu, with the Synaptic Pkg Mgr, install:

* libprce3"

Should be libpcre3 instead :) easily figured out but can't hurt to correct the tyop!

You say:

"Download yara-python-1.4a.tar.gz, then as root:

tar xvzf yara-1.4.tar.gz
cd yara-1.4/
./configure
make
make install"

This should say "Download yara-1.4.tar.gz, then as root" instead.

It would also be nice to see the installation of the malfind plugin as well. That's my next task, it has some dependencies etc.

Thanks for your work!

Curt Wilson @curtw
perpetualhorizon.blogspot.com

Jamie Levy said...

Yeah, I've been meaning to fix the get_plugins script... I had written an explanation in reply to your comment on my blog. I'll do that soon.

Thanks for the documentation, I'm sure many will find it very helpful!

-Gleeda

lorgor said...

Changes made. Thanks for pointing them out.

Rob Dewhirst said...

been using Volatility in SIFT. Just installed this in my desktop Lucid system based on these instructions.

How do I get volatility to work without the absolute path?

python volatility

doesn't work, but using the /usr/local/src/volatility/Volatility/volatility path does.

Rob Dewhirst said...

Gave up and justed aliased python /usr/local/src/vol.....

Vern said...

@Rob

I just made a symbolic link to volatility then moved it to /usr/bin

Commands:

ln -s {path to volatility} vol

sudo mv vol /usr/bin

Since /usr/bin is in the default path, typing 'vol' at any command line will now invoke volatility.

Blogger said...

I have used AVG protection for a few years, and I would recommend this product to all of you.

Best Writing Clues said...

This blog entry give me an idea about the installation of volatility. I have heard about this volatility but I don't know how to install it. After reading this post, I got clear idea about its installation process.

fillikir72518 said...

I’d need to verify with you here. Which is not something I usually do! I take pleasure in studying a post that can make people think. Additionally, thanks for allowing me to remark! online casino games

Sophie Grace said...

This is a great inspiring article.I am pretty much pleased with your good work. Coming site to insta stalker to see more about instagram.

Anonymous said...

This is an informative post and it's very useful and informative. So, I want to thank you for the effort you put into writing this article. Here are some articles about the CPS test 1 second. Check out my latest post on Click Per Second. Please visit my site as well and let me know what you think.

Anonymous said...

If you are interested in the blogging industry, check out the latest posts on the great site. Post-related Spacebar Counter Challenge Speed test. Read the article Spacebar Counter and have a good reading experience.

Peter said...

Installing Memory Forensics can be very frustrating if one got no knowledge about it. My experience was so good because I knew how to install it. Now it's time to avail Inbound Call Center Services for more information.

arianapeter said...

"I found this installation guide for Volatility Memory Forensics quite insightful! As a student diving into digital forensics, mastering tools like Volatility is crucial. The step-by-step instructions provided a clear path. Exploring this while working to do my assignment felt rewarding. It's reassuring to know I can tackle challenges more confidently now. Thanks for sharing!"

Stephen Foust said...

Just as 'Volatility Memory Forensics' explores the intricacies of memory analysis, I'm delving into the depths of real estate school Aiken SC. Just like memory analysis can unveil hidden patterns, my real estate education is revealing the nuances of property transactions. Both fields require sharp insights, making every detail count for success.

velee vlone said...

This detailed installation guide for the Volatility Memory Forensics tool highlights the technicalities involved. Just as the author meticulously installs and configures plugins, a reliable cheap dissertation writing service can systematically enhance your academic pursuits. Both instances require attention to detail and expertise, resulting in a valuable outcome. Just as the author ensures each plugin's functionality, such services ensure a well-structured and coherent dissertation, providing essential assistance for academic success.

Marisa Eckert said...

This is a great introduction to memory forensics! It’s fascinating how technical tools like Volatility help in analyzing volatile memory. In a different yet complex world, theater production also requires precise tools for visualization and execution. At Palco Specialties, we provide solutions like the TAPPS one act double cube, which offers flexibility in stage setups, much like how forensics tools provide flexibility in digital investigations. Both fields require detailed planning for effective results!







anthonygranger said...

The "Volatility Memory Forensics I" guide on installation is a great resource for those delving into memory forensics and cyber investigation. Speaking of exploring essentials, for fashion enthusiasts, the Cross Stitch Summer Collection 2024 from Al Karim Fabric offers an exciting dive into Pakistan's latest seasonal designs. Just as forensics tools evolve to address modern needs, Al Karim Fabric brings fresh, vibrant patterns to meet fashion’s ever-changing landscape.






Joseph said...

Great insights on memory forensics in this post! Similarly, just as installing and setting up tools for forensics requires careful planning, it's essential to plan for dental procedures like tooth extraction. If you’re looking for an affordable and reliable tooth extraction cost near Gulistan-e-Johar, Karachi The Dental Clinic offers high-quality services with transparency in pricing. Visit us to get your dental needs taken care of with professionalism and care.