Memory Forensics

With Volatility3

Alex Rodriguez


Isn’t it beautiful?

Hello, World! In this article, I will be showing you how to set up Volatility3 on Linux (and technically on Windows as well, if you have enabled Windows Subsystem for Linux!) and how to perform introductory memory forensics using Volatility3, which is currently in beta. The Volatility3 version I am using for this tutorial is 1.2.1. The memory sample I will be using can be downloaded from the TryHackMe room, Forensics, by Whiteheart (I chose this sample because it is the only memory sample I have found that works perfectly with Volatility3, as it is still in beta). Disclaimer: I literally began working with memory forensics about a week ago, so I am by no means an expert in this area. But I guess you can still learn something useful from this article.

Volatility3 Installation

To make installation simpler, I created a Bash script to install and set up Volatility3. The script installs Python's package manager, if it isn't already installed, and also installs all the Python packages needed for full functionality of the current version of Volatility3 (several plugins depend on optional packages such as yara-python, capstone and pycryptodome, so a bare clone of the repository is not enough). Run the following commands to execute the installation script:

wget https://gist.githubusercontent.com/binexisHATT/2cbf50e6308140db4017a274fc1ce9ba/raw/e9f86718168876a3d5c42c9077933e71bf1ad4f4/volatility3_install.sh
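For readers who prefer to see what such an installer does rather than run an opaque script, the following is an added example of an equivalent install written for this article; it is not the author's gist and not part of the Volatility project. It clones the upstream volatility3 repository, creates a virtualenv, installs the dependencies from the repository's requirements.txt, and checks that vol.py starts. It assumes a Debian/Ubuntu host with apt and sudo; the VOL_DIR and VOL_INSTALL environment variables are names chosen for this example.

```shell
#!/usr/bin/env sh
# Added example, not the author's script: install Volatility 3 from the upstream
# git repository into a Python virtualenv. Assumes Debian/Ubuntu (apt) and sudo.
set -eu

VOL_REPO="https://github.com/volatilityfoundation/volatility3.git"
VOL_DIR="${VOL_DIR:-$HOME/volatility3}"   # VOL_DIR is an example variable name

# Print, space-separated, the names of the given commands that are not on PATH.
missing_cmds() {
    missing=""
    for c in "$@"; do
        command -v "$c" >/dev/null 2>&1 || missing="$missing $c"
    done
    printf '%s' "${missing# }"
}

# Map a missing command to the Debian/Ubuntu package that provides it.
apt_pkg_for() {
    case "$1" in
        python3) echo python3 ;;
        git)     echo git ;;
        *)       return 1 ;;
    esac
}

install_volatility3() {
    need="$(missing_cmds python3 git)"
    if [ -n "$need" ]; then
        pkgs=""
        for c in $need; do pkgs="$pkgs $(apt_pkg_for "$c")"; done
        sudo apt-get update && sudo apt-get install -y $pkgs
    fi
    # Debian ships the venv module without ensurepip; python3-venv supplies it.
    python3 -c 'import ensurepip' 2>/dev/null || sudo apt-get install -y python3-venv

    [ -d "$VOL_DIR" ] || git clone "$VOL_REPO" "$VOL_DIR"
    python3 -m venv "$VOL_DIR/.venv"
    "$VOL_DIR/.venv/bin/pip" install --upgrade pip
    # requirements.txt pulls in the optional plugin dependencies as well
    # (yara-python, capstone, pycryptodome, pefile ...), not just the minimal set.
    "$VOL_DIR/.venv/bin/pip" install -r "$VOL_DIR/requirements.txt"
    # Smoke test: vol.py must start and print its help without import errors.
    "$VOL_DIR/.venv/bin/python" "$VOL_DIR/vol.py" --help >/dev/null
    echo "Volatility3 installed in $VOL_DIR (run $VOL_DIR/.venv/bin/python $VOL_DIR/vol.py)"
}

# Only perform the install when explicitly requested, e.g. VOL_INSTALL=1 sh install.sh
if [ "${VOL_INSTALL:-0}" = 1 ]; then
    install_volatility3
fi
```

Installing into a virtualenv keeps Volatility3's pinned dependencies away from the system Python, which matters on a forensics workstation where other tooling may need different versions of the same packages. The `vol.py --help` check at the end catches the most common failure mode, a missing optional module that only surfaces when a plugin is loaded.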


Alex Rodriguez

I am an Offensive Security Engineer @ Amazon who writes about cybersecurity and anything related to technology. Opinions are my own.