(Volatility: Lesson 1)

{ Installing Volatility on BackTrack 5 R1 }

Section 0. Background Information
  1. Volatility Overview
    • The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

  2. Pre-Requisite Lesson
  3. Lab Notes
    • In this lab we will do the following:
      1. Download Volatility 2.0
      2. Un-Tar Volatility 2.0
      3. Test Volatility 2.0

  4. Next Lesson
  5. Capabilities
    • The Volatility Framework currently provides the following extraction capabilities for memory samples:
      • Image date and time
      • Running processes
      • Open network sockets
      • Open network connections
      • DLLs loaded for each process
      • Open files for each process
      • Open registry handles for each process
      • A process' addressable memory
      • OS kernel modules
      • Mapping physical offsets to virtual addresses (strings to process)
      • Virtual Address Descriptor information
      • Scanning examples: processes, threads, sockets, connections, modules
      • Extract executables from memory samples
      • Transparently supports a variety of sample formats (i.e., Crash dump, Hibernation, DD)
      • Automated conversion between formats


Section 1: Login to BackTrack
  1. Start Up VMWare Player
    • Instructions:
      1. Click the Start Button
      2. Type Vmplayer in the search box
      3. Click on Vmplayer


  2. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings


  3. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button


  4. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine


  5. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.


  6. Bring up the GNOME desktop
    • Instructions:
      1. Type startx


Section 2: Bring up a console terminal
  1. Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window


  2. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address
      • In your case, it will probably be different.


Section 3: Installing Volatility
  1. Move Old Volatility Instance
    • Instructions
      1. cd /pentest/forensics
      2. mv volatility volatility.OLD


  2. Download Volatility 2.0
    • Instructions
      1. wget --no-check-certificate
        • WGET is a non-interactive downloader.
      2. ls -l volatility-2.0.tar.gz


  3. Untar/Uncompress Volatility 2.0
    • Instructions
      1. tar zxovf volatility-2.0.tar.gz
    • Note(FYI)
      • tar stores and extracts files from a tape or disk archive.
        • z (filter the archive through gzip; decompresses when used with "x"), x (extract), o (when extracting, --no-same-owner: extracted files are owned by the user running tar rather than by the owner recorded in the archive), v (verbose), and f (specify the archive file)


  4. Setup and Test Volatility
    • Instructions
      1. mv volatility-2.0 volatility
        • Rename the extracted volatility-2.0 directory to volatility (the old copy was moved to volatility.OLD in step 1)
      2. cd volatility
      3. chmod 700
        • Give the owner (user) Read, Write and Execute permissions on the volatility script; group and others get no permissions (7 = rwx, 0 = none, 0 = none).
      4. ./ -h
        • Display the volatility help menu
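A scripted version of the Section 3 procedure, added here as an example (it is not part of the original lesson), with the checks a practitioner would want before trusting a tarball fetched with --no-check-certificate: a checksum comparison before extracting, a listing check that the archive only contains paths under its one top-level directory (no absolute or ".." entries), and the final help-menu test. It assumes the archive's entry point is vol.py (the lesson elides the script name) and takes the expected SHA-256 from the caller, since the lesson does not publish one.

```shell
#!/bin/sh
# Added example, not the lesson's own commands. Assumptions: the entry point
# inside the archive is vol.py, and the caller supplies the expected SHA-256.

# install_volatility <base_dir> <tarball> [expected_sha256]
# Moves any existing <base_dir>/volatility aside, verifies and extracts the
# tarball, renames the result to <base_dir>/volatility and runs vol.py -h.
install_volatility() {
    base="$1"; tarball="$2"; expected="$3"
    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 1; }

    # 1. Integrity: stop if a supplied checksum does not match the download.
    if [ -n "$expected" ]; then
        actual=$(sha256sum "$tarball" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || { echo "checksum mismatch" >&2; return 1; }
    fi

    # 2. Path safety: every entry must sit under one top-level directory and
    #    must not be absolute or contain a '..' component (tar path traversal).
    top=$(tar tzf "$tarball" | head -n 1 | cut -d/ -f1)
    if tar tzf "$tarball" | grep -Ev "^$top"'(/|$)' | grep -q . \
       || tar tzf "$tarball" | grep -Eq '(^/|(^|/)\.\.(/|$))'; then
        echo "unsafe or unexpected paths in archive" >&2; return 1
    fi

    # 3. Keep the previous install (lesson step 1: mv volatility volatility.OLD).
    if [ -d "$base/volatility" ]; then
        mv "$base/volatility" "$base/volatility.OLD" || return 1
    fi

    # 4. Extract (z: gunzip, x: extract, f: archive) and rename (lesson step 4).
    tar zxf "$tarball" -C "$base" || return 1
    mv "$base/$top" "$base/volatility" || return 1

    # 5. Owner-only rwx, as chmod 700 in the lesson, then the help-menu test.
    chmod 700 "$base/volatility/vol.py" || return 1
    "$base/volatility/vol.py" -h >/dev/null 2>&1
}
```

Run it as `install_volatility /pentest/forensics /path/to/volatility-2.0.tar.gz <sha256>`; a non-zero exit means one of the checks or steps failed and nothing past that point was done.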


Section 5: Proof of Lab
  1. Proof of Lab
    • Instructions
      1. md5sum
      2. date
      3. echo "Your Name"
        • Put in your actual name in place of "Your Name"
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press the <Ctrl> and <Alt> key at the same time.
      2. Press the <PrtScn> key.
      3. Paste into a word document
      4. Upload to Moodle

