Volatility is a powerful memory forensics tool. This guide will show you how to install Volatility 2 and Volatility 3 on Debian and Debian-based Linux distributions, such as Ubuntu and Kali Linux.
With Volatility, you can read memory/RAM captures and determine all sorts of things about the state of a system when the memory capture was made, including, but not limited to:
Unfortunately, most of these features/plugins only apply to memory captures of systems running Windows.
Volatility 2 is written for Python 2. Python 2 reached End of Life (EOL) in 2020. Volatility 3 is written for Python 3, and is much faster. However, Volatility 3 currently does not have anywhere near the same number of plugins/features as Volatility 2, so is is best to install both versions side-by-side and use whichever version is best suited for a particular task, which for now is most likely Volatility 2.
sudo apt install -y build-essential git libdistorm3-dev yara libraw1394-11 libcapstone-dev capstone-tool tzdata
sudo apt install -y python2 python2.7-dev libpython2-dev
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
sudo python2 get-pip.py
sudo python2 -m pip install -U setuptools wheel
To install system-wide for all users, use the sudo
command in front of the python2
commands.
python2 -m pip install -U distorm3 yara pycrypto pillow openpyxl ujson pytz ipython capstone
sudo python2 -m pip install yara
sudo ln -s /usr/local/lib/python2.7/dist-packages/usr/lib/libyara.so /usr/lib/libyara.so
python2 -m pip install -U git+https://github.com/volatilityfoundation/volatility.git
sudo apt install -y python3 python3-dev libpython3-dev python3-pip python3-setuptools python3-wheel
To install system-wide for all users, use the sudo
command in front of the python3
commands.
python3 -m pip install -U distorm3 yara pycrypto pillow openpyxl ujson pytz ipython capstone
python3 -m pip install -U git+https://github.com/volatilityfoundation/volatility3.git
Installing Volatility as a user instead of as root
allows you to install Volatility and its dependencies without polluting your system’s Python environment. Installed commands are not in your PATH
by default, so if you try running vol.py
(Volatility 2) or vol
/volshell
(Volatility 3) in your shell, the command will not be found.
To fix this you need to add /home/username/.local/bin
to your the PATH
, replacing username
with your actual username. The process for doing this varies, depending which shell you are using.
bash
shell. If not, type bash
and hit enterusername
with your actual username)echo 'export PATH=/home/username/.local/bin:$PATH' >> ~/.bashrc
. ~/.bashrc
fish
shell. If not, type fish
and hit enterusername
with your actual username)mkdir -p ~/.config/fish
echo 'set -x PATH /home/username/.local/bin $PATH' >> ~/.config/fish/config.fish
. ~/.config/fish/config.fish
ksh
or sh
shell. If not, type ksh
or sh
and hit enterusername
with your actual username)echo 'export PATH=/home/username/.local/bin:$PATH' >> ~/.profile
. ~/.profile
zsh
shell. If not, type zsh
and press enterusername
with your actual username)echo 'export PATH=/home/username/.local/bin:$PATH' >> ~/.zshrc
. ~/.zshrc
This post was last modified on October 6, 2021 6:59 pm
View Comments
Thanks for taking the time on this , much appreciated.
Thank you so much! You have helped me solve my problem :)
I have installed both volatility2 and volatility3 using sudo in front of the "python2 -m pip install" and "python3 -m pip install" commands so that volatility is installed for all users. I am able to call volatility2 by typing "vol.py" at the shell, but I don't know how to call volatility 3. Could you help me please. Thank you.
vol
volshell
vol.py
Thank you for this tutorial. I am now up and running with both Volatility versions. I find that Volatility 3 is well developed for Windows plugins, but very lacking for Linux plugins. Is there a reason for that? Is it because Volatility 2 is good enough for Linux systems?
Great tutorial - Installed both Vol 2 and Vol 3 on Kali 2022.2, whereas Vol 2 works like a charm while Vol 3 is somehow acting up and returning following messages:
┌──(kali㉿kali)-[~]
└─$ vol -f exam-sim-2.mem kdbgscan
Volatility 3 Framework 2.2.0
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]] [-e EXTEND] [-p PLUGIN_DIRS]
[-s SYMBOL_DIRS] [-v] [-l LOG] [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE] [--write-config]
[--save-config SAVE_CONFIG] [--clear-cache] [--cache-path CACHE_PATH] [--offline]
[--single-location SINGLE_LOCATION] [--stackers [STACKERS ...]]
[--single-swap-locations [SINGLE_SWAP_LOCATIONS ...]]
plugin ...
volatility: error: argument plugin: invalid choice kdbgscan (choose from banners.Banners, configwriter.ConfigWriter, frameworkinfo.FrameworkInfo, isfinfo.IsfInfo, layerwriter.LayerWriter, linux.bash.Bash, linux.check_afinfo.Check_afinfo, linux.check_creds.Check_creds, linux.check_idt.Check_idt, linux.check_modules.Check_modules, linux.check_syscall.Check_syscall, linux.elfs.Elfs, linux.keyboard_notifiers.Keyboard_notifiers, linux.kmsg.Kmsg, linux.lsmod.Lsmod, linux.lsof.Lsof, linux.malfind.Malfind, linux.mountinfo.MountInfo, linux.proc.Maps, linux.psaux.PsAux, linux.pslist.PsList, linux.pstree.PsTree, linux.tty_check.tty_check, mac.bash.Bash, mac.check_syscall.Check_syscall, mac.check_sysctl.Check_sysctl, mac.check_trap_table.Check_trap_table, mac.ifconfig.Ifconfig, mac.kauth_listeners.Kauth_listeners, mac.kauth_scopes.Kauth_scopes, mac.kevents.Kevents, mac.list_files.List_Files, mac.lsmod.Lsmod, mac.lsof.Lsof, mac.malfind.Malfind, mac.mount.Mount, mac.netstat.Netstat, mac.proc_maps.Maps, mac.psaux.Psaux, mac.pslist.PsList, mac.pstree.PsTree, mac.socket_filters.Socket_filters, mac.timers.Timers, mac.trustedbsd.Trustedbsd, mac.vfsevents.VFSevents, timeliner.Timeliner, windows.bigpools.BigPools, windows.cachedump.Cachedump, windows.callbacks.Callbacks, windows.cmdline.CmdLine, windows.crashinfo.Crashinfo, windows.devicetree.DeviceTree, windows.dlllist.DllList, windows.driverirp.DriverIrp, windows.driverscan.DriverScan, windows.dumpfiles.DumpFiles, windows.envars.Envars, windows.filescan.FileScan, windows.getservicesids.GetServiceSIDs, windows.getsids.GetSIDs, windows.handles.Handles, windows.hashdump.Hashdump, windows.info.Info, windows.ldrmodules.LdrModules, windows.lsadump.Lsadump, windows.malfind.Malfind, windows.mbrscan.MBRScan, windows.memmap.Memmap, windows.modscan.ModScan, windows.modules.Modules, windows.mutantscan.MutantScan, windows.netscan.NetScan, windows.netstat.NetStat, windows.poolscanner.PoolScanner, windows.privileges.Privs, windows.pslist.PsList, windows.psscan.PsScan, windows.pstree.PsTree, windows.registry.certificates.Certificates, windows.registry.hivelist.HiveList, windows.registry.hivescan.HiveScan, windows.registry.printkey.PrintKey, windows.registry.userassist.UserAssist, windows.sessions.Sessions, windows.skeleton_key_check.Skeleton_Key_Check, windows.ssdt.SSDT, windows.statistics.Statistics, windows.strings.Strings, windows.symlinkscan.SymlinkScan, windows.vadinfo.VadInfo, windows.verinfo.VerInfo, windows.virtmap.VirtMap)
Unfortunately I can't make much sense out of it, any hint what might be missing or where I might need to look into?