WEBVTT

00:00.560 --> 00:08.450
The Volatility framework is an open-source, cross-platform incident response framework that comes with

00:08.450 --> 00:14.780
many useful plugins that provide the investigator with a wealth of information from a snapshot of

00:14.780 --> 00:18.500
memory, also known as a memory dump.

00:18.530 --> 00:25.310
The concept of Volatility has been around for a decade, and apart from analyzing running and hidden

00:25.310 --> 00:29.810
processes, it's also a very popular choice for malware analysis.

00:29.810 --> 00:36.860
So to create a memory dump, you need several tools that we covered in previous lectures, like Belkasoft

00:36.860 --> 00:47.780
RAM Capturer, FTK Imager, dd, dc3dd, CAINE (Computer Aided INvestigative Environment), Helix and Linux

00:47.780 --> 00:50.630
Memory Extractor, named LiME.

00:50.630 --> 00:58.370
So these tools can be used to acquire the memory image or memory dump, which can then be investigated and

00:58.370 --> 01:01.400
analyzed by the tools within the Volatility framework.

01:01.410 --> 01:10.170
And so the Volatility framework can be run on any operating system, both 32-bit and 64-bit.

01:10.170 --> 01:17.880
So, and on any operating system that supports Python, including Windows XP, 7, 8,

01:17.910 --> 01:29.580
8.1 and Windows 10, 11, Windows servers, Linux, like almost all Linux starting from 2.6.11 and newer

01:29.580 --> 01:35.760
Linux. Here, you can also run the Volatility framework on macOS.

01:35.760 --> 01:48.540
So Volatility supports several dump formats, both 32-bit and 64-bit, including the Windows crash

01:48.540 --> 01:51.060
and hibernation dumps

01:51.930 --> 01:56.700
for Windows 7 and earlier.

01:59.230 --> 02:04.180
It also supports the VMware .vmem dumps.

02:04.390 --> 02:07.000
It also supports the VirtualBox dump.

02:07.330 --> 02:12.280
VirtualBox dumps, VirtualBox core dumps.

02:12.430 --> 02:16.870
It also supports the VMware saved state,

02:18.010 --> 02:24.040
named .vmss and .vmsn here.

02:26.330 --> 02:30.020
It also supports the raw physical memory.

02:32.230 --> 02:32.950
Memory.

02:32.980 --> 02:33.430
Name.

02:34.750 --> 02:38.200
It also supports QEMU.

02:39.100 --> 02:44.410
This actually means the Quick Emulator, QEMU.

02:46.240 --> 02:47.110
FireWire.

02:48.440 --> 02:49.490
HPAK.

02:50.580 --> 03:00.240
And the direct physical memory dump over IEEE 1394 FireWire here.

03:00.360 --> 03:09.930
So Volatility even allows for conversion between these formats, besides being able to accomplish

03:09.930 --> 03:12.030
everything similar tools can.

03:12.180 --> 03:19.830
So you can download Volatility from the internet, from GitHub, its official GitHub here.

03:20.980 --> 03:22.240
Let's open here.

03:22.600 --> 03:26.260
Okay, so Volatility GitHub.

03:27.650 --> 03:31.190
Here, Volatility Foundation, volatility.

03:31.400 --> 03:32.420
So.

03:36.500 --> 03:37.070
Here.

03:43.050 --> 03:48.300
So there are the memory samples that you can use here.

03:49.480 --> 03:52.570
Memory samples.

03:54.240 --> 03:55.010
Okay.

03:55.010 --> 04:01.550
And you can also download the Volatility distribution from the official website, the downloads.

04:02.370 --> 04:04.200
Here, click on downloads.

04:24.280 --> 04:24.790
Yeah.

04:25.210 --> 04:28.840
You can also download Volatility 3 or Volatility 2.

04:39.770 --> 04:40.880
In this case.

04:41.540 --> 04:41.960
Here.

04:41.960 --> 04:49.190
As you can see, there are older versions beyond XP, Linux, Mac OS X, and in this case we're going

04:49.190 --> 04:50.210
to use the Windows one.

04:51.290 --> 04:53.720
In this case, we're going to use Volatility 2.6.

04:53.720 --> 04:57.740
As you can see, you can also download it for macOS and Linux.

04:57.740 --> 05:00.920
You can also download the source code if you want to compile it again.

05:00.920 --> 05:03.710
And you can also download the Windows one here.

05:03.710 --> 05:09.530
So in this case, I'm not going to download it, but it's actually the same procedure.

05:09.530 --> 05:17.750
And in this case I'm going to use the apt package manager to install Volatility from the terminal.

05:17.750 --> 05:19.190
So here.

05:20.390 --> 05:20.780
Here.

05:20.780 --> 05:22.010
We also have the.

05:23.180 --> 05:26.450
memory samples, which we're going to work on here.

05:27.290 --> 05:35.990
These are the memory samples, and we will download them one by one, work on and analyze them, and learn Volatility

05:35.990 --> 05:37.470
more deeply.

05:37.490 --> 05:41.170
So let's now download Volatility.

05:41.180 --> 05:49.550
So in some, most Linux distributions, like if I had CSI Linux or the CAINE operating system, then

05:49.550 --> 05:56.870
Volatility would come pre-installed here, but in Linux it doesn't come pre-installed,

05:56.870 --> 05:59.060
so we have to install it.
