Installing Volatility on Windows

I recently had the need to run Volatility from a Windows operating system and ran into a couple issues when trying to analyze memory dumps from the more recent versions of Windows 10.

Volatility uses profiles to handle differences in data structures between Operating Systems.  There are changes in these data structures between some builds of Windows 10 that are significant enough to cause certain plugins to fail or return incomplete and unreadable results.

Compiled versions of Volatility are available on https://www.volatilityfoundation.org/releases. These releases contain all the required dependencies and don’t require any installation but they don’t contain the latest profiles. We can verify this if we download and run the compiled Windows release with the –info switch to display the available profiles.  Those of you that are familiar with Windows build numbers will note that we are missing the following builds: 15063, 16299, 17134, and 17763. volatilty-compiled-profiles

Installation

To get the latest profiles, we need to install Volatility using the source code files. These utilize Python and will also require some dependencies to be installed for all plugins to work.  Also, I’d like to point out that while these instructions are for Windows, the same principle applies to installing on other Operating Systems. For additional details, I highly recommend you take a look at the Installation page on the Volatility Github. This provides links for all the dependencies and explains what functionality they provide.

  1. Download and install Python 2.7. (The Volatility setup script doesn’t currently support Python 3). **Make sure to enable the option to add Python to Path during the installation as shown below.**
    Python_SetPath
  2. Download the Volatility source code archive and extract files
  3. Open a command prompt, navigate to the location you extracted the Volatility source to and run “setup.py install”
    Volatility_setup
  4. If we run “vol.py -h” at this point, we will get an error indicating that several dependencies are not installed.  Use the links and commands below to install the following dependencies.
    • diStorm3: Download from https://github.com/gdabah/distorm/releases and run the executable to install
      distrom_binaries
    • pyCrypto: I had some issues with installing pyCrypto. The install link on the Volatility Github for the pyCrypto binaries is the easiest install method but it stopped working shortly before this posting. I’ll leave it up in case it’s a temporary issue. If not, we can use pip to install but will need to install the Microsoft C++ Compiler for Python 2.7 prior to doing so.
    • Yara: https://www.dropbox.com/sh/umip8ndplytwzj1/AADdLRsrpJL1CM1vPVAxc5JZa?dl=0&lst=
      I know the dropbox link seems sketchy but that’s where the Volatility Github points to when selecting the option for binary installers. There are several options on this page. Make sure to select one of the py2.7.exe options. Once downloaded, run the executable to install.
      Yara_dropbox
    • openpyxl: There are no compiled Windows binaries so we will install by running “pip install openpyxl” from the command line
    • ujson: There is no compiled binary installer for this one either so we will use PIP to install here too: “pip install ujson”
      pip_openpyxl_ujson

There is one other dependency listed for Volatility which is the Python Imaging Library (PIL). This gives Python the ability to process images an graphics. I was unable to install this and it wasn’t a capability I needed in Volatility so I chose to leave it out.

So that’s it. Now if we run “vol.py –info” we can see the newer profiles are listed.Volatility-profiles_source

We can get started with Volatility by running “vol.py -h” from the command line to see the syntax.
volatility_help
The SANS Memory Forensics Cheat Sheet is also a great resource if you need help getting started on Memory Forensics commands.
https://digital-forensics.sans.org/media/volatility-memory-forensics-cheat-sheet.pdf

Finally – I need to say thanks here to Richard Davis and his 13Cubed YouTube channel. Richard has a ton of great videos, one of which covers this profile issue on SIFT Workstation and Kali Linux.  I watched this several months ago and when I ran into the Windows issue, I knew the cause right away thanks to him.  Here’s the video if you are interested.

I hope this is helpful and if you have any questions or comments feel free to reach out.

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s