Volatility framework

The Volatility framework is a set of tools for memory forensics used for malware analysis, threat hunting, and extracting valuable information from RAM. The current stable release (Volatility 2) needs Python 2 to be installed. Python 3 support is under development, but few of the useful plugins have been ported so far.

The requirement for Python 2 can be problematic on recent editions of Ubuntu because Python 2 is no longer maintained as of January 2020. The steps below should get you a working installation of Volatility on Ubuntu 20.04, which is the latest version at the time of writing.

Installation steps

  1. Upgrade the system.
user@host:~$ sudo apt update && sudo apt full-upgrade -y
  2. Install additional tools. Not all are strictly required, but this is a good starting point.
user@host:~$ sudo apt install -y python2 python-dev dwarfdump build-essential yara zip
  3. Install pip2. You need to do it this way on Ubuntu 20.04, because the distribution no longer ships a python-pip package for Python 2.
user@host:~$ curl https://bootstrap.pypa.io/get-pip.py --output get-pip.py
user@host:~$ sudo python2 get-pip.py
  4. Install pip modules. distorm3 v3.5.0 causes issues with Volatility, so pin the older release; see this GitHub issue.
user@host:~$ sudo pip2 install pycrypto yara-python distorm3==3.4.4
  5. Download and set up the latest version of Volatility 2.
user@host:~$ git clone https://github.com/volatilityfoundation/volatility.git
user@host:~$ cd volatility/
user@host:~/volatility$ sudo python2 setup.py install
  6. Check that Volatility is working. You should not get any errors.
user@host:~/volatility$ sudo vol.py --info

Optional extras

  1. Build a custom profile. See this great reference blog.
user@host:~$ cd ~/volatility/tools/linux/ && make
user@host:~/volatility/tools/linux$ zip $(lsb_release -i -s)_$(uname -r)_profile.zip ./module.dwarf /boot/System.map-$(uname -r)
  2. Install the custom profile. Replace the Volatility version number in the destination path with the version you cloned.
user@host:~/volatility/tools/linux$ sudo mv $(lsb_release -i -s)_$(uname -r)_profile.zip /usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/overlays/linux/
  3. Perform a memory dump on this system.
user@host:~$ wget https://github.com/microsoft/avml/releases/download/v0.2.0/avml-minimal
user@host:~$ chmod +x avml-minimal
user@host:~$ sudo ./avml-minimal memory_dump.lime
  4. Forensicate the memory dump. Use the appropriate profile (which you may have just created).
user@host:~/volatility$ sudo vol.py -f ~/memory_dump.lime --profile=LinuxUbuntu_5_4_0-42-generic_profilex64 linux_pstree
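The profile name passed to --profile= in the last step is not typed freely: Volatility 2 derives it from the zip file name (Linux, then the zip basename with dots turned into underscores, then x64 or x86), which is why Ubuntu_5.4.0-42-generic_profile.zip becomes LinuxUbuntu_5_4_0-42-generic_profilex64. The script below is an added example, not code from the page or from the Volatility project: it wraps the four optional steps above in shell functions, checks that the System.map and build tools are present before running make, and computes the zip name and the matching --profile= value so the final vol.py command cannot be mistyped. The VOLATILITY_VERSION and RUN_VOLATILITY_WORKFLOW variables are assumptions introduced here; the paths and the avml URL come from the page.

```shell
#!/bin/sh
# Added example (not part of the original page). Helpers for the
# "Optional extras" workflow: build a Linux profile, install it, dump
# memory with avml and run linux_pstree with the derived profile name.

# Map `uname -m` to the suffix Volatility appends to a Linux profile name.
# Volatility actually reads the word size from module.dwarf; for a profile
# built on the host being analysed the two agree.
arch_suffix() {
    case "$1" in
        x86_64|amd64) echo x64 ;;
        i386|i486|i586|i686) echo x86 ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Zip name used on this page: <DistributorID>_<kernel release>_profile.zip
profile_zip_name() {
    echo "${1}_${2}_profile.zip"
}

# Volatility 2 names the profile "Linux" + zip basename (without .zip,
# dots replaced by underscores) + arch suffix.
volatility_profile_name() {
    zipfile=$(basename "$1")
    base=${zipfile%.zip}
    echo "Linux$(printf '%s' "$base" | tr '.' '_')$2"
}

# Fail early if the pieces the profile build needs are missing.
preflight() {
    krel=$1
    [ -r "/boot/System.map-$krel" ] || { echo "missing /boot/System.map-$krel" >&2; return 1; }
    command -v dwarfdump >/dev/null 2>&1 || { echo "dwarfdump not installed" >&2; return 1; }
    command -v zip >/dev/null 2>&1 || { echo "zip not installed" >&2; return 1; }
    command -v vol.py >/dev/null 2>&1 || { echo "vol.py not on PATH" >&2; return 1; }
}

# The full workflow; only runs when explicitly requested (see bottom).
run_workflow() {
    distro=$(lsb_release -i -s) || return 1
    krel=$(uname -r)
    suffix=$(arch_suffix "$(uname -m)") || return 1
    zipname=$(profile_zip_name "$distro" "$krel")
    profile=$(volatility_profile_name "$zipname" "$suffix")
    # VOLATILITY_VERSION is an assumed override; 2.6.1 is the value on the page.
    volver=${VOLATILITY_VERSION:-2.6.1}
    overlay=/usr/local/lib/python2.7/dist-packages/volatility-$volver-py2.7.egg/volatility/plugins/overlays/linux

    preflight "$krel" || return 1
    [ -d "$overlay" ] || { echo "overlay dir $overlay not found; set VOLATILITY_VERSION" >&2; return 1; }

    # 1-2: build the profile and move it into the overlay directory.
    ( cd "$HOME/volatility/tools/linux" && make \
        && zip "$zipname" ./module.dwarf "/boot/System.map-$krel" \
        && sudo mv "$zipname" "$overlay/" ) || return 1

    # 3: acquire memory with avml (URL from the page).
    ( cd "$HOME" \
        && wget -q https://github.com/microsoft/avml/releases/download/v0.2.0/avml-minimal \
        && chmod +x avml-minimal \
        && sudo ./avml-minimal memory_dump.lime ) || return 1

    # 4: confirm Volatility sees the new profile, then run the plugin.
    sudo vol.py --info | grep -q "^$profile " || { echo "profile $profile not listed by vol.py --info" >&2; return 1; }
    echo "using profile $profile"
    sudo vol.py -f "$HOME/memory_dump.lime" --profile="$profile" linux_pstree
}

# Guarded so the file can be sourced for its helpers without touching the
# system; run with RUN_VOLATILITY_WORKFLOW=1 to execute all four steps.
if [ "${RUN_VOLATILITY_WORKFLOW:-0}" = 1 ]; then
    run_workflow
fi
```

The grep against vol.py --info is the cheap check worth keeping even if you do the rest by hand: if the zip landed in the wrong egg directory or its name was mangled, the profile is simply absent from that list and the later linux_pstree run fails with a less obvious error.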