Volatility Memory Forensics | Installation in Ubuntu

Requirements:
A Windows, Linux, or Mac OS X machine
Python version 2.6 or greater, but not 3.x (already installed on Ubuntu)

Supported Samples
32bit Windows XP Service Pack 2 and 3
32bit Windows 2003 Server Service Pack 0, 1, 2
32bit Windows Vista Service Pack 0, 1, 2
32bit Windows 2008 Server Service Pack 1, 2
32bit Windows 7 Service Pack 0, 1

1.) Installing SVN and Basic Dependencies

# apt-get install subversion pcregrep libpcre++-dev python-dev -y

2.) Installing Distorm3

# wget http://distorm.googlecode.com/files/distorm3-1.0.zip
# unzip distorm3-1.0.zip
# cd distorm3-1.0
# python setup.py build
# python setup.py build install

3.) Installing Yara

# wget http://yara-project.googlecode.com/files/yara-1.6.tar.gz
# tar -xvzf yara-1.6.tar.gz
# cd yara-1.6
# ./configure
# make
# make install

4.) Installing Yara-Python

# wget http://yara-project.googlecode.com/files/yara-python-1.6.tar.gz
# tar -xvzf yara-python-1.6.tar.gz
# cd yara-python-1.6
# python setup.py build
# python setup.py build install

If you are on Ubuntu you will need to also run the following commands:

# echo "/usr/local/lib" >> /etc/ld.so.conf
# ldconfig

5.) Installing GMP

# apt-get install libgmp3-dev

6.) Installing PyCrypto (Python Cryptography Toolkit)

# wget http://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.3.tar.gz
# tar -xzvf pycrypto-2.3.tar.gz
# cd pycrypto-2.3
# python setup.py build
# python setup.py build install

7.) Installing Sqlite3

$ sudo apt-get install sqlite3 libsqlite3-dev

8.) Installing Volatility 2.0 from SVN

$ svn checkout http://volatility.googlecode.com/svn/trunk Volatility

9.) Installing the Malware Plugins

$ wget http://malwarecookbook.googlecode.com/svn/trunk/malware.py

Place the plugin in the ‘plugins’ directory within the Volatility directory (/Volatility/volatility/plugins/).

10.) Go into your Volatility directory and type

cd Volatility
python vol.py -h
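Once steps 1 through 10 have been run, the following POSIX shell script checks the result: that the SVN checkout contains vol.py and malware.py in the plugins directory described above, that the Python modules the four source builds provide (distorm3, yara, Crypto, sqlite3) import under the python 2.x interpreter, and that libyara is visible to the dynamic linker (the point of the ldconfig step in section 4). It also replaces the plain `echo >> /etc/ld.so.conf` with an idempotent version that will not append a duplicate line if the step is re-run. This is an added example, not code from the post or from the Volatility project; the default checkout path ./Volatility and the function names are assumptions.

```shell
#!/bin/sh
# Post-install sanity checks for a Volatility 2.0 SVN checkout.
# Added example; not part of the original post or the Volatility project.
# Assumptions: the checkout lives at ./Volatility unless a path is given, and
# the malware plugin is at volatility/plugins/malware.py as the post describes.

# Append a library path to an ld.so.conf-style file only if it is not already
# listed. The post's `echo >> /etc/ld.so.conf` adds a duplicate on every re-run.
ensure_ldpath() {
    conf="$1"; path="$2"
    [ -f "$conf" ] || : > "$conf"
    if grep -qxF "$path" "$conf"; then
        return 0
    fi
    printf '%s\n' "$path" >> "$conf"
}

# The checkout must contain vol.py and the malware plugin in the plugins dir.
check_vol_tree() {
    dir="$1"
    [ -f "$dir/vol.py" ] || { echo "missing $dir/vol.py" >&2; return 1; }
    [ -d "$dir/volatility/plugins" ] || { echo "missing $dir/volatility/plugins" >&2; return 1; }
    [ -f "$dir/volatility/plugins/malware.py" ] || { echo "malware.py not in plugins dir" >&2; return 1; }
    return 0
}

# Import a Python module with the interpreter Volatility 2.0 uses (python 2.x).
# Non-zero if either the interpreter or the module is absent.
check_pymod() {
    command -v python >/dev/null 2>&1 || return 1
    python -c "import $1" >/dev/null 2>&1
}

# libyara is built from source into /usr/local/lib; after the ld.so.conf entry
# and ldconfig it must appear in the linker cache or yara-python will not load.
check_libyara() {
    command -v ldconfig >/dev/null 2>&1 || return 1
    ldconfig -p 2>/dev/null | grep -q 'libyara'
}

# Run every check and keep going, so all problems are reported at once.
volatility_postinstall_check() {
    dir="${1:-./Volatility}"
    rc=0
    check_vol_tree "$dir" && echo "ok: checkout layout in $dir" || rc=1
    for m in distorm3 yara Crypto sqlite3; do
        if check_pymod "$m"; then
            echo "ok: python module $m"
        else
            echo "FAIL: python module $m does not import"; rc=1
        fi
    done
    if check_libyara; then
        echo "ok: libyara in ldconfig cache"
    else
        echo "FAIL: libyara not found by ldconfig (check /etc/ld.so.conf)"; rc=1
    fi
    return $rc
}

# Usage: sh volcheck.sh [/path/to/Volatility]
if [ -n "${1:-}" ]; then
    volatility_postinstall_check "$1"
fi
```

Run it from the parent of the checkout after step 10; a non-zero exit code means at least one dependency or path is wrong, and each failing item is printed so the corresponding step can be repeated.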

Links:
Volatility – An advanced memory forensics framework
Distorm – Powerful Disassembler Library For x86/AMD64
Yara – A malware identification and classification tool
PyCrypto – The Python Cryptography Toolkit

Memory Samples for Testing:
Memory Samples from Malware Analyst’s Cookbook
Memory Samples by hogfly