Volatility and Memory Dumps Guide
Volatility is a tricky tool to deal with, and when it is misused it is not always obvious what went wrong or how to fix it. In my personal experience, many underlying problems are hidden behind the tool telling you that the plugin doesn't exist or is invalid.
A general first step is to have somebody who knows at least a little bit of Python look at the command you are trying with the -vv flag appended. This raises Volatility's log verbosity and will often reveal the real failure, including any Python packages a plugin imports that are missing from your installation. The solution guide suggests installing pycryptodome, and this fixes some plugin operations.
Things to Try
1. Use an older version of Volatility 3
Specifically, I was able to complete all the gymnasium challenges using Volatility 3 version 2.11.0 (yes, this is confusing). You can install this by running
pip3 install volatility3==2.11.0
Note that if you are using Kali Linux, you may need to set up a virtual environment before pip will install packages. See step 2 for more information.

2. Set up a virtual environment
If you are struggling to install Volatility or any of its dependencies, set up a Python virtual environment. In the Volatility source directory, run
python3 -m venv venv
and then use ./venv/bin/python3 or ./venv/bin/pip3 to run Volatility itself or to install its dependencies. If you install Volatility with the pip executable from the virtual environment, its vol entry point is placed in that same bin directory.

3. Try to find alternative plugins
One issue Volatility is plagued with is that plugin names and their usage change between versions. The list of plugins that Volatility prints on the command line is very long, but it can be filtered and highlighted with grep. You may notice that grepping the plugin list, whether it comes from the help command or from typing an invalid plugin name, gives an empty result. This is because Volatility writes that text to standard error, whereas a pipe only carries standard output, which is what grep reads.
To be able to search this text, redirect standard error into standard output before the pipe, for example
./vol.py -f memdump.mem 2>&1 | grep windows.info
(The dot in the pattern is a regex wildcard; it is harmless here, but use grep -F if you want a literal match, and grep -i if you are unsure of the capitalisation.)
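The following POSIX shell script is an added example, not code from the original guide or from the Volatility project. It wraps the three steps above: it creates the virtual environment and pins the Volatility 3 release, and it searches the plugin list with standard error merged into standard output, next to the same search without the merge so the empty-result failure mode is visible. The vol entry point name, the venv directory name and the extra pycryptodome install are assumptions; the stand-in script built at the end is constructed here to mimic Volatility writing its usage message to standard error, so the search functions can be exercised without a real memory image.

```shell
#!/bin/sh
# Added example (not from the original guide): venv setup, pinned install,
# and a plugin search that greps both stdout and stderr.

# Create a venv and pin the Volatility 3 release used in the guide.
# Assumes the pip package is named "volatility3" and that pycryptodome is
# wanted as well; skips venv creation when one already exists.
# $1 = venv directory (default: venv)
setup_vol_venv() {
    venv_dir="${1:-venv}"
    [ -x "$venv_dir/bin/pip3" ] || python3 -m venv "$venv_dir"
    "$venv_dir/bin/pip3" install "volatility3==2.11.0" pycryptodome
}

# Search the plugin list for a pattern. Volatility writes the usage message
# that lists every plugin to standard error, so 2>&1 must come before the
# pipe; otherwise grep only sees an empty standard output.
# $1 = vol executable (e.g. ./venv/bin/vol), $2 = memory image, $3 = pattern
find_plugins() {
    "$1" -f "$2" 2>&1 | grep -i -- "$3"
}

# The same search without the redirect, kept to demonstrate the failure mode:
# standard error is discarded, the pipe carries nothing, grep prints nothing.
find_plugins_stdout_only() {
    "$1" -f "$2" 2>/dev/null | grep -i -- "$3"
}

# Constructed stand-in for vol.py, used only for the offline demo below.
# It mimics the real behaviour: with a missing/invalid plugin it prints the
# usage error (which carries the plugin names) on stderr and exits 2.
# Prints the path of the generated script.
make_fake_vol() {
    fake="$(mktemp)"
    cat > "$fake" <<'EOF'
#!/bin/sh
echo "usage: vol [-h] [-v] -f FILE plugin ..." >&2
echo "vol: error: argument plugin: invalid choice (choose from 'windows.info.Info', 'windows.pslist.PsList', 'linux.bash.Bash')" >&2
exit 2
EOF
    chmod +x "$fake"
    printf '%s' "$fake"
}

# Offline demo: the merged search finds the plugin, the stdout-only one does not.
# Real usage after setup_vol_venv: find_plugins ./venv/bin/vol memdump.mem windows.info
demo() {
    fake="$(make_fake_vol)"
    echo "--- with 2>&1 ---"
    find_plugins "$fake" /dev/null windows.info
    echo "--- without 2>&1 (expect nothing) ---"
    find_plugins_stdout_only "$fake" /dev/null windows.info || true
    rm -f "$fake"
}
```

Run it as a script and call demo, or source it and call find_plugins against your own vol install; the grep -i keeps the search case-insensitive because plugin class names such as windows.info.Info are mixed case.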