FullInstallation  
Covers full installation for Volatility 2.0 Dev
Updated Oct 24, 2011 by michael.hale@gmail.com

Full Dev Installation for Volatility 2.0

This guide is for people who want a full development installation of Volatility 2.0 (for example to write your own plugins or explore the source code). If you just want to quickly get started with using Volatility, there are standalone executables and installers available in the "downloads section".

Installation Prerequisites

In order to use Volatility, you will need to install a few prerequisite programs and packages.

Prerequisites

  • Python 2.6 or greater, but not Python 3.0. Python 2.6 will be used in this guide.
  • Distorm (Malware Plugins, Volshell)
  • Yara (Malware Plugins)
  • PyCrypto (Core)
  • Subversion Client. We recommend TortoiseSVN for Windows
  • 7zip or an application that can unzip zip and gzip files
  • MinGW or other C Compiler (for compiling Pycrypto library)

Windows Installation

This covers how to install Volatility 2.0 on Windows.

Python Installation

In order to use Volatility, you must first install Python. You should get version 2.6 for Windows. When you download the file, double-click to install and you will see the following security message. Just click Run.

Choose the appropriate install options. Most likely you will want to install for all users on the machine:

The installer will ask you where you would like to install the Python files, the default under C:\Python26 should be fine:

The installer will then give you the option for more advanced install options. Unless you know what you are doing, it will be best to leave all options enabled:

On Vista/Windows7 you may have to confirm that you want to install:

Hit “Next” and Python will now install. Hit “Finish” when installation completes:

Setting Environment Variables

After Python is installed, you should make sure that the Python extensions are registered. If you have a regular start menu, click on start and then right click on “Computer” and choose properties. If you have the classic start menu, just right click on “My Computer” and choose properties.

If you have Windows 7 you will see the following screen. Choose "Advanced System Settings". You should see the following (some personal details removed):

Make sure you are on the "Advanced" tab and choose "Environmental Variables":

On the next screen find the "Path" variable and click "Edit":

Click on the text and scroll all the way to the end. Append the path of our Python installation to the end of the existing Path variable. Where it says “Variable Value” go to the end of the line and add the following:

;C:\Python26

The semicolon separates our new Path location from the current values. If the location of your Python installation is different from the above, type the appropriate folder location instead.

Now we are ready to test that we have set up everything correctly. Open a command prompt by clicking on the "Start Menu" and clicking on "Run". For Windows 7, click "Start" and type "cmd" in the search text box and hit "Enter":

Type "python" into the command prompt. You should then see the Python header and the interactive prompt (>>>). Type "quit()" to exit. If this works, Python is installed correctly.

Installing Dependencies

Installing MinGW

Occasionally you will need a C/C++ compiler in order to install Python libraries. If you install Distorm3 or Pycrypto from source, you will need a compiler. Download the compiler from the Sourceforge site. Make sure you get the "mingw-get-inst" installer as shown below:

Double click the installer. You should see the following picture. Hit Next to continue.

If you are running as Administrator you will see the following screen. Just hit Next.

You will have a choice to install the latest MinGW build or prepackaged binaries.

Accept the agreement.

Choose a location to install MinGW.

Keep accepting defaults until you get to the "Select Components" screen. Here you will need to make sure you have at least the C++ compiler checked as well as "MSYS Basic System" so you will have the "make" utility.

Hit Next. A black command prompt may appear as things are installing; just ignore it. If all goes well you will see the "Finish" screen. Just hit "Finish".

Add the "bin" directory of MinGW to your path like you did for Python. If you accepted the default installation directory the text to add would be:

;C:\MinGW\bin

You can test that this works by typing "gcc" plus "Enter" at the command line. You should see "gcc: no input files" if your path variable is set up correctly:

Installing Pycrypto

If you do not have a C compiler like MinGW installed, you can install a precompiled version of Pycrypto from www.voidspace.org.uk. If you installed MinGW as above you can install Pycrypto as follows.

To install from source, first go to the Pycrypto repository page. You can download a snapshot as a gzip file:

If you have 7zip installed, right click on the downloaded file and choose open 7zip->Open Archive:

Double click the tar file inside and click the "Extract" button.

Choose a location to extract the folder to:

Once the folder is extracted, open the command prompt and change directory into that folder. In this case, the folder was extracted onto the Desktop, so the command issued is:

cd Desktop\pycrypto-2.0.x

Once inside you can issue a "dir" command to make sure you have all the files, including "setup.py".

Type the following commands to install (wait until the first one finishes before typing the second one):

python setup.py build -c mingw32
python setup.py install

As long as you don't see any errors Pycrypto should be installed correctly.

Installing Distorm3

Distorm3 is used by several Malware plugins as well as the Core Volshell plugin. It's easiest to install the precompiled library for Python 2.6, which is the method shown here. Go to the Distorm Google Code page and download the distorm3-1.0.win32.zip which contains the library for Python 2.6. Unzip the file and navigate into the Python26\Lib\site-packages directory:

Copy all contents into your Python 2.6 library location, in this case C:\Python26\Lib\site-packages.

You can check the installation by running python and importing distorm3. If you don't see any errors, distorm3 was installed correctly.

Installing Yara-Python 1.4a

Download the appropriate yara-python-1.4a.win32-py2.X.exe Windows installer. In this guide we will use yara-python-1.4a.win32-py2.6.exe. Double click the installer and click Next.

The installer should pick up your Python installation. If you have more than one version of Python installed, choose the installation you will be using for Volatility.

Accept all defaults, hitting Next until complete. As long as there are no errors shown, installation should be successful. You can always verify by running Python and typing "import yara".

Installing TortoiseSVN

In order to get the source code for Volatility 2.0 from the repository, you will need a Subversion (SVN) client. You can download the client from http://tortoisesvn.net/downloads.html. Make sure to choose the correct installer:

Double click the installer and keep hitting next. Accept all defaults and accept the user agreement. Hit "Finish" when the installation completes.

You will be asked to restart your computer after TortoiseSVN is installed.

After restarting, you can verify that TortoiseSVN is installed correctly by right-clicking on the Desktop. If it is installed, you will see it in the menu:

Installing Volatility 2.0 from SVN

Once you have a Subversion client installed, you can download the latest source code for Volatility 2.0 from the code repository. This guide will use TortoiseSVN. First create a folder where you want to keep the Volatility source code. For this guide we will create a folder "C:\Volatility 2.0". Go inside this folder and right-click, bringing up the menu options for TortoiseSVN. Choose "SVN Checkout":

Type the following url for the repository:

http://volatility.googlecode.com/svn/trunk

All other defaults should be fine, click OK. When the repository is finished downloading click OK to close out.

You should then see all the Volatility source code in the folder.

To use Volatility, open a command line and navigate to the Volatility source directory. In this case:

cd "c:\Volatility 2.0"

Then type:

python vol.py -h

You should see a long list of output that includes all of the plugins that are available. For more information on how to use Volatility check out BasicUsage and CommandReference.

Linux Installation

This covers how to install Volatility 2.0 on Linux.

Installing SVN and Basic Dependencies

Luckily installation is a bit easier for Linux. You will need to install Subversion and libpcre in addition to the dependencies listed above. These should be available in your distribution's repository. For example on Ubuntu (as root):

# apt-get install subversion pcregrep libpcre++-dev python-dev -y 

For Fedora/Redhat you can use yum to install the appropriate packages.

Linux: Installing Pycrypto

You have to install PyCrypto, since it is a requirement for core code. You can download the latest source from the pycrypto website or you can find it in your Linux distribution repository. The following commands will install this library from source on Ubuntu (you must be root to install):

$ wget http://gitweb.pycrypto.org/\?p=crypto/pycrypto-2.0.x.git\;a=snapshot\;h=9e9641d0a9b88f09683b5f26d3b99c4a2e148da5\;sf=tgz -O pycrypto.tgz

# tar -xzvf pycrypto.tgz
# cd pycrypto-2.0.x/
# python setup.py build
# python setup.py build install

Linux: Installing Distorm3

For some of the malware plugins and the volshell plugin, you will need Distorm3. The following commands will install Distorm3 from source (you must be root to install):

# wget http://distorm.googlecode.com/files/distorm3-1.0.zip
# unzip distorm3-1.0.zip
# cd distorm3-1.0
# python setup.py build
# python setup.py build install

Linux: Installing Yara 1.4 and Yara-Python 1.4a

For some of the malware plugins you will need to install Yara. The following commands will install Yara and Yara-python from source (you must be root to install):

For Yara:

# wget http://yara-project.googlecode.com/files/yara-1.4.tar.gz
# tar -xvzf yara-1.4.tar.gz
# cd yara-1.4
# ./configure
# make
# make install

For Yara-python:

# wget http://yara-project.googlecode.com/files/yara-python-1.4a.tar.gz
# tar -xvzf yara-python-1.4a.tar.gz
# cd yara-python-1.4a
# python setup.py build
# python setup.py build install

If you are on Ubuntu you will need to also run the following commands:

# echo "/usr/local/lib" >> /etc/ld.so.conf
# ldconfig
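The Windows and Linux sections above each end with "run python and import the module" as the check that a dependency landed in the right interpreter. The script below is an added example (not part of Volatility or this guide) that performs those checks in one go: it confirms the interpreter satisfies the prerequisite list's version rule (2.6 or later, not 3.x) and tries to import the modules the guide installs, under the import names those packages use (PyCrypto as Crypto, Distorm3 as distorm3, Yara-Python as yara). Run it with the same python you will use for vol.py.

```python
"""Check the Volatility 2.0 prerequisites installed by this guide."""
import sys

# Import name -> package name from the prerequisite list (assumed mapping).
CORE = {"Crypto": "PyCrypto (Core)"}
OPTIONAL = {
    "distorm3": "Distorm (Malware Plugins, Volshell)",
    "yara": "Yara-Python (Malware Plugins)",
}


def python_version_ok(version_info=sys.version_info):
    """The guide requires Python 2.6 or greater but not the 3.x series."""
    major, minor = version_info[0], version_info[1]
    return major == 2 and minor >= 6


def check_modules(names):
    """Try to import each module name; return {name: True if importable}."""
    results = {}
    for name in names:
        try:
            __import__(name)
            results[name] = True
        except ImportError:
            results[name] = False
    return results


def report(version_info=sys.version_info):
    """Return (ok, lines). ok is False if the interpreter or a core module fails;
    missing optional modules are reported but do not clear ok."""
    ok = python_version_ok(version_info)
    lines = ["Python %d.%d: %s" % (version_info[0], version_info[1],
             "ok" if ok else "unsupported (need 2.6 <= version < 3.0)")]
    for group, required in ((CORE, True), (OPTIONAL, False)):
        found = check_modules(sorted(group))
        for name in sorted(found):
            status = "ok" if found[name] else "MISSING"
            lines.append("%-9s %s: %s" % (name, group[name], status))
            if required and not found[name]:
                ok = False
    return ok, lines


if __name__ == "__main__":
    all_ok, output = report()
    print("\n".join(output))
    sys.exit(0 if all_ok else 1)
```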

Linux: Installing Volatility 2.0 from SVN

All you need to do to download the Volatility 2.0 source code is run the following command:

$ svn checkout http://volatility.googlecode.com/svn/trunk Volatility

All code will be located in the Volatility directory.

To update your working copy later, run the following command from inside the checked-out directory (Volatility, which holds trunk):

$ svn update

Linux: Installing the Malware Plugins

Change into your Volatility/volatility/plugins directory and run the following command:

$ wget http://malwarecookbook.googlecode.com/svn/trunk/malware.py

Go into your Volatility directory and type

$ python vol.py -h

To help automate this, you can run the new get_plugins script (only tested on Ubuntu and Mac OSX with Macports installed).

You should see a long list of output that includes all of the plugins that are available. For more information on how to use Volatility check out BasicUsage and CommandReference.

