How to Install Volatility 2.6 in Kali 2020.4

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.


Volatility is no longer packaged with Kali in the 2020 releases, but it can be installed manually. In this tutorial I will show you how to install Volatility 2.6 on Kali 2020.4. Volatility 2.x is Python 2 code with Python 2 dependencies, so if you simply clone the repository and run vol.py you will see errors like these (each line names a plugin that could not load and the module it was missing):

┌──(kali㉿kali)-[~/volatility]
 └─$ vol.py   
 Volatility Foundation Volatility Framework 2.6.1
 *** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
 *** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash)
 *** Failed to import volatility.plugins.timeliner (ImportError: No module named Crypto.Hash)
 *** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
 *** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
 *** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)

Since those dependencies are Python 2 packages, the first step is a Python 2 pip, bootstrapped with get-pip.py:

# note: the generic get-pip.py dropped Python 2 support in early 2021;
# on a current system fetch https://bootstrap.pypa.io/pip/2.7/get-pip.py instead
wget https://bootstrap.pypa.io/get-pip.py
sudo python2 get-pip.py
# upgrade setuptools to avoid "invalid command egg_info" error
pip2 install --upgrade setuptools
# install python-dev (Python 2 headers) to avoid "x86_64-linux-gnu-gcc failed..." error
sudo apt-get install python-dev
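A quick way to see which Python 2 packages are still missing after each step is to feed vol.py's startup output to a script rather than reading the plugin list by eye. The block below is an added example for this page, not part of the tutorial or of Volatility; the module-to-package table is my assumption based on Volatility 2.6's requirements (pycrypto, distorm3, yara-python, openpyxl), and the sample output is constructed from the error lines above.

```python
import re

# Added example (not from the tutorial): map vol.py's "Failed to import" lines
# to the Python 2 packages that satisfy them. The module->package table is an
# assumption based on Volatility 2.6's requirements; extend it if your errors differ.
MODULE_TO_PACKAGE = {
    "Crypto": "pycrypto",      # provides Crypto.Hash; pycryptodome offers the same namespace
    "distorm3": "distorm3",
    "yara": "yara-python",
    "openpyxl": "openpyxl",
}

IMPORT_ERROR = re.compile(r"ImportError: No module named ([\w.]+)")
NAME_ERROR = re.compile(r"NameError: name '([\w.]+)' is not defined")


def missing_modules(vol_output):
    """Return the sorted set of top-level modules vol.py could not import."""
    found = set()
    for line in vol_output.splitlines():
        m = IMPORT_ERROR.search(line) or NAME_ERROR.search(line)
        if m:
            found.add(m.group(1).split(".")[0])  # Crypto.Hash -> Crypto
    return sorted(found)


def missing_packages(vol_output):
    """Map missing modules to pip2 package names (unknown modules map to themselves)."""
    return sorted({MODULE_TO_PACKAGE.get(mod, mod) for mod in missing_modules(vol_output)})


def pip2_command(vol_output):
    """Build the pip2 install line, or None when nothing is missing."""
    pkgs = missing_packages(vol_output)
    return "pip2 install " + " ".join(pkgs) if pkgs else None


# Constructed sample: a few of the lines shown in the error output above.
SAMPLE = """\
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
"""

if __name__ == "__main__":
    print(pip2_command(SAMPLE))
```

Run vol.py once with its output captured (`python2 vol.py 2>&1`) and pass that text to pip2_command; when it returns None every plugin loaded. Note that pycrypto itself is unmaintained, so on a system where it will not build, pycryptodome is the usual stand-in for the Crypto namespace.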

Magnet Forensics Weekly CTF #11

Challenge 11 (Dec 14-21) – 20pts

What is the IPv4 address that myaccount.google.com resolves to?

To solve this question, I decided to try bulk_extractor. I hadn't used this tool before but had just learned about it from BakerStreetForensics' Week 10 writeup. It is a powerful tool that carves a large amount of information out of an image without needing to parse the file system. In this case I was interested in the PCAP it generates, which should contain the DNS queries and responses I need. For more information on bulk_extractor see the Kali Tools page.
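Whichever tool carves the packets, the last step is the same: decode the DNS response that answered the query for myaccount.google.com and read the A record out of it, following a CNAME if the name is an alias. The block below is an added example for this page, not part of the writeup or of bulk_extractor; the response packets it decodes are constructed (TEST-NET-3 address 203.0.113.10 and a made-up alias name), not taken from the challenge image.

```python
import struct

# Added example (not from the writeup): decode a DNS response and return the
# IPv4 addresses answering a name. Sample packets are constructed, not captured.


def _read_name(msg, offset):
    """Decode a DNS name (with RFC 1035 compression); return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 16:                              # guard against pointer loops
                raise ValueError("DNS name pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def a_records(msg, wanted):
    """IPv4 addresses answering `wanted`, following CNAME answers in the same response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        return []                                       # a query, not a response
    offset = 12
    for _ in range(qdcount):                            # skip the question section
        _name, offset = _read_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = _read_name(msg, offset)[0] if rtype == 5 else msg[offset:offset + rdlen]
        offset += rdlen
        answers.append((name.lower(), rtype, rclass, rdata))
    targets = {wanted.lower().rstrip(".")}
    for name, rtype, rclass, rdata in answers:          # CNAMEs precede the A they lead to
        if rtype == 5 and rclass == 1 and name in targets:
            targets.add(rdata.lower())
    return [".".join(str(b) for b in rdata)
            for name, rtype, rclass, rdata in answers
            if rtype == 1 and rclass == 1 and len(rdata) == 4 and name in targets]


def _name_bytes(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_sample_response(via_cname=False):
    """Constructed response: myaccount.google.com -> 203.0.113.10, optionally via a CNAME."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 2 if via_cname else 1, 0, 0)
    question = _name_bytes("myaccount.google.com") + struct.pack("!HH", 1, 1)
    ptr_q = b"\xc0\x0c"                                 # pointer to the question name
    a_rr = struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
    if not via_cname:
        return header + question + ptr_q + a_rr
    alias = _name_bytes("alias.example.net")            # constructed alias name
    cname_rr = struct.pack("!HHIH", 5, 1, 300, len(alias)) + alias
    alias_off = len(header) + len(question) + len(ptr_q) + 10
    ptr_alias = struct.pack("!H", 0xC000 | alias_off)   # A record owner = the alias
    return header + question + ptr_q + cname_rr + ptr_alias + a_rr


if __name__ == "__main__":
    print(a_records(build_sample_response(via_cname=True), "myaccount.google.com"))
```

In practice you would hand a_records the UDP payload of each packet on port 53 from the carved PCAP; with Wireshark available the same question is one filter, `tshark -r <carved.pcap> -Y 'dns.flags.response == 1 && dns.qry.name == "myaccount.google.com"' -T fields -e dns.a` (the file name is a placeholder). The CNAME handling matters because a Google hostname often answers through an alias, in which case the A record's owner name is not the name you asked for.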


Magnet Forensics Weekly CTF #10

Challenge 10 (Dec 7 – 14) Part 1 – 15pts

At the time of the RAM collection (20-Apr-20 23:23:26 - Imageinfo) there was an established connection to a Google Server. What was the Remote IP address and port number? format: "xxx.xxx.xx.xxx:xxx"

The netscan plugin in Volatility shows output similar to netstat: local and foreign addresses with the connection state and, where it is recoverable, the owning process. The row shown below is in the ESTABLISHED state with a public foreign address, and a whois lookup on that address returns a 172.253.0.0/16 allocation registered to Google LLC (AS15169). Therefore the IP and port we're after is 172.253.63.188:443.

$ volatility -f memdump.mem --profile=Win7SP0x64 netscan
Volatility Foundation Volatility Framework 2.4
--- SNIPPED ---
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created              
0x13ec87cd0        TCPv4    192.168.10.146:54282           172.253.63.188:443   ESTABLISHED      -------- -------------- 
--- SNIPPED ---
$ whois 172.253.63.188
 #
 ARIN WHOIS data and services are subject to the Terms of Use
 available at: https://www.arin.net/resources/registry/whois/tou/
 #
 If you see inaccuracies in the results, please report at
 https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
 #
 Copyright 1997-2020, American Registry for Internet Numbers, Ltd.
 #
 NetRange:       172.253.0.0 - 172.253.255.255
 CIDR:           172.253.0.0/16
 NetName:        GOOGLE
 NetHandle:      NET-172-253-0-0-1
 Parent:         NET172 (NET-172-0-0-0-0)
 NetType:        Direct Allocation
 OriginAS:       AS15169
 Organization:   Google LLC (GOGL)
 RegDate:        2013-04-04
 Updated:        2013-04-04
 Ref:            https://rdap.arin.net/registry/ip/172.253.0.0
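Picking the row by eye works on a snipped listing, but a full netscan table can run to hundreds of rows. The block below is an added example for this page, not part of the writeup or of Volatility: it parses netscan's table, keeps only ESTABLISHED rows, and tests each foreign address against the CIDR that whois returned, so the answer falls out of a rule rather than a scan down the page. The sample table is constructed from the single row above plus two made-up rows (an RFC 1918 peer and a listening socket) so the filtering has something to reject.

```python
import ipaddress
import re

# Added example (not from the writeup). NETSCAN_SAMPLE is constructed: the row
# from the writeup plus two invented rows to exercise the filters.
NETSCAN_SAMPLE = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x13ec87cd0        TCPv4    192.168.10.146:54282           172.253.63.188:443   ESTABLISHED      -------- --------------
0x13ec87ee0        TCPv4    192.168.10.146:54300           10.0.0.5:445         ESTABLISHED      4        System
0x13ec88000        TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        672      svchost.exe
"""

# offset, protocol, local, foreign, then whatever sits in the State column.
# For UDP rows netscan leaves State blank, so the Pid lands in that group;
# that is harmless here because we only act on rows that say ESTABLISHED.
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(TCPv4|TCPv6|UDPv4|UDPv6)\s+(\S+)\s+(\S+)\s+(\S+)", re.I)


def parse_netscan(text):
    """Return one dict per data row; header, blank and SNIPPED lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            offset, proto, local, foreign, state = m.groups()
            rows.append({"offset": offset, "proto": proto, "local": local,
                         "foreign": foreign, "state": state.upper()})
    return rows


def split_endpoint(endpoint):
    """'172.253.63.188:443' -> (IPv4Address, 443). Raises ValueError on '*:*' style rows."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def established_to(text, cidr):
    """'ip:port' for every ESTABLISHED IPv4 row whose foreign address lies inside `cidr`."""
    net = ipaddress.ip_network(cidr)
    hits = []
    for row in parse_netscan(text):
        if row["state"] != "ESTABLISHED" or not row["proto"].lower().endswith("v4"):
            continue
        try:
            ip, port = split_endpoint(row["foreign"])
        except ValueError:
            continue
        if ip in net:
            hits.append(f"{ip}:{port}")
    return hits


if __name__ == "__main__":
    print(established_to(NETSCAN_SAMPLE, "172.253.0.0/16"))
```

Feed it the real table with something like `volatility -f memdump.mem --profile=Win7SP0x64 netscan > netscan.txt` and the CIDR from the whois output (172.253.0.0/16 here). Checking against the registered range rather than a single address also catches a second Google connection you might otherwise miss.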

Magnet Forensics Weekly CTF #9

This week was a dive into the world of memory forensics. It’s a long one with lots of good questions. Let’s take a look at how to solve them.

Challenge 9 ( Nov 30 – Dec 7 ) Part 1 – 25pts

The user had a conversation with themselves about changing their password. What was the password they were contemplating changing to? Provide the answer as a text string.

Before we get too involved, let's find out more about the image and which profile we should be using:

$ volatility -f ./memdump.mem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c2a120L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c2c000L
                KPCR for CPU 1 : 0xfffff88002f00000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2020-04-20 23:23:26 UTC+0000
     Image local date and time : 2020-04-20 19:23:26 -0400
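Two things in that output are worth pulling out programmatically when you come back to the same image for several questions: the profile list (imageinfo suggests six, and "Image Type (Service Pack)" narrows it) and the acquisition time, which later questions quote in UTC. The block below is an added example for this page, not part of the writeup or of Volatility; it parses the text above, reproduced as constructed input, picks the first suggested profile whose service pack matches the reported one, and checks that the UTC and local timestamps describe the same instant.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example (not from the writeup). IMAGEINFO_SAMPLE is the writeup's
# imageinfo output, reproduced here as constructed input.
IMAGEINFO_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
     Image Type (Service Pack) : 1
           Image date and time : 2020-04-20 23:23:26 UTC+0000
     Image local date and time : 2020-04-20 19:23:26 -0400
"""

TS = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:UTC)?([+-]\d\d)(\d\d)")


def parse_imageinfo(text):
    """Return {field: value} for the 'Field : value' lines of imageinfo output."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("INFO") or " : " not in line:
            continue
        key, _, value = line.partition(" : ")
        fields[key.strip()] = value.strip()
    return fields


def suggested_profiles(text):
    """The Suggested Profile(s) list, in the order imageinfo printed it."""
    return [p.strip() for p in parse_imageinfo(text)["Suggested Profile(s)"].split(",")]


def preferred_profile(text, service_pack=None):
    """First suggestion whose SPn matches 'Image Type (Service Pack)' (or the given SP)."""
    info = parse_imageinfo(text)
    sp = service_pack if service_pack is not None else int(info["Image Type (Service Pack)"])
    profiles = suggested_profiles(text)
    for prof in profiles:
        m = re.search(r"SP(\d)", prof)
        if m and int(m.group(1)) == sp:
            return prof
    return profiles[0]                      # nothing matched: fall back to imageinfo's first pick


def _parse_ts(value):
    """'2020-04-20 19:23:26 -0400' -> aware datetime."""
    m = TS.fullmatch(value.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    sign = -1 if m.group(2)[0] == "-" else 1
    offset = sign * timedelta(hours=int(m.group(2)[1:]), minutes=int(m.group(3)))
    return naive.replace(tzinfo=timezone(offset))


def acquisition_time(text):
    """(ISO UTC timestamp, machine's UTC offset in hours); raises if the two lines disagree."""
    info = parse_imageinfo(text)
    utc = _parse_ts(info["Image date and time"])
    local = _parse_ts(info["Image local date and time"])
    if utc != local:                        # aware datetimes compare as instants
        raise ValueError(f"UTC and local timestamps disagree: {utc} vs {local}")
    return utc.astimezone(timezone.utc).isoformat(), local.utcoffset().total_seconds() / 3600


if __name__ == "__main__":
    print(preferred_profile(IMAGEINFO_SAMPLE), acquisition_time(IMAGEINFO_SAMPLE))
```

The service-pack match is a heuristic, not a guarantee: if a plugin misbehaves under the chosen profile, try the next suggestion. The offset returned (-4.0 here) is what you need to convert timestamps that other plugins print in UTC back into the user's local clock.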

Magnet Forensics Weekly CTF #8

This week is the last of the Linux Hadoop image, and the questions are geared more towards incident response. I will be using Autopsy.

Challenge 8 (Nov. 23-30) Part 1

What package(s) were installed by the threat actor? Select the most correct answer!

Similar to last week, let's start by looking at the APT logs on the master node, located at /var/log/apt. The last entry in history.log shows PHP being installed:

Start-Date: 2019-10-07  01:30:31
Commandline: apt install php
Install: php7.0-cli:amd64 (7.0.33-0ubuntu0.16.04.6, automatic), php-common:amd64 (1:35ubuntu6.1, automatic), php7.0-fpm:amd64 (7.0.33-0ubuntu0.16.04.6, automatic), php7.0-opcache:amd64 (7.0.33-0ubuntu0.16.04.6, automatic), php7.0:amd64 (7.0.33-0ubuntu0.16.04.6, automatic), php7.0-common:amd64 (7.0.33-0ubuntu0.16.04.6, automatic), php:amd64 (1:7.0+35ubuntu6.1), php7.0-json:amd64 (7.0.33-0ubuntu0.16.04.6, automatic), php7.0-readline:amd64 (7.0.33-0ubuntu0.16.04.6, automatic)
End-Date: 2019-10-07  01:30:41

This is a bit odd for a Hadoop cluster, and it is also the last entry before the image was acquired, leading me to believe this is the package we're looking for. Note that every package in the Install line except php:amd64 is tagged "automatic", meaning apt pulled it in as a dependency; the only thing the actor actually asked for was php, which matches the Commandline field. PHP is the correct answer.
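Reading the "automatic" tags out of a long Install line by hand is error-prone, and on a busier host the entry you want is rarely the last one. The block below is an added example for this page, not part of the writeup or of Autopsy: it parses history.log into entries and returns, for the latest install, the command line and only the packages that were explicitly requested. The sample log is constructed, combining the PHP entry from the writeup with a made-up earlier entry so ordering can be checked.

```python
import re

# Added example (not from the writeup). HISTORY_SAMPLE is constructed: an
# invented earlier entry followed by the PHP entry shown in the writeup.
HISTORY_SAMPLE = """\
Start-Date: 2019-10-06  22:10:02
Commandline: apt-get install -y htop
Install: htop:amd64 (2.0.1-1ubuntu1)
End-Date: 2019-10-06  22:10:05

Start-Date: 2019-10-07  01:30:31
Commandline: apt install php
Install: php7.0-cli:amd64 (7.0.33-0ubuntu0.16.04.6, automatic), php-common:amd64 (1:35ubuntu6.1, automatic), php:amd64 (1:7.0+35ubuntu6.1), php7.0-json:amd64 (7.0.33-0ubuntu0.16.04.6, automatic)
End-Date: 2019-10-07  01:30:41
"""

# name:arch (version[, automatic]) -- the version may itself contain ':' and ','.
PKG = re.compile(r"(\S+):(\S+) \(([^)]*)\)")


def parse_history(text):
    """Split history.log into entries (dict per blank-line-separated block), in file order."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value.strip()
    if current:
        entries.append(current)
    return entries


def packages(entry, field="Install"):
    """[(name, arch, version, automatic)] for one action field (Install/Upgrade/Remove/Purge)."""
    out = []
    for name, arch, detail in PKG.findall(entry.get(field, "")):
        parts = [p.strip() for p in detail.split(",")]
        out.append((name, arch, parts[0], "automatic" in parts[1:]))
    return out


def explicitly_installed(entry):
    """Installed packages not tagged automatic: the ones the operator asked for."""
    return [name for name, _arch, _ver, auto in packages(entry) if not auto]


def last_install(text):
    """(Start-Date, Commandline, explicit package names) of the latest entry that installed anything."""
    for entry in reversed(parse_history(text)):
        if "Install" in entry:
            return entry["Start-Date"], entry["Commandline"], explicitly_installed(entry)
    return None


if __name__ == "__main__":
    print(last_install(HISTORY_SAMPLE))
```

Rotated logs (history.log.1, history.log.2.gz and so on) are separate files in the same directory; concatenate them oldest first before calling parse_history if the activity you care about predates the current file. Also bear in mind that history.log only records apt and apt-get; a package added with dpkg -i shows up in /var/log/dpkg.log instead.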
