# Installation
For installation please follow the steps for your OS as listed below. Then follow all the optional steps at the end.
## Ubuntu
This install has been tested on Ubuntu 14.04 and 16.04 x64, both server and desktop platforms. The steps should work for later versions but are not tested. After successfully installing Ubuntu, follow these steps to get a functional VolUtility interface.
$ sudo apt-get update && sudo apt-get upgrade
$ sudo apt-get install python-dev python-pip git libimage-exiftool-perl
### Mongo
VolUtility requires a MongoDB database in order to store analysis results. There are three tested configurations:
- Local installation: follow the official steps to install Mongo v3.2 on your system (anything 3.0 or higher will work): https://docs.mongodb.org/v3.2/tutorial/install-mongodb-on-ubuntu/
- Remote installation: just point your config file at the IP and port as described in the configuration section.
- Official Mongo Docker image: create a container with
  sudo docker run -d -p 27017:27017 --name vol-mongo mongo
  Stop the container with sudo docker stop containerID and restart it with sudo docker start containerID
### Volatility
We need Volatility 2.5 or later.
$ cd ~/
$ git clone https://github.com/volatilityfoundation/volatility
$ cd volatility
$ sudo python setup.py install
### Get VolUtility
$ cd ~/
$ git clone https://github.com/kevthehermit/VolUtility
### Install App Specific Requirements
$ cd VolUtility
$ sudo pip install -r requirements.txt
## SIFT
As of the time of writing there are a couple of different distributions of SIFT V3: the Bootstrap, which goes on to your own build of Ubuntu 14.04; SIFT V3 distributed with FOR526, which is Ubuntu 12.04; and SIFT V3 from the SANS website, which is Ubuntu 14.04. This becomes important when selecting which repo to install Mongo from, so please check you have the correct version.
$ sudo apt-get update && sudo apt-get upgrade
$ sudo pip install pymongo django
### Mongo
VolUtility requires a MongoDB database in order to store analysis results. There are three tested configurations:
- Local installation: follow the official steps to install Mongo v3.2 on your system (anything 3.0 or higher will work): https://docs.mongodb.org/v3.2/tutorial/install-mongodb-on-ubuntu/
- Remote installation: just point your config file at the IP and port as described in the configuration section.
- Official Mongo Docker image: create a container with
  sudo docker run -d -p 27017:27017 --name vol-mongo mongo
  Stop the container with sudo docker stop containerID and restart it with sudo docker start containerID
### Volatility
We need Volatility 2.5 or later.
$ cd ~/
$ git clone https://github.com/volatilityfoundation/volatility
$ cd volatility
$ sudo python setup.py install
### Get VolUtility
$ cd ~/
$ git clone https://github.com/kevthehermit/VolUtility
## Yara (optional)
Check the Yara site for the latest build and instructions: https://yara.readthedocs.org/en/latest/gettingstarted.html#compiling-and-installing-yara
$ sudo apt-get install automake libtool
$ wget https://github.com/plusvic/yara/archive/v3.4.0.tar.gz
$ tar zxf v3.4.0.tar.gz
$ cd yara-3.4.0
$ ./bootstrap.sh
$ ./configure
$ make
$ sudo make install
$ cd yara-python
$ sudo python setup.py install
$ sudo ldconfig
## VirusTotal (optional)
To make full use of the VirusTotal features you need your own API key. These can be obtained for free from https://virustotal.com
You also need to install the Python library:
$ sudo pip install virustotal-api
Enter your key in the config file as described in the configuration section below.
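Before starting the web interface it is worth confirming that the pieces installed above are actually usable. The script below is an added example, not part of the VolUtility project: it checks that vol.py reports 2.5 or later, that Mongo 3.0 or later answers on the configured host and port, and that exiftool, yara-python and Django are importable. It assumes vol.py prints its "Volatility Foundation Volatility Framework X.Y" banner as the first line of its help output, and that `python` is the interpreter VolUtility will run under; MONGO_HOST and MONGO_PORT are assumed environment variables, not VolUtility settings.

```shell
#!/bin/sh
# Added preflight check, not part of the VolUtility project: verifies the
# dependencies installed above. Assumes vol.py prints its
# "Volatility Foundation Volatility Framework X.Y" banner first, Mongo listens
# on MONGO_HOST:MONGO_PORT and "python" is the interpreter VolUtility runs under.
MONGO_HOST="${MONGO_HOST:-127.0.0.1}"
MONGO_PORT="${MONGO_PORT:-27017}"

# extract_version TEXT -> first dotted version number found in TEXT (or empty)
extract_version() {
    printf '%s\n' "$1" | grep -o -E '[0-9]+\.[0-9]+(\.[0-9]+)*' | head -n 1
}

# version_ge A B -> succeeds when dotted version A is >= B (e.g. 2.5.1 >= 2.5)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check NAME MIN CMD... -> run CMD, pull its version and compare against MIN
check() {
    name="$1"; min="$2"; shift 2
    out=$("$@" 2>&1) || { echo "FAIL  $name: cannot run $1"; return 1; }
    ver=$(extract_version "$out")
    if [ -n "$ver" ] && version_ge "$ver" "$min"; then
        echo "OK    $name $ver (need >= $min)"
    else
        echo "FAIL  $name ${ver:-unknown} (need >= $min)"; return 1
    fi
}

run_preflight() {
    fails=0
    check volatility 2.5 sh -c 'vol.py -h | head -n 1' || fails=$((fails + 1))
    check mongodb 3.0 python -c "import pymongo; print(pymongo.MongoClient('$MONGO_HOST', $MONGO_PORT, serverSelectionTimeoutMS=3000).server_info()['version'])" || fails=$((fails + 1))
    check exiftool 0 exiftool -ver || fails=$((fails + 1))
    check yara-python 0 python -c 'import yara; print(yara.__version__)' || fails=$((fails + 1))
    check django 0 python -c 'import django; print(django.get_version())' || fails=$((fails + 1))
    return $fails
}

if run_preflight; then echo "all checks passed"; else echo "some checks failed"; fi
```

A FAIL line for mongodb with "cannot run" usually means pymongo is missing or the database is not listening on the host and port you configured; a FAIL with a version below the minimum means the wrong repo was used for the Mongo or Volatility install.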
## Vagrant
The Vagrantfile can be found in the repo: https://github.com/kevthehermit/VolUtility/blob/master/Vagrantfile
It builds a debian/jessie64 OS with all dependencies. The web interface can be found on http://192.168.56.101:8765 after vagrant up.
## Docker
You can build a Docker image yourself from the Dockerfile in extra/docker, or you can use the image on Docker Hub. This image is automagically rebuilt every time an update is made to the Git repo.
To run:
sudo docker run -d --name voltest -v /home/localadmin/mem-images:/opt/images -p 8080:8080 kevthehermit/volutility
This will:
- Start the container.
- Mount mem-images from your home folder to /opt/images inside the container (adjust to match the path to your memory images).
- Set the web port to HOSTIP:8080.
- Show you the container ID in the console (sudo docker ps will also show container IDs).
Now you can load the interface and use /opt/images/imagename.vmem as the Full Path to memory dump.
Stop the container with sudo docker stop containerID
Restart the container with sudo docker start containerID
The Docker image will persist the Mongo database inside the container. If you delete the container you will LOSE the data. Consult the Docker guides on how to create persistent data volumes.
## Configuration
VolUtility comes with a default config file, volutility.conf.sample. If you do not set your own, VolUtility will use the settings in this file.
To create your own config file, copy volutility.conf.sample to your home directory as ~/.volutility.conf and populate all the settings using the examples shown in the file.
If you're using the Docker image you need to first open a shell into the container. The following example should help to explain:
docker exec -i -t nameofcontainer /bin/bash
cp /opt/VolUtility/volutility.conf.sample ~/volutility.conf
nano ~/volutility.conf
## Themes
The default theme is a dark theme with the running cat as a loading image. If you prefer something 'cleaner' you can change this in the config file. You can use any Bootstrap 3 compatible theme; some examples can be found at https://bootswatch.com/ Slate is the default and SpaceLab is included.
To add your own, copy:
- A css file in to web/static/css/
- An image or animated gif to use on the loading page in to web/static/img
- Update the volutility.conf file to match
## Plugins
Third party plugins can be included in one of two ways.
- Add plugins to the VolUtility/plugins folder
- From the main page click 'Add Plugins' and enter the full path to the folder containing your plugins.
If you add new plugins after the session has been created, you will have to update the available plugins by clicking the refresh button on the Plugin Results toolbar.
## Profiles
Profiles are required in order for Volatility to correctly map memory. By default all Windows profiles are included. Profiles for Linux and Mac are not provided but can be sourced or created.
- Link to vol profiles
- Link to create profiles page
Once you have a profile zip package, it can be added in a similar manner to plugins.
- Copy the zip into VolUtility/plugins/overlays
- From the main page click 'Add Plugins' and enter the full path to the folder containing your profiles (they must be in a subfolder labeled overlays).
## Yara Rules
Yara rules can be added to the VolUtility/yararules folder. If you want your rule to be included in the 'all rules' scan, you will need to add it to the index.yar file.
You will need to refresh the session page in order to see any new rules added.
## Upgrading
To upgrade from source, simply stop VolUtility, cd into the folder and run:
git pull
This will fetch the latest version.
Alternatively, download the latest release package and replace your old VolUtility folder with the contents of the new one.