The Volatility Framework is a completely open collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples. Volatility is a memory forensics framework for analysing RAM dumps of Windows, Linux and Mac systems. To analyse an operating system's RAM in Volatility, you need to build the profile for that operating system. The extraction techniques are performed completely independently of the system being investigated, yet offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples, and to provide a platform for further work in this exciting area of research.

In this post I am sharing how to install Volatility on Ubuntu 12.04, step by step. The post includes screenshots and ready-to-run terminal commands for installing the dependent libraries.
Firstly: Installing Dependencies
sudo apt-get install subversion pcregrep libpcre++-dev python-dev -y
Secondly: Installing PyCrypto
Download PyCrypto from https://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.1.tar.gz
Go to ~/..../Downloads/ where the archive was saved, then run:
cd pycrypto-2.6.1
python setup.py build
sudo python setup.py build install
Thirdly: Installing diStorm3
diStorm3, a disassembler library for x86/AMD64, can be downloaded from https://github.com/gdabah/distorm
Go to the directory where the file was downloaded and run:
unzip distorm3.zip
cd distorm3/
python setup.py build
sudo python setup.py build install
Fourthly: Installing Yara
Volatility needs another important dependency, Yara, which can be installed as follows:
wget http://yara-project.googlecode.com/files/yara-1.4.tar.gz
tar -zxvf yara-1.4.tar.gz
cd yara-1.4/
sudo ./configure
sudo make
sudo make install
Fifthly: Installing Yara-Python
Download the tar.gz from https://yara-project.googlecode.com/files/yara-python-1.4a.tar.gz
tar -zxvf yara-python-1.4a.tar.gz
cd yara-python-1.4a/
python setup.py build
sudo python setup.py build install
echo "/usr/local/lib" | sudo tee -a /etc/ld.so.conf
sudo ldconfig
With the dependencies installed, we go ahead and install Volatility itself after downloading the tarball from https://code.google.com/p/volatility/downloads/detail?name=volatility-2.3.1.tar.gz&can=2&q=
From the extracted volatility-2.3.1 directory run:
python setup.py build
sudo python setup.py build install
The installation is now complete, and running python vol.py -h should give you a help screen similar to the one shown below.
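The steps above give no way to confirm that each piece actually landed where Volatility will look for it, and the ld.so.conf step as written (`>>` append) adds a duplicate line every time it is re-run. The script below is an added example, not part of the original post or of the Volatility project: it checks that the Python import names of the three dependencies (Crypto for PyCrypto, distorm3 for diStorm3, yara for yara-python) resolve, that the loader can see libyara, and that vol.py -h exits cleanly, and it provides an idempotent replacement for the ld.so.conf edit. The path volatility-2.3.1, the environment variables PYTHON and VOL_CHECK_LIB_ONLY and all function names are assumptions of this example.

```shell
#!/bin/sh
# Post-install sanity checks for a Volatility 2.3.1 build (added example,
# not from the original post). Module names Crypto, distorm3 and yara are
# the import names of PyCrypto, diStorm3 and yara-python respectively.

# Interpreter Volatility 2.x runs under ("python" on Ubuntu 12.04); the
# python3 fallback only keeps the helper functions usable on newer hosts.
PY="${PYTHON:-$(command -v python 2>/dev/null || command -v python3 2>/dev/null || echo python)}"

# Return 0 if the named Python module imports cleanly, 1 otherwise.
check_py_module() {
    "$PY" -c "import $1" >/dev/null 2>&1
}

# Append a library directory to an ld.so.conf-style file only if it is not
# already listed, so re-running the step never produces duplicate entries.
# Usage: add_ld_path <conf-file> <directory>   (run as root for /etc/ld.so.conf)
add_ld_path() {
    conf="$1"; dir="$2"
    [ -f "$conf" ] || : > "$conf"
    if grep -qxF "$dir" "$conf"; then
        return 0
    fi
    printf '%s\n' "$dir" >> "$conf"
}

# Print how many times a directory is listed in a conf file (0 if the file
# does not exist); used to demonstrate that add_ld_path is idempotent.
count_ld_path() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cxF "$2" "$1" 2>/dev/null || true
}

# Return 0 if the dynamic loader cache (rebuilt by ldconfig) lists libyara.
check_libyara() {
    ldconfig -p 2>/dev/null | grep -q 'libyara'
}

# Return 0 if vol.py -h exits cleanly from the given source directory.
check_vol_help() {
    [ -f "$1/vol.py" ] || return 1
    (cd "$1" && "$PY" vol.py -h >/dev/null 2>&1)
}

# report <label> <command...>: print OK/MISSING for one check, never abort.
report() {
    label="$1"; shift
    if "$@"; then
        printf '%-28s OK\n' "$label"
    else
        printf '%-28s MISSING\n' "$label"
    fi
}

main() {
    voldir="${1:-volatility-2.3.1}"   # assumed location of the extracted tarball
    for m in Crypto distorm3 yara; do
        report "python module $m" check_py_module "$m"
    done
    report "libyara via ldconfig" check_libyara
    report "vol.py -h ($voldir)" check_vol_help "$voldir"
}

# Set VOL_CHECK_LIB_ONLY=1 to source this file for its helpers without
# running the report (assumed variable name for this example).
if [ "${VOL_CHECK_LIB_ONLY:-0}" = 0 ]; then
    main "$@"
fi
```

Run it as `sh check_volatility_install.sh [path-to-volatility-2.3.1]` after the steps above; any line reporting MISSING points at the step to repeat. To apply the idempotent ld.so.conf edit to the real file, source the helpers as root (`sudo sh -c 'VOL_CHECK_LIB_ONLY=1 . ./check_volatility_install.sh; add_ld_path /etc/ld.so.conf /usr/local/lib; ldconfig'`), which is safe to repeat because a second run changes nothing.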