Sign in Subscribe

Volatility 3 Framework (v 1.0.0-beta.1) Requirements

Mike

1 min read

Very quick post, mostly notes for myself. When using Volatility 3 you might noticed that some plugins cannot be loaded

# ./vol.py -h
[...]
The following plugins could not be loaded (use -vv to see why): volatility.plugins.windows.cachedump, volatility.plugins.windows.callbacks, volatility.plugins.windows.hashdump,
volatility.plugins.windows.lsadump, volatility.plugins.windows.svcscan, volatility.plugins.windows.vadyarascan, volatility.plugins.windows.verinfo, volatility.plugins.yarascan

If you use -vv, you'll see a bunch of debug messages that are pretty clear, e.g. No module named 'yara' Seems simple enough, but I had to do just a bit of hunting. pip3 install yara caused errors, that's not the correct package. Turns out Volatility 3 is looking for yara-python. Instead of crypto, or even crypto-python, it wants pycrypto (of course). So then for pefile it must be pefile-python or pypefile right? Nope, that one actually is pefile...

pip3 install yara-python
pip3 install pycrypto
pip3 install pefile
pip3 install capstone

All plugins should load now. Enjoy.

Update 22 July 2021

I noticed today, after updating Volatility3, that I was getting errors on every memory image. Below is a sample:

user@host:~/volatility3$ python3 vol.py -f /mnt/c/memdump.mem windows.info.Info
Volatility 3 Framework 1.1.1
Progress:   85.95               Scanning primary using PdbSignatureScanner
Progress:   85.95               Scanning primary using PdbSignatureScanner
Progress:  100.00               PDB scanning finished
Unsatisfied requirement plugins.Info.nt_symbols: Windows kernel symbols

A symbol table requirement was not fulfilled.  Please verify that:
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.nt_symbols']

Turns out this is just something broken with Vol3. The git default branch is devlop. Check out the stable branch and everything seems to work fine: git clone --branch stable https://github.com/volatilityfoundation/volatility3

I also figured it was worth making an update to add capstone, an optional dependency, to the above list, and to correct a typo in the initial post. I originally said this was Volatility 3 v2[...], it should have been v1[...]. My bad.

Sign up for more like this.

Enter your email
Subscribe