
How to install Volatility on Mac OS X (Version 10.8.4)

## Requirements ##

1.) Installing Xcode
Install Xcode from the Mac App Store.
Launch Xcode and agree to the Xcode License Agreement. Go to ‘Xcode’ –> ‘Preferences…’


Click on the ‘Downloads’ preferences panel, and you’ll see Command Line Tools in the ‘Components’ tab.
Click the ‘Install’ button to install the Command Line Tools.

2.) Installing Homebrew

$ ruby -e "$(curl -fsSL https://raw.github.com/mxcl/homebrew/go)"
$ brew doctor

3.) Installing XQuartz

http://xquartz.macosforge.org/landing/
Download: http://xquartz.macosforge.org/downloads/SL/XQuartz-2.7.4.dmg
Install XQuartz

4.) Installing Wine with Homebrew

$ brew install wine

Note: Keeping Wine up-to-date:

$ brew update && brew upgrade

5.) Installing Wget with Homebrew

$ brew install wget

6.) Installing pcre with Homebrew

$ brew install pcre

7.) Installing pip

$ sudo easy_install pip

## Recommended packages ##

Note: Change ownership of the ‘opt’ directory to your user account, so the source trees below can be fetched and unpacked without sudo. The ‘sudo python setup.py install’ steps that follow execute code from these user-owned checkouts as root, so keep /opt owned by your account only; do not make it group- or world-writable:

$ sudo chown -R [USERNAME] /opt

e.g.:

$ sudo chown -R evild3ad /opt

8.) Installing Distorm3

$ cd /opt/
$ wget http://distorm.googlecode.com/files/distorm-package3.1.zip
$ unzip distorm-package3.1.zip
$ rm distorm-package3.1.zip
$ cd /opt/distorm3
$ python setup.py build
$ sudo python setup.py install

9.) Installing Yara

$ cd /opt/
$ wget http://yara-project.googlecode.com/files/yara-1.7.tar.gz
$ tar xvzf yara-1.7.tar.gz
$ rm yara-1.7.tar.gz
$ mv yara-1.7 yara
$ cd /opt/yara
$ ./configure
$ make
$ sudo make install

10.) Installing Yara-Python

$ cd /opt/
$ wget http://yara-project.googlecode.com/files/yara-python-1.7.tar.gz
$ tar xvzf yara-python-1.7.tar.gz
$ rm yara-python-1.7.tar.gz
$ mv yara-python-1.7 yara-python
$ cd /opt/yara-python
$ python setup.py build
$ sudo python setup.py install

Test by running python shell:

$ python
>>> import yara
>>>

11.) Installing PyCrypto

$ cd /opt/
$ wget https://pypi.python.org/packages/source/p/pycrypto/pycrypto-2.6.tar.gz
$ tar xvzf pycrypto-2.6.tar.gz
$ rm pycrypto-2.6.tar.gz
$ mv pycrypto-2.6 pycrypto
$ cd /opt/pycrypto
$ python setup.py build
$ sudo python setup.py install

12.) Installing PIL – Python Imaging Library

$ sudo pip install PIL

13.) Installing OpenPyxl

$ sudo pip install openpyxl

14.) Installing Graphviz

Note: not necessary if you have already installed Wine (it already pulls in libtool):

$ brew install libtool

www.graphviz.org/Download_macos.php
Download: www.graphviz.org/pub/graphviz/stable/macos/mountainlion/graphviz-2.32.0.pkg
Install Graphviz

Usage (run from /opt/Volatility; pass a --profile matching the sample, which ./vol.py imageinfo -f <image> will suggest, if it is not the default):

$ ./vol.py psscan -f /opt/memory-samples/Shylock.vmem --output=dot --output-file=psscan.dot
$ dot -Tpng psscan.dot -o psscan.png

## Optional packages ##

15.) Installing pytz

$ cd /opt/
$ wget http://downloads.sourceforge.net/pytz/pytz/2006p/pytz-2006p.zip
$ unzip pytz-2006p.zip
$ rm pytz-2006p.zip
$ mv pytz-2006p pytz
$ cd /opt/pytz
$ python setup.py build
$ sudo python setup.py install

16.) IPython
Installing Anaconda:

$ cd ~/Downloads
$ wget http://09c8d0b2229f813c1b93-c95ac804525aac4b6dba79b00b39d1d3.r79.cf1.rackcdn.com/Anaconda-1.6.1-MacOSX-x86_64.sh
$ bash <downloaded file>

e.g.:

$ bash Anaconda-1.6.1-MacOSX-x86_64.sh

Installing IPython:

$ conda update conda
$ conda update ipython

17.) pyxpress

$ cd /opt/
$ mkdir pyxpress
$ cd /opt/pyxpress
$ wget http://volatility.googlecode.com/svn/branches/scudette/contrib/pyxpress/README
$ wget http://volatility.googlecode.com/svn/branches/scudette/contrib/pyxpress/pyxpress.c
$ wget http://volatility.googlecode.com/svn-history/r1609/branches/scudette/contrib/pyxpress/setup.py
$ python setup.py build
$ sudo python setup.py install

18.) libforensic1394

$ cd /opt/
$ git clone git://git.freddie.witherden.org/forensic1394.git
$ cd forensic1394

Note: git:// is an unauthenticated, unencrypted transport, so nothing verifies who served the clone; prefer an https:// clone URL if the project offers one.

Install CMake before building:
www.cmake.org/cmake/resources/software.html
Download: www.cmake.org/files/v2.8/cmake-2.8.11.2-Darwin64-universal.dmg
Install CMake

$ cmake CMakeLists.txt
$ make
$ sudo make install
$ cd python
$ sudo python setup.py install

19.) Sysinternals Strings

$ cd /opt/
$ mkdir Tools
$ cd /opt/Tools
$ wget http://download.sysinternals.com/files/Strings.zip
$ unzip Strings.zip
$ rm Strings.zip && rm Eula.txt

Usage:

$ cd /opt/Tools
$ wine strings.exe -q -o /opt/memory-samples/zeus.vmem > /opt/zeus-analysis/strings/sysinternals_strings_complete.txt
$ cd /opt/Volatility
$ ./vol.py --profile=Win7SP1x86 strings -f /opt/memory-samples/zeus.vmem -s /opt/zeus-analysis/strings/sysinternals_strings_complete.txt --output-file=/opt/zeus-analysis/strings/vol_strings_complete.txt
$ less /opt/zeus-analysis/strings/vol_strings_complete.txt
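Running strings.exe under Wine is the slow and fragile part of this workflow. The script below is an added example (it is not from the original post and not part of Volatility) that produces the same kind of strings file natively with POSIX od, awk and sort: one `offset:string` line per hit with the offset in decimal, covering both ASCII and UTF-16LE ("Unicode") strings, which is what Sysinternals strings -o emits and what vol.py strings -s reads. It assumes the strings plugin's documented `offset:string` input format; the minimum length defaults to 4 (Sysinternals defaults to 3) and the sample bytes in the test are constructed. The od/awk scanner is portable but slow on a multi-gigabyte image; the second function uses strings(1) for a fast ASCII-only pass.

```shell
#!/bin/sh
# Added example, not code from the original post or from Volatility.
# Produce a Volatility "offset:string" file (decimal offsets) without Wine.

# vol_strings <image> [minlen]  ->  "offset:string" lines, sorted by offset.
# Scans for runs of printable ASCII (0x20-0x7e) and for UTF-16LE runs
# (printable byte followed by 0x00), like Sysinternals strings -o.
vol_strings() {
    od -An -v -t u1 "$1" | awk -v min="${2:-4}" '
    function flush_a() {                 # end of an ASCII run
        if (alen >= min) print astart ":" abuf
        abuf = ""; alen = 0
    }
    function flush_u() {                 # end of a UTF-16LE run
        if (ulen >= min) print ustart ":" ubuf
        ubuf = ""; ulen = 0
    }
    BEGIN { base = 0; alen = 0; ulen = 0; abuf = ""; ubuf = ""; pending = 0 }
    {
        for (i = 1; i <= NF; i++) {
            off = base + i - 1           # absolute byte offset of this byte
            b = $i + 0
            printable = (b >= 32 && b <= 126)

            # ASCII: any run of printable bytes
            if (printable) {
                if (alen == 0) astart = off
                abuf = abuf sprintf("%c", b); alen++
            } else {
                flush_a()
            }

            # UTF-16LE: a printable low byte must be followed by 0x00
            if (pending) {
                pending = 0
                if (b == 0) {
                    if (ulen == 0) ustart = candpos
                    ubuf = ubuf candc; ulen++
                    continue
                }
                flush_u()                # low byte not followed by 0x00
            }
            if (printable) { candc = sprintf("%c", b); candpos = off; pending = 1 }
            else flush_u()
        }
        base += NF
    }
    END { flush_a(); flush_u() }' | sort -t : -k 1,1n
}

# vol_strings_ascii_fast <image>  ->  ASCII strings only, via strings(1).
# GNU and macOS strings already scan quickly; only the "<offset> <string>"
# layout of -t d needs turning into "offset:string". Finds no UTF-16 strings.
vol_strings_ascii_fast() {
    strings -a -t d "$1" | awk '{ off = $1; sub(/^[ \t]*[0-9]+ /, ""); print off ":" $0 }'
}

# Mirrors the Sysinternals step above (the paths are the post's own), e.g.:
#   vol_strings /opt/memory-samples/zeus.vmem > /opt/zeus-analysis/strings/sysinternals_strings_complete.txt
if [ "$#" -gt 0 ]; then
    vol_strings "$@"
fi
```

The result is fed to the plugin exactly as before: `./vol.py --profile=... strings -f <image> -s <file>`. Because offsets are what the plugin maps back to process and kernel address space, the scanner must count from byte 0 of the raw image, which is why the whole file is read with -v (no duplicate-line suppression) and why nothing is skipped.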

Volatility (Code Repository)

## Volatility ##

20.) Installing Volatility 2.3_beta

$ cd /opt/
$ sudo svn checkout http://volatility.googlecode.com/svn/trunk Volatility
$ cd /opt/Volatility
$ sudo chmod +x vol.py

Note: because /opt is owned by your account (see the chown step above), sudo is not actually needed here; a checkout made with sudo is root-owned, so every later svn update of it must use sudo as well.

21.) Go into your Volatility directory and check your supported plugin commands

$ cd /opt/Volatility
$ ./vol.py -h

Note: To update your repository you can run the following command from inside the trunk directory:

$ cd /opt/Volatility
$ sudo svn update

Links:
Basic Usage for Volatility 2.3
Command Reference for Volatility 2.3
Cheat Sheet v2.3
Community Docs
Memory Samples

This Post Has One Comment
  1. I’m a total Mac OS X newbie, but a developer by trade. I did your instructions to install Volatility 2.3 on Mavericks 10.9.4, and it worked! (awesome) but here are some differences and/or comments:
    ==========
    Error in ‘./configure’ for yara (yara mac os x Undefined symbols for architecture x86_64), so did:

    $ ./configure CFLAGS=-std=gnu89
    $ make clean
    $ make

    ====================
    $ sudo pip install PIL
    Downloading/unpacking PIL
    Could not find any downloads that satisfy the requirement PIL

    So, instead of:
    sudo pip install PIL

    did:
    sudo pip install pillow

    ==================
    downloaded: graphviz-2.38.0.pkg

