How to Install Volatility 2.6 in Kali 2020.4

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.

Volatility GitHub: https://github.com/volatilityfoundation/volatility

Volatility is no longer packaged with Kali in the 2020 releases, but it can be installed manually. In this tutorial I will show you how to install Volatility 2.6 in Kali 2020.4. Unfortunately it relies on Python 2 dependencies, and if you simply clone the repo and run vol.py you will see errors similar to those below:

┌──(kali㉿kali)-[~/volatility]
 └─$ vol.py   
 Volatility Foundation Volatility Framework 2.6.1
 *** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
 *** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash)
 *** Failed to import volatility.plugins.timeliner (ImportError: No module named Crypto.Hash)
 *** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
 *** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
 *** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)

As Volatility relies on certain Python 2 dependencies, we will need to install Python 2 Pip:

wget https://bootstrap.pypa.io/get-pip.py
sudo python2 get-pip.py
# upgrade setup tools to avoid "invalid command egg_info" error
pip2 install --upgrade setuptools
# install python-dev to avoid "x86_64-linux-gnu-gcc failed..." error
sudo apt-get install python-dev

Now that pip2 is installed, we can use it to get the Volatility dependencies:

pip2 install pycrypto
pip2 install distorm3

If you're only using it temporarily, you can simply clone the repo and run vol.py from the clone. Otherwise, you can run the Python installer:

git clone https://github.com/volatilityfoundation/volatility
cd volatility
# call python2 explicitly: Volatility 2.6 does not run under Python 3
sudo python2 setup.py install

Once the install is complete, you can verify by running vol.py in any context:

┌──(kali㉿kali)-[~]
 └─$ vol.py -h
 Volatility Foundation Volatility Framework 2.6.1
 Usage: Volatility - A memory forensics analysis platform.

The install script will place the plugins directory in /usr/local/contrib/plugins
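To confirm that the two pip2 installs above fixed every "Failed to import" line, here is an added helper script (not part of the original post) that parses vol.py's error output and prints the pip2 packages still missing. The Crypto to pycrypto mapping is the one used in this post; for any other module it assumes the package shares the module's name.

```shell
#!/bin/sh
# Added example, not from the original post: turn the "Failed to import" lines
# that vol.py prints into the pip2 packages still missing.
# Usage:  vol.py 2>&1 | sh vol_missing_deps.sh -      (or pass a saved file)

# Map a Python import name to the pip package providing it. Crypto -> pycrypto is
# the mapping this post relies on; other modules are assumed (unverified) to share
# their package name, so check PyPI before trusting that fallback.
pkg_for_module() {
  case "$1" in
    Crypto|Crypto.*) echo pycrypto ;;
    distorm3)        echo distorm3 ;;
    *)               echo "$1" ;;
  esac
}

# Extract module names from both error shapes seen above
# (ImportError: No module named X  /  NameError: name 'X' is not defined),
# map them to packages, and print the unique package list on one line.
missing_packages() {
  printf '%s\n' "$1" \
  | sed -n \
      -e "s/.*No module named \([A-Za-z0-9_.]*\).*/\1/p" \
      -e "s/.*name '\([A-Za-z0-9_]*\)' is not defined.*/\1/p" \
  | while read -r mod; do pkg_for_module "$mod"; done \
  | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample: three of the error lines shown earlier in the post.
SAMPLE=$(cat <<'EOF'
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
EOF
)

# Read external input only when a file (or "-" for stdin) is given; otherwise run on the sample.
if [ $# -gt 0 ]; then
  pkgs=$(missing_packages "$(cat "$1")")
else
  pkgs=$(missing_packages "$SAMPLE")
fi
if [ -n "$pkgs" ]; then
  echo "pip2 install $pkgs"
else
  echo "no missing Volatility dependencies reported"
fi
```

Run with no arguments it reports `pip2 install distorm3 pycrypto` for the sample, which matches the two installs in this post.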
