2011-4-27 Update: The following is for Volatility 1.3. You should be looking at Volatility 1.4. See blog entry on the subject.
Memory Forensics has been a subject of major interest over the past year or so. This blog article describes my install experience with Volatility – a major memory forensics tool.
After playing with the SANS SIFT workstation forensic toolkit (cf. https://computer-forensics2.sans.org/community/siftkit/ ), I decided that a native install of Volatility would be better. Since Volatility requires extensions to Python, and installation on Windows apparently requires gymnastics such as the MinGW gcc compiler, I decided to move on to Ubuntu.
Volatility install
This recipe essentially follows Jamie Levy's instructions at http://gleeda.blogspot.com/2009/08/volatility-svn.html.
First I installed subversion:
sudo apt-get install subversion libapache2-svn
Next, I downloaded the get_plugins.bsh script by Jamie Levy (this is get_plugins.zip in the downloads section of the Volatility googlecode website).
- Ran the script in /usr/local/src. This installed Volatility plus the plugins.
- Then installed the python-dev package using the Synaptic Package Manager on Ubuntu (System -> Administration -> Synaptic Package Manager).
perl -MCPAN -e shell
From the CPAN shell, install the Inline:: base module and the other modules it pulls in; the Perl-based regripper plugins covered below depend on them.
Note that for some reason, I had to reinstall pydasm manually.
Next, fire up Volatility with --help; the list of loaded modules it prints confirms which plugins were picked up:
python volatility --help
Install MNIN updated plugins
The “Volatility Analyst Pack” is located at: http://mhl-malware-scripts.googlecode.com/files/vap-0.1.zip
This contains plugins not mentioned on the Volatility wiki.
Unzip the archive, then copy the modules to /usr/local/src/volatility/Volatility/memory_plugins (if that is where you have installed Volatility)
Install psscan3 plugin
This one is described in a moyix blog entry: http://moyix.blogspot.com/2010/07/plugin-post-robust-process-scanner.html
The link to the plugin is: http://www.cc.gatech.edu/~brendan/volatility/dl/psscan3.py
This Python module should be copied into /usr/local/src/volatility/Volatility/memory_plugins.
Update the source code
The regripper plugins live in the "rrplugin" directory. Alongside the individual plugins are "macro" members (ntuser, sam, security, system and software) that call the individual plugins in turn. Some of the entries in those macro files are commented out and should be made active. Edit the macro files to remove the comment character from those entries.
When finished, run the following egrep to ensure that everything is active; it prints every line that still starts with "#", so once all the entries are enabled the output should be empty apart from any genuine comment lines:
egrep "^#" ntuser sam security system software
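As an added example (my own shell script, not code from the original post or from Volatility or RegRipper), here is a small check that automates the egrep above: it lists the macro-file entries that are still commented out, re-enables them, and re-checks. It assumes the macro files list one plugin name per line and that a disabled entry is just that name prefixed with "#"; lines with text after "# " are treated as prose comments and left alone. The sample ntuser file it creates is constructed for the demonstration and is not RegRipper's real list.

```shell
#!/bin/sh
# Added example, not from the original post or from Volatility/RegRipper.
# Assumption: a macro file lists one plugin name per line, and a disabled
# entry is "#name" with nothing else on the line.

# Print any line that looks like a disabled plugin entry (filename:line).
list_disabled() {
    grep -H -E '^#[A-Za-z0-9_.-]+$' "$@" 2>/dev/null || true
}

# Count disabled entries across the given macro files.
count_disabled() {
    list_disabled "$@" | wc -l | tr -d ' '
}

# Strip the leading '#' from disabled entries in place. Prose comments
# ("# some words") do not match the pattern and are left untouched.
enable_all() {
    sed -i -E 's/^#([A-Za-z0-9_.-]+)$/\1/' "$@"
}

# Final check, equivalent to the egrep in the post: returns 0 when no
# disabled entries remain, 1 otherwise.
verify_active() {
    [ "$(count_disabled "$@")" = "0" ]
}

# Create a constructed sample macro file so the demo runs offline.
make_sample_dir() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/ntuser" <<'EOF'
# Constructed sample macro file (not RegRipper's real ntuser list)
acmru
#userassist
# The next plugin is slow on large hives
#recentdocs
winlogon
EOF
    echo "$sample_dir"
}

# Demo: sh rrplugin_check.sh --demo
# On the real files: enable_all ntuser sam security system software
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_dir)
    echo "disabled before: $(count_disabled "$d/ntuser")"
    list_disabled "$d/ntuser"
    enable_all "$d/ntuser"
    echo "disabled after: $(count_disabled "$d/ntuser")"
    verify_active "$d/ntuser" && echo "all macro entries active"
    rm -rf "$d"
fi
```

Run it against the real macro files from inside the rrplugin directory; list_disabled first so you can see what is about to be enabled, since a plugin that was commented out deliberately (for instance because it is slow or noisy) will be switched on too.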
apihooks.py and usermode_hooks2.py
In the memory_plugins directory, update the apihooks.py and usermode_hooks2.py plugins to comment out the following line:
These plugins dump possibly infected modules to a directory and then delete that entire directory when they finish. Commenting the line out preserves the dump directory, so the dumped executables stay available for analysis.
Install YARA
YARA is a Snort-like scanner that matches rules built from strings and byte patterns. Certain Volatility plugins use it.
Here is the reference: http://code.google.com/p/yara-project/
I couldn’t find many ready-made signatures for this tool. It is handy if you are searching for a specific signature across a number of modules.
If you want to install it, you first must install pcre, the regular-expression library YARA builds against. On Ubuntu, with the Synaptic Package Manager, install:
Download yara-1.4a.tar.gz, then as root unpack it and build it with the usual ./configure, make and make install sequence (the library ends up under /usr/local/lib):
tar xvzf yara-1.4a.tar.gz
Next install the yara-python extension (as root; the cd assumes the archive unpacks into a directory named after it):
tar xvzf yara-python-1.4a.tar.gz
cd yara-python-1.4a
python setup.py build
python setup.py install
To get this working, I had to add /usr/local/lib to the loader config file (as root):
echo "/usr/local/lib" >> /etc/ld.so.conf
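The echo above appends another copy of the path every time it is run, and the dynamic linker does not see the change until ldconfig rebuilds its cache, so "import yara" can keep failing even with the line in place. As an added example (my own shell, not code from the original post), here is an idempotent version of the fix plus the checks a practitioner would run afterwards. It assumes the YARA library landed in /usr/local/lib as libyara and that the Python binding imports as "yara"; the conf path is a parameter, so the same function works with a drop-in file under /etc/ld.so.conf.d/, which the main ld.so.conf includes on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the YARA shared
# library is installed under /usr/local/lib as libyara, and the Python
# binding imports as "yara". CONF is a parameter so the function can be
# pointed at /etc/ld.so.conf or at a drop-in under /etc/ld.so.conf.d/.

LDCONFIG=${LDCONFIG:-/sbin/ldconfig}

# Append DIR to CONF only if it is not already listed, so re-running the
# script never produces duplicate entries. Prints "added" or "present".
ensure_ld_path() {
    conf=$1
    dir=$2
    if [ -f "$conf" ] && grep -qxF "$dir" "$conf"; then
        echo present
    else
        printf '%s\n' "$dir" >> "$conf"
        echo added
    fi
}

# How many times DIR is listed in CONF (exactly 1 after ensure_ld_path).
count_ld_path() {
    grep -cxF "$2" "$1" 2>/dev/null || true
}

# Editing ld.so.conf changes nothing until the cache is rebuilt; that
# needs root, so only attempt it when running as root.
refresh_ld_cache() {
    if [ "$(id -u)" -eq 0 ]; then
        "$LDCONFIG"
    else
        echo "not root: run 'sudo ldconfig' to rebuild the loader cache" >&2
        return 1
    fi
}

# True when the loader cache now knows about LIB (e.g. libyara).
lib_in_cache() {
    "$LDCONFIG" -p 2>/dev/null | grep -q "$1"
}

# True when the Python binding loads, i.e. it found the shared library.
python_can_import() {
    python -c "import $1" 2>/dev/null
}

# Apply and verify: sh ldpath_fix.sh --apply   (as root)
if [ "${1:-}" = "--apply" ]; then
    ensure_ld_path /etc/ld.so.conf /usr/local/lib
    refresh_ld_cache
    if lib_in_cache libyara && python_can_import yara; then
        echo "yara-python OK"
    else
        echo "libyara not in loader cache or 'import yara' failed" >&2
        exit 1
    fi
fi
```

On Ubuntu the tidier target is a drop-in file (for example ensure_ld_path /etc/ld.so.conf.d/local.conf /usr/local/lib, the file name being my choice) followed by sudo ldconfig; the verification functions are the same either way, and "lib_in_cache libyara" failing after ldconfig means the library did not install where you think it did.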
When you run Volatility now, you shouldn't see any error messages at the start:
python volatility --help
Most plugins (not all) are listed in the Forensics Wiki with a brief description:
Here is a list of the installed plugins: vol-cmds.txt
Moyix’s plugin page: http://www.cc.gatech.edu/~brendan/volatility/
Volatility Googlecode website: http://code.google.com/p/volatility/