ComputerSecurityStudent (CSS)

(Volatility: Lesson 1)

{ Installing Volatility on BackTrack 5 R1 }


Section 0. Background Information
  1. Volatility Overview
    • https://www.volatilesystems.com/
    • The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

  2. Pre-Requisite Lesson
  3. Lab Notes
    • In this lab we will do the following:
      1. Download Volatility 2.0
      2. Un-Tar Volatility 2.0
      3. Test Volatility 2.0

  4. Next Lesson
  5. Capabilities
    • The Volatility Framework currently provides the following extraction capabilities for memory samples:
      • Image date and time
      • Running processes
      • Open network sockets
      • Open network connections
      • DLLs loaded for each process
      • Open files for each process
      • Open registry handles for each process
      • A process' addressable memory
      • OS kernel modules
      • Mapping physical offsets to virtual addresses (strings to process)
      • Virtual Address Descriptor information
      • Scanning examples: processes, threads, sockets, connections, modules
      • Extract executables from memory samples
      • Transparently supports a variety of sample formats (i.e., Crash dump, Hibernation, DD)
      • Automated conversion between formats

     

Section 1: Login to BackTrack
  1. Start Up VMWare Player
    • Instructions:
      1. Click the Start Button
      2. Type Vmplayer in the search box
      3. Click on Vmplayer

     

  2. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  3. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

     

  4. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  5. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  6. Bring up the GNOME desktop
    • Instructions:
      1. Type startx

 

Section 2: Bring up a console terminal
  1. Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  2. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address is 192.168.1.112.
      • In your case, it will probably be different.

 

Section 3: Installing Volatility
  1. Move Old Volatility Instance
    • Instructions
      1. cd /pentest/forensics
      2. mv volatility volatility.OLD

     

  2. Download Volatility 2.0
    • Instructions
      1. wget --no-check-certificate https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/volatility/volatility-2.0.tar.gz
        • WGET is a non-interactive downloader.
      2. ls -l volatility-2.0.tar.gz

     

  3. Untar/Uncompress Volatility 2.0
    • Instructions
      1. tar zxovf volatility-2.0.tar.gz
    • Note(FYI)
      • tar stores and extracts files from a tape or disk archive.
        • z (gunzip when used with "x"), x (extract), o (keep ownerships), v (verbose), and f (specify archive file)

     

  4. Setup and Test Volatility
    • Instructions
      1. mv volatility-2.0 volatility
        • Rename the extracted volatility-2.0 directory to volatility (the old instance was moved aside to volatility.OLD in step 1)
      2. cd volatility
      3. chmod 700 vol.py
        • Give the file owner Read, Write and Execute permissions on vol.py (mode 700: no group or world access).
      4. ./vol.py -h
        • Display the volatility help menu
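    • The whole of Section 3 as one repeatable shell function, added here as an example and not part of the original lab. It assumes the tarball has already been fetched (the wget step above) and takes the lab's /pentest/forensics directory as a parameter; a temporary directory and a constructed stand-in tarball are used so it can be exercised without the real download.

```shell
#!/bin/sh
# Added example: scripted version of Section 3 (backup old instance, untar,
# rename, chmod 700, verify). Not the lab's own code.
set -eu

# install_volatility <base_dir> <tarball>
#   1. mv volatility volatility.OLD   (only if an old instance exists)
#   2. tar zxovf <tarball>            (extracts volatility-2.0/)
#   3. mv volatility-2.0 volatility
#   4. chmod 700 vol.py
# Returns 0 only when vol.py ends up owner-rwx with no group/world bits.
install_volatility() {
    base="$1"; tarball="$2"
    cd "$base"
    # Keep the old copy instead of clobbering it, as the lab does.
    if [ -d volatility ]; then
        mv volatility volatility.OLD
    fi
    # Verify the archive against a hash from a trusted source before this
    # point; the page publishes none, so no value is hard-coded here.
    tar zxovf "$tarball"
    mv volatility-2.0 volatility
    chmod 700 volatility/vol.py
    # Check a practitioner adds: confirm the mode actually applied (GNU stat).
    mode=$(stat -c '%a' volatility/vol.py)
    [ "$mode" = "700" ] && [ -x volatility/vol.py ]
}

# Constructed fixture: a stand-in volatility-2.0.tar.gz holding a dummy vol.py,
# plus a pre-existing "volatility" directory to exercise the backup step.
make_fixture() {
    base="$1"
    mkdir -p "$base/volatility-2.0" "$base/volatility"
    printf '#!/usr/bin/env python\nprint("vol stub")\n' > "$base/volatility-2.0/vol.py"
    (cd "$base" && tar czf volatility-2.0.tar.gz volatility-2.0 && rm -r volatility-2.0)
    echo "$base/volatility-2.0.tar.gz"
}

LAB=$(mktemp -d)
TARBALL=$(make_fixture "$LAB")
install_volatility "$LAB" "$TARBALL"
```

On the lab VM, call install_volatility with /pentest/forensics and the downloaded tarball path in place of the fixture.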

     

Section 5: Proof of Lab
  1. Proof of Lab
    • Instructions
      1. md5sum vol.py
      2. date
      3. echo "Your Name"
        • Put in your actual name in place of "Your Name"
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press the <Ctrl> and <Alt> key at the same time.
      2. Press the <PrtScn> key.
      3. Paste into a word document
      4. Upload to Moodle

 


