ComputerSecurityStudent (CSS)

[Login]

[Join Now]

|FORENSICS >> Volatility Framework >> Volatility 2.0 Framework >> Current Page

|Views: 22534

(Volatility: Lesson 1)

{ Installing Volatility on BackTrack 5 R1 }

Section 0. Background Information

Volatility Overview
- https://www.volatilesystems.com/
- The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
Pre-Requisite Lesson
- BackTrack: Lesson 1: Installing BackTrack 5 R1
Lab Notes
- In this lab we will do the following:
  1. Download Volatility 2.0
  2. Un-Tar Volatility 2.0
  3. Test Volatility 2.0
Next Lesson
- Helix: Lesson 4: Dump Window's Physical Memory Using NetCat to BackTrack
Capabilities
- The Volatility Framework currently provides the following extraction capabilities for memory samples
  - Image date and time
  - Running processes
  - Open network sockets
  - Open network connections
  - DLLs loaded for each process
  - Open files for each process
  - Open registry handles for each process
  - A process' addressable memory
  - OS kernel modules
  - Mapping physical offsets to virtual addresses (strings to process)
  - Virtual Address Descriptor information
  - Scanning examples: processes, threads, sockets, connections, modules
  - Extract executables from memory samples
  - Transparently supports a variety of sample formats (ie, Crash dump, Hibernation, DD)
  - Automated conversion between formats

Section 1: Login to BackTrack

Start Up VMWare Player
- Instructions:
  1. Click the Start Button
  2. Type Vmplayer in the search box
  3. Click on Vmplayer
Edit the BackTrack5R1 VM
- Instructions:
  1. Select BackTrack5R1 VM
  2. Click Edit virtual machine settings
Edit Virtual Machine Settings
- Instructions:
  1. Click on Network Adapter
  2. Click on the Bridged Radio button
  3. Click on the OK Button
Play the BackTrack5R1 VM
- Instructions:
  1. Click on the BackTrack5R1 VM
  2. Click on Play virtual machine
Login to BackTrack
- Instructions:
  1. Login: root
  2. Password: toor or <whatever you changed it to>.
Bring up the GNOME
- Instructions:
  1. Type startx

Section 2: Bring up a console terminal

Start up a terminal window
- Instructions:
  1. Click on the Terminal Window
Obtain the IP Address
- Instructions:
  1. ifconfig -a
- Note(FYI):
  - My IP address 192.168.1.112.
  - In your case, it will probably be different.

Section 3: Installing Volatility

Move Old Volatility Instance
- Instructions
  1. cd /pentest/forensics
  2. mv volatility volatility.OLD
Download Volatility 2.0
- Instructions
  1. wget --no-check-certificate https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/volatility/volatility-2.0.tar.gz
    - WGET is a non-interactive downloader.
  2. ls -l volatility-2.0.tar.gz
Untar/Uncompress Volatility 2.0
- Instructions
- Note(FYI)
Setup and Test Volatility
- Instructions

Section 5: Proof of Lab

Proof of Lab
- Instructions
  1. md5sum vol.py
  2. date
  3. echo "Your Name"
    - Put in your actual name in place of "Your Name"
    - e.g., echo "John Gray"
- Proof of Lab Instructions
  1. Press the <Ctrl> and <Alt> key at the same time.
  2. Press the <PrtScn> key.
  3. Paste into a word document
  4. Upload to Moodle