How to Install Volatility 2.6 in Kali
Volatility 2 is no longer packaged with new Kali releases, but it can be installed manually.
┌──(kali㉿kali)-[~/volatility]
└─$ vol.py
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.timeliner (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
As Volatility 2 relies on Python 2 dependencies, we first need to install pip for Python 2:
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
sudo python2 get-pip.py
# upgrade setup tools to avoid "invalid command egg_info" error
pip2 install --upgrade setuptools
# install python-dev to avoid "x86_64-linux-gnu-gcc failed..." error
sudo apt-get install python-dev
Now that pip2 is installed, we can use it to get the Volatility dependencies:
pip2 install pycrypto
pip2 install distorm3
If you only need it temporarily, you can simply clone the repo and run vol.py from the checkout. Otherwise, run the Python installer:
git clone https://github.com/volatilityfoundation/volatility
cd volatility
# call the Python 2 interpreter explicitly; on current Kali "python" may be Python 3 or absent
sudo python2 setup.py install
Once the install is complete, you can verify it by running vol.py from any directory:
┌──(kali㉿kali)-[~]
└─$ vol.py -h
Volatility Foundation Volatility Framework 2.6.1
Usage: Volatility - A memory forensics analysis platform.
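A small check script, added here and not part of the original post, that turns the "Failed to import" lines vol.py prints into the list of pip2 packages still missing (Crypto.Hash comes from pycrypto, distorm3 from distorm3). It assumes vol.py is on PATH; the sample output it is tested against is constructed from the lines shown above.

```shell
#!/bin/sh
# Added helper (not from the original post): verify that the Python 2
# dependencies of Volatility 2.6 import cleanly after installation.

# Map a missing module name to the pip2 package that provides it.
# Crypto.Hash is part of pycrypto; distorm3 is its own package.
module_to_package() {
  case "$1" in
    Crypto|Crypto.*) echo "pycrypto" ;;
    distorm3)        echo "distorm3" ;;
    *)               echo "$1" ;;
  esac
}

# Read vol.py output on stdin and print the distinct pip2 packages
# that are still missing, space separated (empty when nothing is missing).
missing_packages() {
  sed -n \
    -e 's/.*ImportError: No module named \([A-Za-z0-9_.]*\).*/\1/p' \
    -e "s/.*NameError: name '\([A-Za-z0-9_]*\)' is not defined.*/\1/p" |
  while read -r mod; do module_to_package "$mod"; done |
  sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample: three of the import failures from a broken install.
sample_missing() {
  missing_packages <<'EOF'
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
EOF
}

# Real check against the installed vol.py (assumes it is on PATH).
check_install() {
  command -v python2 >/dev/null 2>&1 || { echo "python2 not found" >&2; return 2; }
  missing=$(vol.py -h 2>&1 | missing_packages)
  if [ -n "$missing" ]; then
    echo "missing: $missing  (fix with: pip2 install $missing)"
    return 1
  fi
  echo "all Volatility 2.6 dependencies import cleanly"
}
```

Run `check_install` after `pip2 install pycrypto distorm3`; a non-zero return means a plugin still fails to import.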
Alternatively, you can use this automated script: bash script
The install script places the plugins directory in /usr/local/contrib/plugins.