1
00:00:00,560 --> 00:00:08,450
The Volatility framework is an open source, cross-platform incident response framework that comes with

2
00:00:08,450 --> 00:00:14,780
many useful plugins that provide the investigator with a wealth of information from a snapshot of

3
00:00:14,780 --> 00:00:18,500
memory, also known as a memory dump.

4
00:00:18,530 --> 00:00:25,310
The concept of Volatility has been around for a decade, and apart from analyzing running and hidden

5
00:00:25,310 --> 00:00:29,810
processes, it's also a very popular choice for malware analysis.

6
00:00:29,810 --> 00:00:36,860
So to create a memory dump, you need several tools that we did in previous lectures like a Well-conserved

7
00:00:36,860 --> 00:00:47,780
RAM capture, FTK Imager, DDC, 3D, CAINE (Computer Aided Investigative Environment), Helix and Linux

8
00:00:47,780 --> 00:00:50,630
Memory Extractor, named LiME.

9
00:00:50,630 --> 00:00:58,370
So these tools can be used to acquire the memory image or memory dump, which can then be investigated and

10
00:00:58,370 --> 00:01:01,400
analyzed by the tools within the Volatility framework.

11
00:01:01,410 --> 00:01:10,170
And so the Volatility framework can be run on any operating system, both 32-bit or 64-bit.

12
00:01:10,170 --> 00:01:17,880
So any operating system that supports Python, including Windows XP, 7, 8,

13
00:01:17,910 --> 00:01:29,580
8.1 and Windows 10, 11, Windows Server, Linux, almost all Linux starting from 2.6.11 and newer

14
00:01:29,580 --> 00:01:35,760
Linux here. You can also run the Volatility framework in Mac OS.

15
00:01:35,760 --> 00:01:48,540
So Volatility supports several dump formats, both 32-bit and 64-bit, including the Windows crash

16
00:01:48,540 --> 00:01:51,060
and hibernation dumps.

17
00:01:51,930 --> 00:01:56,700
For Windows 7 and earlier.

18
00:01:59,230 --> 00:02:04,180
It also supports the VMware VM dumps.
19
00:02:04,390 --> 00:02:07,000
It also supports the VirtualBox dump.

20
00:02:07,330 --> 00:02:12,280
VirtualBox dumps, VirtualBox core dumps.

21
00:02:12,430 --> 00:02:16,870
It also supports the VMware saved state.

22
00:02:18,010 --> 00:02:24,040
Named .vmss and .vmsn here.

23
00:02:26,330 --> 00:02:30,020
It also supports raw physical memory.

24
00:02:32,230 --> 00:02:32,950
Memory.

25
00:02:32,980 --> 00:02:33,430
Name.

26
00:02:34,750 --> 00:02:38,200
It also supports QEMU.

27
00:02:39,100 --> 00:02:44,410
This actually means the Quick Emulator, QEMU.

28
00:02:46,240 --> 00:02:47,110
FireWire.

29
00:02:48,440 --> 00:02:49,490
HPAK.

30
00:02:50,580 --> 00:03:00,240
And direct physical memory dump over 1394 FireWire here.

31
00:03:00,360 --> 00:03:09,930
So Volatility even allows for conversion between these formats, as well as being able to accomplish

32
00:03:09,930 --> 00:03:12,030
everything similar tools can.

33
00:03:12,180 --> 00:03:19,830
So you can download Volatility from the internet, from GitHub, its official GitHub here.

34
00:03:20,980 --> 00:03:22,240
Let's open here.

35
00:03:22,600 --> 00:03:26,260
Okay, so Volatility GitHub.

36
00:03:27,650 --> 00:03:31,190
Here, Volatility Foundation, volatility.

37
00:03:31,400 --> 00:03:32,420
So.

38
00:03:36,500 --> 00:03:37,070
Here.

39
00:03:43,050 --> 00:03:48,300
So there are the memory samples that you can use here.

40
00:03:49,480 --> 00:03:52,570
Memory samples.

41
00:03:54,240 --> 00:03:55,010
Okay.

42
00:03:55,010 --> 00:04:01,550
And you can also download the Volatility distribution from the official website, the downloads.

43
00:04:02,370 --> 00:04:04,200
Here, click on downloads.

44
00:04:24,280 --> 00:04:24,790
Yeah.

45
00:04:25,210 --> 00:04:28,840
You can also download Volatility 3 or Volatility 2.

46
00:04:39,770 --> 00:04:40,880
In this case.

47
00:04:41,540 --> 00:04:41,960
Here.
48
00:04:41,960 --> 00:04:49,190
As you can see, there are older versions beyond XP, Linux, Mac OS X, and in this case, we're going

49
00:04:49,190 --> 00:04:50,210
to use the Windows.

50
00:04:51,290 --> 00:04:53,720
In this case, we're going to use Volatility 2.6.

51
00:04:53,720 --> 00:04:57,740
As you can see, you can also download for Mac OS, Linux.

52
00:04:57,740 --> 00:05:00,920
You can also download the source code if you want to compile it again.

53
00:05:00,920 --> 00:05:03,710
And you can also download the Windows here.

54
00:05:03,710 --> 00:05:09,530
So in this case, I'm not going to download it, but it's actually the same procedure.

55
00:05:09,530 --> 00:05:17,750
And in this case I'm going to use the apt package manager to install Volatility from the terminal.

56
00:05:17,750 --> 00:05:19,190
So here.

57
00:05:20,390 --> 00:05:20,780
Here.

58
00:05:20,780 --> 00:05:22,010
We also have the.

59
00:05:23,180 --> 00:05:26,450
Memory samples, which we're going to work on here.

60
00:05:27,290 --> 00:05:35,990
These are the memory samples, and we will download them one by one, work on and analyze them, and learn Volatility

61
00:05:35,990 --> 00:05:37,470
more deeply.

62
00:05:37,490 --> 00:05:41,170
So let's now download Volatility.

63
00:05:41,180 --> 00:05:49,550
So in most Linux distributions, like if I had CSI Linux or the CAINE operating system, then

64
00:05:49,550 --> 00:05:56,870
Volatility would come pre-installed here, but in Linux it doesn't come pre-installed,

65
00:05:56,870 --> 00:05:59,060
so we have to install it.