Volatility is a memory forensics framework for analysing RAM dumps from Windows, Linux and Mac systems. To analyse an operating system's RAM in Volatility you need the profile that matches that operating system. Windows profiles are built into Volatility by default; for a Linux or Mac memory dump you have to build the profile yourself. The most important thing to note is that a profile built for an Ubuntu 3.13 system cannot be used to analyse a memory dump from an Ubuntu 3.10 system. In this article I am going to show you how to install Volatility on your machine, and in the next blog I will show you how to create Linux profiles for analysing Linux RAM dumps. Please note that I am using Ubuntu 12.04, amd64. Install the packages in the order given below, and make sure that no errors appear while installing the dependencies and libraries.
[Update] You can also refer to Volatility's GitHub repository for the latest information about dependencies.
Step 1: Installing dependencies
h1dd3ntru7h@bi0s:~$ sudo apt-get install subversion pcregrep libpcre++-dev python-dev -y
Step 2: Installing PyCrypto
You can either use pip to install the library or you can download the source from here and install.
h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf pycrypto-2.6.1.tar.gz
h1dd3ntru7h@bi0s:~/Apps/pycrypto-2.6.1$ python setup.py build
h1dd3ntru7h@bi0s:~/Apps/pycrypto-2.6.1$ sudo python setup.py build install
Step 3: Installing distorm3
distorm3 is a disassembler library for x86/AMD64. You can download the source from here.
h1dd3ntru7h@bi0s:~/Apps$ unzip distorm3.zip
h1dd3ntru7h@bi0s:~/Apps$ cd distorm3/
h1dd3ntru7h@bi0s:~/Apps/distorm3$ python setup.py build
h1dd3ntru7h@bi0s:~/Apps/distorm3$ sudo python setup.py build install
Step 4: Installing Yara
Volatility ships many plugins that help identify malware in memory dumps, and most of the malware-related plugins use the Yara library. You can download the most recent version available, but for this demo I am using an older version of Yara.
h1dd3ntru7h@bi0s:~/Apps$ wget http://yara-project.googlecode.com/files/yara-1.4.tar.gz
h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf yara-1.4.tar.gz
h1dd3ntru7h@bi0s:~/Apps$ cd yara-1.4/
h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo ./configure
h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo make
h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo make install
Step 5: Installing Yara Python
Please follow the instructions in Step 4 before installing yara-python. You can download the yara-python 1.4a source from here. Please note that if you downloaded a different version of Yara in Step 4, you need to download a compatible version of yara-python.
h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf yara-python-1.4a.tar.gz
h1dd3ntru7h@bi0s:~/Apps$ cd yara-python-1.4a/
h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ python setup.py build
h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ sudo python setup.py build install
h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ echo "/usr/local/lib" | sudo tee -a /etc/ld.so.conf
h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ sudo ldconfig
We are done installing the dependencies; now we will install the Volatility framework itself. Please download the source from here. You can download and use it wherever you want. After downloading, extract it to a directory.
h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python setup.py build
h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ sudo python setup.py build install
This completes the installation. If everything went the right way, you should get similar output:
h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python vol.py -h
Volatility Foundation Volatility Framework 2.3.1
Usage: Volatility - A memory forensics analysis platform.
Options:
-h, --help list all available options and their default values.
Default values may be set in the configuration file
(/etc/volatilityrc)
--conf-file=/home/h1dd3ntru7h/.volatilityrc
[stripped]
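As an added post-install check (example script, not from the original post), the following confirms that each library built above imports under the same Python interpreter, that libyara is visible to the dynamic linker after the ld.so.conf step, and that vol.py prints its version banner. It assumes the interpreter is reachable as $PYTHON (default "python") and the unpacked volatility-2.3.1 directory is $VOL_DIR; save it as check_volatility.sh and run it from that directory.

```shell
#!/bin/sh
# check_volatility.sh: post-install sanity check for the dependency chain above.
# Added example, not part of the original post. Assumes the Python 2 interpreter
# used for "python setup.py build install" is $PYTHON (default "python") and
# that the unpacked volatility-2.3.1 directory is $VOL_DIR (default ".").
PYTHON="${PYTHON:-python}"
VOL_DIR="${VOL_DIR:-.}"

# check_py_module NAME: 0 if the interpreter can import NAME, non-zero otherwise.
check_py_module() {
    "$PYTHON" -c "import $1" >/dev/null 2>&1
}

# check_deps: imports each module the steps above install (PyCrypto -> Crypto,
# distorm3, yara-python -> yara) and returns the number of failures.
check_deps() {
    fails=0
    for mod in Crypto distorm3 yara; do
        if check_py_module "$mod"; then echo "PASS  import $mod"
        else echo "FAIL  import $mod"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# check_libyara: the ld.so.conf + ldconfig step lets the yara extension find
# libyara in /usr/local/lib; verify the linker cache now lists it.
check_libyara() {
    ldconfig -p 2>/dev/null | grep -q 'libyara\.so'
}

# banner_version LINE: extracts the version (e.g. 2.3.1) from the first line
# that "python vol.py -h" prints; prints nothing if LINE is not that banner.
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^Volatility Foundation Volatility Framework \([0-9.]*\).*/\1/p'
}

# check_vol: runs vol.py -h and confirms it reports a framework version.
check_vol() {
    ver=$(banner_version "$("$PYTHON" "$VOL_DIR/vol.py" -h 2>/dev/null | head -n 1)")
    [ -n "$ver" ] && echo "PASS  vol.py reports version $ver"
}

# Only run the checks when executed as a script, not when sourced.
if [ "${0##*/}" = "check_volatility.sh" ]; then
    check_deps
    check_libyara && echo "PASS  libyara found in ld cache"
    check_vol
fi
```

A FAIL line points at the step whose build or install did not complete; re-run that step and look for the compiler or permission error it printed.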