Very quick post, mostly notes for myself. When using Volatility 3 you might have noticed that some plugins cannot be loaded:
# ./vol.py -h
[...]
The following plugins could not be loaded (use -vv to see why):
volatility.plugins.windows.cachedump, volatility.plugins.windows.callbacks, volatility.plugins.windows.hashdump, volatility.plugins.windows.lsadump, volatility.plugins.windows.svcscan, volatility.plugins.windows.vadyarascan, volatility.plugins.windows.verinfo, volatility.plugins.yarascan
If you use -vv, you'll see a bunch of debug messages that are pretty clear, e.g.
No module named 'yara'

Seems simple enough, but I had to do just a bit of hunting.
pip3 install yara caused errors, and that's not the correct package anyway: the import name and the pip distribution name don't match. Turns out Volatility 3 is looking for yara-python. Instead of crypto, or even crypto-python, it wants pycrypto (of course). So then for pefile it must be pypefile, right? Nope, that one actually is pefile. So:

pip3 install yara-python
pip3 install pycrypto
pip3 install pefile

One caveat: pycrypto is unmaintained (no release since 2.6.1), and newer Volatility 3 releases list pycryptodome in their requirements.txt instead. It installs the same Crypto namespace, so it satisfies the same imports; prefer it, and when in doubt just run pip3 install -r requirements.txt from the Volatility 3 checkout rather than guessing package names.
All plugins should load now: rerun ./vol.py -h and the "could not be loaded" list should be gone. Enjoy.
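As an added example (not part of the original post, and not Volatility's own code), here is a small Python helper that does the hunting above mechanically: it pulls the "No module named '...'" messages out of the -vv output, translates the import names to the pip distribution names that actually provide them, and then verifies after installation that Python can find each module. The sample log below is constructed, not a real capture; only the "No module named 'yara'" message is taken from the post. The import-to-package mapping is the one worked out above, with pycryptodome standing in for pycrypto as discussed.

```python
import importlib.util
import re

# Import name -> pip distribution name for the modules the failing plugins need.
# The mismatch between the two columns is the whole gotcha of this post.
# 'Crypto' is provided by pycrypto (what the post installed) and by the
# maintained fork pycryptodome, which current Volatility 3 requirements list.
IMPORT_TO_PIP = {
    "yara": "yara-python",
    "Crypto": "pycryptodome",
    "pefile": "pefile",
}

# Constructed sample of -vv debug output (not a real capture). Only the
# "No module named '...'" lines matter; the others are noise to skip.
SAMPLE_LOG = """\
DEBUG    loading plugin volatility.plugins.yarascan
No module named 'yara'
DEBUG    loading plugin volatility.plugins.windows.hashdump
No module named 'Crypto.Hash'
No module named 'Crypto'
DEBUG    loading plugin volatility.plugins.windows.verinfo
No module named 'pefile'
"""

# Python reports the full dotted name it failed on; we only need the top level.
MISSING_RE = re.compile(r"No module named '([A-Za-z_][\w.]*)'")


def missing_modules(log_text):
    """Return the distinct top-level import names reported missing, in order seen."""
    seen = []
    for m in MISSING_RE.finditer(log_text):
        top = m.group(1).split(".")[0]
        if top not in seen:
            seen.append(top)
    return seen


def pip_packages(modules):
    """Translate import names to pip distribution names (default: same name)."""
    return [IMPORT_TO_PIP.get(mod, mod) for mod in modules]


def pip_command(log_text):
    """Build the single pip3 command that installs everything the log complains about."""
    pkgs = pip_packages(missing_modules(log_text))
    return ("pip3 install " + " ".join(pkgs)) if pkgs else ""


def still_missing(modules):
    """After installing, confirm each module is actually importable by this Python."""
    return [m for m in modules if importlib.util.find_spec(m) is None]


if __name__ == "__main__":
    print(pip_command(SAMPLE_LOG))
    print("still missing:", still_missing(missing_modules(SAMPLE_LOG)))
```

Run it against the real output of ./vol.py -vv -h piped into a file, install what it prints, and rerun: still_missing() should come back empty with the same interpreter that will run Volatility (pip3 and vol.py must point at the same Python, or the plugins will keep failing).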