How to install Volatility (RAM / Memory Forensic Framework) in Windows

Submitted by rex on Sun, 02/28/2010 - 18:14

1. Download Python

http://www.python.org/download/

I have installed Python 2.6.4 in Windows 7, 64-bit Edition.

Open a Windows command shell and add Python to your PATH with

PATH=%PATH%;C:\Python26

If you installed Python somewhere else, replace 'C:\Python26' with that directory. This changes the PATH of the current shell session only; a new shell starts with the original PATH.

2. Download Volatility Framework

https://www.volatilesystems.com/volatility/1.3/Volatility-1.3_Beta.zip

and extract it to d:\Forensic\Tools\Volatility

3. Test Volatility

d:\Forensic\tools\Volatility>python volatility pslist -f "d:\Forensic data\ramdump2.dd"

Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      48     226    Thu Jan 01 00:00:00 1970
smss.exe             512    4      3      21     Sat Feb 27 11:37:09 2010
csrss.exe            576    512    10     302    Sat Feb 27 11:37:09 2010
winlogon.exe         600    512    19     428    Sat Feb 27 11:37:09 2010
services.exe         644    600    18     271    Sat Feb 27 11:37:09 2010
lsass.exe            656    600    23     302    Sat Feb 27 11:37:09 2010
VBoxService.exe      812    644    4      75     Sat Feb 27 11:37:09 2010
svchost.exe          856    644    9      186    Sat Feb 27 11:37:09 2010
svchost.exe          956    644    67     985    Sat Feb 27 11:37:09 2010
svchost.exe          1092   644    5      46     Sat Feb 27 11:37:10 2010
svchost.exe          1112   644    14     127    Sat Feb 27 11:37:10 2010
spoolsv.exe          1316   644    13     116    Sat Feb 27 11:37:10 2010
explorer.exe         1884   1856   11     231    Sat Feb 27 11:37:24 2010
msiexec.exe          288    644    5      91     Sat Feb 27 11:37:28 2010
VBoxTray.exe         472    1884   7      45     Sat Feb 27 11:37:30 2010
ctfmon.exe           480    1884   1      60     Sat Feb 27 11:37:30 2010
mdd_1.3.exe          1880   956    1      25     Sat Feb 27 11:40:59 2010
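The pslist table is only the starting point; what an analyst really wants is the parent-child structure behind it, so that a core process with an unexpected parent stands out. The script below is an added example, written for this post in Python 3 and not part of the original post or of the Volatility project: it parses the plain-text table pslist prints (so it also works on saved output without Volatility installed), rebuilds the process tree, lists processes whose parent is absent from the listing, and compares the core boot-chain processes against the parents they should have. The sample data is the listing shown above; the expected-parent table is an assumption for an XP-era image, which is what Volatility 1.3 supports.

```python
"""Rebuild and sanity-check the process tree from Volatility 1.3 'pslist' text.

Added example, not code from the post or from the Volatility project. It
needs only the Python standard library."""
import re

# Sample pslist output copied from the post above.
SAMPLE_PSLIST = """\
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      48     226    Thu Jan 01 00:00:00 1970
smss.exe             512    4      3      21     Sat Feb 27 11:37:09 2010
csrss.exe            576    512    10     302    Sat Feb 27 11:37:09 2010
winlogon.exe         600    512    19     428    Sat Feb 27 11:37:09 2010
services.exe         644    600    18     271    Sat Feb 27 11:37:09 2010
lsass.exe            656    600    23     302    Sat Feb 27 11:37:09 2010
VBoxService.exe      812    644    4      75     Sat Feb 27 11:37:09 2010
svchost.exe          856    644    9      186    Sat Feb 27 11:37:09 2010
svchost.exe          956    644    67     985    Sat Feb 27 11:37:09 2010
svchost.exe          1092   644    5      46     Sat Feb 27 11:37:10 2010
svchost.exe          1112   644    14     127    Sat Feb 27 11:37:10 2010
spoolsv.exe          1316   644    13     116    Sat Feb 27 11:37:10 2010
explorer.exe         1884   1856   11     231    Sat Feb 27 11:37:24 2010
msiexec.exe          288    644    5      91     Sat Feb 27 11:37:28 2010
VBoxTray.exe         472    1884   7      45     Sat Feb 27 11:37:30 2010
ctfmon.exe           480    1884   1      60     Sat Feb 27 11:37:30 2010
mdd_1.3.exe          1880   956    1      25     Sat Feb 27 11:40:59 2010
"""

# One pslist row: name, four integer columns, then the free-form start time.
# The header line and the shell prompt line do not match and are skipped.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<time>\S.*?)\s*$"
)

# Expected parent of each core process in the XP boot chain.
# Assumption: the image is Windows XP SP2/SP3, the only targets Volatility 1.3 supports.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
    "spoolsv.exe": "services.exe",
}


def parse_pslist(text):
    """Return one dict per process row, in listing order."""
    procs = []
    for m in filter(None, map(ROW_RE.match, text.splitlines())):
        procs.append({"name": m["name"], "pid": int(m["pid"]), "ppid": int(m["ppid"]),
                      "threads": int(m["thds"]), "handles": int(m["hnds"]), "time": m["time"]})
    return procs


def orphans(procs):
    """Names of processes whose parent pid is not in the listing (System excluded).

    explorer.exe is normally orphaned, because userinit.exe exits after starting it;
    anything else in this list deserves a closer look."""
    present = {p["pid"] for p in procs}
    return [p["name"] for p in procs if p["ppid"] != 0 and p["ppid"] not in present]


def lineage_mismatches(procs):
    """(child, actual parent, expected parent) for core processes with the wrong parent."""
    by_pid = {p["pid"]: p for p in procs}
    bad = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p["name"])
        if expected is None:
            continue
        parent = by_pid.get(p["ppid"])
        actual = parent["name"] if parent else "<missing>"
        if actual != expected:
            bad.append((p["name"], actual, expected))
    return bad


def render_tree(procs):
    """Indented process tree as a list of lines; processes without a listed parent are roots."""
    by_pid = {p["pid"]: p for p in procs}
    children = {}
    for p in procs:
        children.setdefault(p["ppid"], []).append(p["pid"])
    lines = []

    def walk(pid, depth):
        p = by_pid[pid]
        lines.append(f"{'  ' * depth}{p['name']} (pid {pid}, ppid {p['ppid']})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for p in procs:
        if p["ppid"] not in by_pid:
            walk(p["pid"], 0)
    return lines


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("\n".join(render_tree(procs)))
    print("orphans:", orphans(procs))
    print("lineage mismatches:", lineage_mismatches(procs))
```

Run it as `python pstree_check.py`, or redirect real pslist output to a file and pass its contents to `parse_pslist`. On the listing above it reports explorer.exe as the only orphan and no lineage mismatches; the tree also makes it obvious that mdd_1.3.exe, the tool that took the dump, was started from one of the svchost.exe instances rather than from the interactive explorer.exe session.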
