Tuesday, August 26, 2014

Forensic FOSS: 4n6k_volatility_installer.sh - Install Volatility For Linux Automatically

Introducing FORENSIC FOSS! These posts will consist of open source software for use in everyday forensic investigations.

[UPDATE #01 11/12/2015]: Volatility 2.5 was released recently. A standalone Linux executable is included with the 2.5 release. This installer is for Volatility 2.4. If you want to work with source code and get an idea of the dependencies needed by Volatility, review this installer's code. Otherwise, I'd recommend using the official Linux standalone executable. If you really want a working 2.5 installer update, see the fork of this project by @wzod).

What Is It?
4n6k_volatility_installer.sh is a bash script that installs Volatility 2.4 (and all dependencies) for Ubuntu Linux with one command.

Why Do I Need It?
Compiling source on Linux can be a pain. Dependency hunting wastes time and drives people away from considering Linux builds of cross-platform software. With this script, you can (1) skip all of the dependency frustration, (2) get right into using the newest version of Volatility, and (3) leverage the arguably more powerful and versatile *nix shell. No longer do you have to worry about whether or not you "have everything."

What's Required?
An internet connection and an APT-based Linux distribution [for the time being]. This script has been tested on stock Ubuntu 12.04 and Ubuntu 14.04. Some testing has been done to support SIFT Workstation 3.0.

What Does It Do?
Specifically, 4n6k_volatility_installer.sh does the following:
  • Downloads, verifies, extracts, and installs source archives for everything you will need to complete a full installation of Volatility 2.4:
    • Volatility 2.4
    • diStorm3
    • Yara (+ magic module) + Yara-Python
    • PyCrypto
    • Python Imaging Library + Library Fixes
    • OpenPyxl
    • IPython
    • pytz
  •  Adds "vol.py" to your system PATH so that you can run Volatility from any location.
  • Checks to see if you are using SIFT 3.0 and applies some fixes. 
How Do I Use It?
Volatility will be installed to the directory you specify.
  • From a terminal, run: 
    • sudo bash 4n6k_volatility_installer.sh /home/dan
In the above example, the following directories will be created:
  • /home/dan/volatility_setup 
    • Contains dependency source code and the install_log.txt file.
  • /home/dan/volatility_2.4
    • Contains the Volatility 2.4 install.
You must enter a full path for your install directory.
Where Can I Download It?
You can download the script from my Github page.

Check the Github page for the script's SHA256 hash.

Bottom Line?
Don't be afraid of the terminal. Read the source for this script and understand how it works. Automation is acceptable only after you understand what is happening behind the scenes.

I'm open to making this script better. If you see a problem with the code or can suggest improvements, let me know and I'll see what I can do.

Thanks to the Volatility team for writing an amazing tool. Go to http://www.volatilityfoundation.org for more info. Thanks to @The_IMOL, Joachim Metz, @dunit50, and @iMHLv2 for feedback.


Joachim Metz said...

FYI technically the script it is not FOSS since you did not give it a FOSS license.

Michael Hale Ligh said...

Nice job Dan! I'm sure this will really come in handy for a lot of people. We considered releasing pre-compiled Linux binaries of Volatility 2.4 (similar to the Windows and Mac standalone versions) but didn't get a chance to thoroughly test them. If you're interested in building or testing such a thing, let me know. I'll also run your script on some of my Linux machines and let you know how it goes.

Anonymous said...

@Joachim: You're right. The original repo had a GPLv2 license. When I re-created it, I forgot to add the license again. I'll find a way to add it.

@MHL: Thanks. I think that would be useful. I thought about making this work across different distros, but didn't want to pre-compile something, as it might be frowned upon by those who want to know exactly what's in the binary. I took this route so that people could look at the source and verify what was being downloaded and where it was coming from. That said, this only works on APT-based machines, as I wasn't sure which distros were worth covering. I know Ubuntu is often the distro of choice, so I decided to focus on that.

If you do decide to go the pre-compiled route, I could help test it.

Joachim Metz said...

Just add the GPLv2 license file to the repo and the source header

So a couple of issue you want to be wary of:
* check for the existence of any of the tools your script relies on, e.g. wget, apt-get
* Instead of: echo "/usr/local/lib" >> /etc/ld.so.conf, use /etc/ld.so.conf.d/volatility (or equiv)

Anonymous said...

@Joachim: Thanks for the pointers. I'll go ahead with those suggestions. It's extremely valuable to receive feedback from people who have been down this road many times before. There are some assumptions made in regard to what is already installed on the target machine, but I see the value in doing those checks. If there are any other best practices I am missing, please let me know.

Anonymous said...

nice tool bro - came in handy today...btw - welcome aboard - do u have a passport?

Anonymous said...

Thank's :)

Anonymous said...

Thanks :)
This was very helpful!

Post a Comment