How to install Volatility on Ubuntu 20.04
Hi I’m Nik, welcome to That Cyber Trainer!
Every Monday I post personal experiences and research, and every Wednesday I post an issue of CyBytes, a series where I break down security concepts, techniques and tools in a no-fluff, easy-to-digest email!
Subscribe if you haven’t already!
What is Volatility?
Volatility is a tool that helps you analyze memory from a computer. It works by taking a snapshot of a computer's memory and then letting you dig through that snapshot to find useful information. This information can be used to figure out what a computer was doing at a certain point in time or to find evidence of malicious activity.
One of the benefits of Volatility is that it can help you find information that might not be available through other means. For example, if a hacker has deleted important files from a computer, Volatility might still be able to find traces of those files in the computer's memory.
Another benefit of Volatility is that it can be used to analyze memory from a wide variety of operating systems, including Windows, Linux, and Mac OS. This makes it a very versatile tool that can be used in a variety of different situations.
Finally, Volatility is open-source and free to use, which makes it accessible to everyone. This means that anyone can use it, regardless of their budget.
How do I install Volatility on Ubuntu?
1. First, make sure that all your system packages are up-to-date by running the following apt commands in the terminal.
sudo apt update
sudo apt upgrade
sudo apt install git
2. Installing Python.
Run the following command to install Python 2.7, pip and the other build dependencies Volatility needs:
sudo apt install python2.7 python3-pip python-setuptools build-essential python-dev-is-python2
3. Installing Distorm.
Next, use pip to install distorm3, the disassembler library Volatility uses:
sudo pip install distorm3==3.4.4
4. Installing Volatility on Ubuntu 20.04.
To install, simply clone the Volatility Git repository:
git clone https://github.com/volatilityfoundation/volatility.git
Make the newly cloned entry point, vol.py, executable:
chmod +x volatility/vol.py
Next, move the volatility directory to /opt and create a symlink to make it globally available:
sudo mv volatility /opt
sudo ln -s /opt/volatility/vol.py /usr/bin/vol.py
5. Test.
Finally, check that Volatility is working:
vol.py --info
NOTE: you may see a lot of errors like this:
[..] (ImportError: No module named Crypto.Hash)
This error occurs when PyCrypto is not installed. PyCrypto is a library used by some of the registry plugins, such as lsadump. The message is printed whenever you run any plugin, not only the registry ones. If you are not using lsadump, hashdump or any other registry plugin that depends on PyCrypto, you can safely ignore it. Otherwise, install PyCrypto and the message will disappear:
pip install pycrypto
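To decide whether the import warnings actually matter for the plugins you need, the following added script (not from the original post) maps each "No module named X" warning from vol.py's stderr to the pip package that provides it, and optionally checks the Python 2 interpreter directly. The sample warning lines are constructed; the mapping only covers the two modules this guide installs.

```sh
#!/bin/sh
# Added example, not from the original post: classify the Volatility 2 import
# warnings by the pip package that satisfies them, so you know which plugins
# are affected before deciding the noise from `vol.py --info` can be ignored.

# Map a missing Python module (the X in "ImportError: No module named X")
# to the pip package that provides it. Only the two modules this install
# guide deals with are mapped; anything else is reported as unknown.
module_to_package() {
  case "$1" in
    Crypto|Crypto.*) echo "pycrypto" ;;  # lsadump, hashdump, other registry plugins
    distorm3)        echo "distorm3" ;;  # disassembly output (e.g. malfind)
    *)               echo "unknown:$1" ;;
  esac
}

# Read vol.py's stderr on stdin and print the distinct pip packages needed,
# one per line, in the order they are first seen.
missing_packages() {
  sed -n 's/.*ImportError *: *No module named \([A-Za-z0-9_.]*\).*/\1/p' \
    | while IFS= read -r mod; do module_to_package "$mod"; done \
    | awk '!seen[$0]++'
}

# Constructed sample of the warnings described in the post (not captured output).
SAMPLE_STDERR='*** Failed to import volatility.plugins.registry.lsadump (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.hashdump (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.malfind (ImportError: No module named distorm3)'

# Live check against the python2 interpreter that vol.py runs under.
# Returns 0 if both modules import, 1 if any is missing, 2 if python2 is absent.
live_import_check() {
  command -v python2 >/dev/null 2>&1 || { echo "python2 not found; skipping live check"; return 2; }
  rc=0
  for mod in distorm3 Crypto.Hash; do
    if python2 -c "import $mod" 2>/dev/null; then echo "ok   $mod"; else echo "MISS $mod"; rc=1; fi
  done
  return $rc
}

echo "pip packages needed by the plugins failing in the constructed sample:"
printf '%s\n' "$SAMPLE_STDERR" | missing_packages
live_import_check || true
```

On a real system, pipe the actual output in with `vol.py --info 2>&1 | missing_packages` (assumed usage) to get the list of packages to install.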