2010-11-18

Volatility Memory Forensics I - Installation

2011-4-27 Update: The following is for Volatility 1.3. You should be looking at Volatility 1.4. See blog entry on the subject.


Memory Forensics has been a subject of major interest over the past year or so. This blog article describes my install experience with Volatility – a major memory forensics tool.



After playing with the Sans SIFT workstation forensic toolkit (cf https://computer-forensics2.sans.org/community/siftkit/ ), I decided that a native install of Volatility would be better. Since Volatility requires extensions to python, and installation on Windows apparently requires gymnastics such as the MinGW gcc compiler, I decided to move on to Ubuntu.

Volatility install

This recipe essentially follows Jamie Levy’s instructions at http://gleeda.blogspot.com/2009/08/volatility-svn.html.
First I installed subversion:
        sudo apt-get install subversion libapache2-svn

Next, I downloaded the get_plugins.bsh script by Jamie Levy. (This is get_plugins.zip in the downloads section of the Volatility googlecode website).

As root:

  • Ran the script in /usr/local/src. This installed Volatility + the plugins.
  • Then installed the python-dev package using the Synaptic Package Manager on Ubuntu (System –> Administration –> Synaptic Package Manager)

Finally

perl -MCPAN -e shell
install Inline::Python

This installs the Inline:: base module and other things.

Note that for some reason, I had to reinstall pydasm manually.

Next, fire up Volatility with “--help” to get the list of loaded modules:

python volatility --help

Install MNIN updated plugins


The “Volatility Analyst Pack” is located at: http://mhl-malware-scripts.googlecode.com/files/vap-0.1.zip

This contains plugins not mentioned on the Volatility wiki.

Unzip the archive, then copy the modules to /usr/local/src/volatility/Volatility/memory_plugins (if that is where you have installed Volatility)

Install psscan3 plugin


This one is located through a moyix blog entry. See http://moyix.blogspot.com/2010/07/plugin-post-robust-process-scanner.html

The link to the plugin is: http://www.cc.gatech.edu/~brendan/volatility/dl/psscan3.py

This python module should be copied into /usr/local/src/volatility/Volatility/memory_plugins

Update the source code


rrplugin members

The regripper plugins are found in the “rrplugin” directory. There are “macro” members that call the other individual plugins.

Some of these are commented out and should be made active. Edit the following files to remove the comments:

  • ntuser
  • system
  • software

When finished, try the following egrep command to ensure that everything is active:

cd /usr/local/src/volatility/Volatility/rrplugins
egrep "^\#" ntuser sam security system software

Here is the output:

install-regdump

apihooks.py and usermode_hooks2.py

In the memory_plugins directory, update the apihooks.py, and usermode_hooks2.py plugins to comment out the following line:

shutil.rmtree(opts.dir)

The plugins are coded to dump out possibly infected modules, then to delete the entire directory containing these new dumped executables. The change above means that the dump directory will be preserved.

Install Yara


YARA is a Snort-like malware scanner: it matches rules built from strings and byte patterns against files. Certain Volatility plugins use it.

Here is the reference: http://code.google.com/p/yara-project/

I couldn’t find many ready-made signatures for this tool. It is handy if you are searching for a specific signature across a number of modules.

If you want to install this, you first must install pcre. On Ubuntu, with the Synaptic Pkg Mgr, install:

  • libpcre3
  • libpcre3-dev

Download yara-1.4.tar.gz, then as root:

tar xvzf yara-1.4.tar.gz
cd yara-1.4/
./configure
make
make install

Next install the yara-python extension (as root):

tar xvzf yara-python-1.4a.tar.gz
cd yara-python-1.4a/
python setup.py build
python setup.py install

To get this working, I had to add /usr/local/lib to the loader config file (as root):

echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig

When you run Volatility, you shouldn’t see any error messages at start-up:

python volatility --help
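To confirm the edits above took effect before you start analysing images, here is a small POSIX-shell check script, added as an example (it is not from the original post or from the Volatility project). It assumes the install paths used in this post and the plugin file names copied in above (psscan3.py, apihooks.py, usermode_hooks2.py); set VOL_ROOT and LD_CONF in the environment if yours differ.

```shell
# Post-install sanity check for the Volatility 1.3 tree set up in this post (added example, not from the post or Volatility).
VOL_ROOT="${VOL_ROOT:-/usr/local/src/volatility/Volatility}"
LD_CONF="${LD_CONF:-/etc/ld.so.conf}"

# 0 if none of the named rrplugin macro members still has a '#'-commented line
# (the post's egrep check, reported per file; absent files are skipped).
rr_macros_active() {
    dir="$1"; shift; rc=0
    for f in "$@"; do
        if grep -q '^#' "$dir/$f" 2>/dev/null; then
            echo "commented entries remain in $dir/$f"; rc=1
        fi
    done
    return $rc
}

# 0 if every named plugin module was copied into memory_plugins.
plugins_present() {
    dir="$1"; shift; rc=0
    for p in "$@"; do
        [ -f "$dir/$p" ] || { echo "missing plugin: $dir/$p"; rc=1; }
    done
    return $rc
}

# 0 if the named plugins no longer contain an active (uncommented) shutil.rmtree()
# call, i.e. the directory of dumped modules will be preserved.
rmtree_disabled() {
    dir="$1"; shift; rc=0
    for p in "$@"; do
        if grep -q '^[[:space:]]*shutil\.rmtree' "$dir/$p" 2>/dev/null; then
            echo "dump directory still deleted by $dir/$p"; rc=1
        fi
    done
    return $rc
}

# 0 if the loader config lists /usr/local/lib, where libyara was installed.
ldconf_has_local_lib() { grep -qx '/usr/local/lib' "$1" 2>/dev/null; }

# Run every check against the post's paths; non-zero if anything needs attention.
check_vol_tree() {
    failed=0
    rr_macros_active "$VOL_ROOT/rrplugins" ntuser sam security system software || failed=1
    plugins_present "$VOL_ROOT/memory_plugins" psscan3.py apihooks.py usermode_hooks2.py || failed=1
    rmtree_disabled "$VOL_ROOT/memory_plugins" apihooks.py usermode_hooks2.py || failed=1
    ldconf_has_local_lib "$LD_CONF" || { echo "/usr/local/lib not in $LD_CONF"; failed=1; }
    return $failed
}
```

Run it with `check_vol_tree` after sourcing the file; each message names the file that still needs the edit described above.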

Plugins


Most plugins (not all) are listed in the Forensics Wiki with a brief description:

http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins

Here is a list of the installed plugins:  vol-cmds.txt

References


Moyix’s plugin page: http://www.cc.gatech.edu/~brendan/volatility/

Volatility Googlecode website: http://code.google.com/p/volatility/

7 comments:

cw said...

Thanks for putting this together. I think the lack of a user-friendly installer keeps some people away from this excellent and interesting toolkit.

You say:

"The regripper plugins are found in the “rrplugin” directory. There are “macro” members that call the other individual plugins.

Some of these are commented out and should be made active. Update the following members to remove the comments:

* ntuser
* system
* software
"

I suggest a rewording - "edit the following files and remove the comments". For those unfamiliar with regripper, "update the following members" isn't as clear.

You say:

"If you want to install this, you first must install pcre. On Ubuntu, with the Synaptic Pkg Mgr, install:

* libprce3"

Should be libpcre3 instead :) easily figured out but can't hurt to correct the tyop!

You say:

"Download yara-python-1.4a.tar.gz, then as root:

tar xvzf yara-1.4.tar.gz
cd yara-1.4/
./configure
make
make install"

This should say "Download yara-1.4.tar.gz, then as root" instead.

It would also be nice to see the installation of the malfind plugin as well. That's my next task, it has some dependencies etc.

Thanks for your work!

Curt Wilson @curtw
perpetualhorizon.blogspot.com

JL said...

Yeah, I've been meaning to fix the get_plugins script... I had written an explanation in reply to your comment on my blog. I'll do that soon.

Thanks for the documentation, I'm sure many will find it very helpful!

-Gleeda

lorgor said...

Changes made. Thanks for pointing them out.

Rob Dewhirst said...

Been using Volatility in SIFT. Just installed this in my desktop Lucid system based on these instructions.

How do I get volatility to work without the absolute path?

python volatility

doesn't work, but using the /usr/local/src/volatility/Volatility/volatility path does.

Rob Dewhirst said...

Gave up and just aliased python /usr/local/src/vol.....

Vern said...

@Rob

I just made a symbolic link to volatility then moved it to /usr/bin

Commands:

ln -s {path to volatility} vol

sudo mv vol /usr/bin

Since /usr/bin is in the default path, typing 'vol' at any command line will now invoke volatility.

Silvia Jacinto said...

I accidentally viewed your blog and I was so amazed with your work that it touched the deepness of my heart and it made me sentimental. Thanks for posting. Visit my site too.

n8fan.net

www.n8fan.net