Live Forensics | How to Install Volatility 3 on Windows 11 Windows 10 | Symbol Tables Configuration

00:02

many of you have an issue installing

00:05

volatility tree

00:08

in Windows 11 or Windows

00:12

10.

00:15

especially

00:17

when you run Windows PS list

00:20

or Windows

00:22

net scan or any of these plugin

00:26

in this video I'm going to show you how

00:29

to install

00:32

volatility tree

00:34

and demonstrate

00:36

its work with Windows 11 within windows

00:41

11.

00:42

let's start

00:46

to download volatility I will keep the

00:48

link in the description

00:51

within the volatility project you need

00:54

to go to downloads

00:56

and you will find these two tabs

00:58

volatility true and volatility a tree

01:03

we're going to choose for 33 but listen

01:05

over 33 version 1 and it's using python

01:11

3. mean before you install or run filter

01:16

3 you have to have Python 3 installed in

01:20

your machine

01:21

to get Python 3 if you don't have Python

01:24

3 you just need to go to

01:26

python.org download and here's a

01:30

download Python 3 okay download python

01:32

3. download that install it it's

01:34

straightforward doesn't take long to

01:37

install its depend on your internet

01:41

speed

01:43

sorry about my voice I got

01:46

a little flu I think let's go back to

01:50

volatility tree and the file we need to

01:53

download is this one download the for

01:55

the 33 version 1.00

01:59

uh let let me click on that

02:04

and this will be downloaded in my

02:07

um my machine let me grab it

02:16

I have it

02:17

continue

02:20

here is it in

02:24

it's here I just download in the C drive

02:27

it's for the 33

02:29

and then first thing you need to unzip

02:32

it extract

02:36

I was extract it in my machine here for

02:39

little T3 I think there is another one

02:42

here I don't know why there's two but

02:45

let me just make it like this

02:48

I think because already before I done

02:50

the video I tried to download it before

02:53

okay over 33 and this will be extracted

02:57

to your C drive for my in my case

03:04

in just seconds okay depends on your

03:06

computer speed and once once it's

03:09

extracted you will find in C drive for

03:13

the 33

03:14

double click on it and then double click

03:16

again you'll find volatility dot python

03:20

or return.pi

03:22

but remember

03:26

before we run volatility as he said you

03:29

need to have python let's run volatility

03:32

using Powershell just type Powershell

03:36

and run your power shell

03:41

uh

03:44

you can

03:47

type like what you do in Linux CD and go

03:51

straight away to where my volatility is

03:54

saved

03:55

and hit enter

03:56

LS

03:58

and we can find volatility.pi and what

04:01

you need to type is python

04:05

python.exe or sometime just p y okay or

04:08

sometimes just p y and volatility Dot py

04:12

and hit enter and this confirmed to us

04:15

volatility is installed in your machine

04:18

but however wait this is the tricky

04:20

thing okay this is a tricky thing

04:24

we try to run volatility on Windows

04:28

machine to an eyes with this machine it

04:30

will not all of plugins will not run if

04:33

we go back to further 30 website the

04:36

volatility website

04:38

and there is nothing said here about

04:41

plugins for Windows I went to I went to

04:45

their project in GitHub go to volatility

04:48

I will keep the link also on the

04:50

description for 33 go down

04:54

go down and then Dimension here simple

04:57

table okay simple table you need if you

05:01

analyze you're going to analyze when

05:03

this memory dump you need to download

05:07

this Windows File okay and save it on

05:11

volatility three symbols download it I

05:15

think it's

05:16

800 gigabyte already I have it in my

05:20

machine download it and then let me find

05:24

it

05:25

here is that it's 800 megabyte

05:29

800 megabyte copy this one

05:33

into

05:35

folder called volatility tree volatility

05:37

inside volt 33 volt 33 433 three times

05:40

and then I think in the simple okay let

05:44

me go back and descend the symbols

05:47

just

05:48

copy it here and that's it don't do

05:50

anything okay you don't do you don't

05:53

need to do anything

05:54

for now I'm going to analyze memory dump

05:57

okay I'm going if you need to create

05:59

memory dump it's easy you can use ftk

06:03

measure use ftk measure uh I will show

06:07

you right now very quickly how to create

06:10

memory dump okay

06:12

just click file

06:14

and then capture memory

06:16

and then just type the destination where

06:20

you need to save it and then

06:23

click on capture by doing this one you

06:25

are going to capture a memory copy you

06:28

are going to create a copy of your RAM

06:31

okay I'm not going to do that because

06:33

already I have a copy of memory dump if

06:37

you if you need to know how you can go

06:40

to another videos in my channel to show

06:43

you how to create a memory dump using

06:45

ftk measure and other tools and how you

06:48

can analyze and how you can analyze

06:51

um

06:52

these memory dumps and how you can find

06:54

passwords network connections and so on

06:58

let's get to volatility again

07:00

now let me save the memory dump here in

07:04

Florida 33 Okay let me save it here

07:09

as we said

07:11

uh now

07:13

let me run the volatility again we have

07:19

uh we just type python variety dot pi

07:22

and then

07:27

minus F of Dash F and then the file

07:30

location the minimum dump file location

07:32

this is the memory Dom I will go just

07:35

copy and go paste and then slash the

07:40

memory dump called memory dumb dot EMA

07:42

okay this is the file okay then with

07:46

windows with volatility is different

07:48

than folder 32 okay it's easier okay

07:51

when does when those then info that's

07:56

the first plugin I'm going to use okay

07:58

and if I hit

08:00

run

08:02

it runs okay it runs

08:04

if let's try

08:07

um BS list but before I run BS list what

08:11

you can find here this one will read

08:14

them is from Windows 7 okay you can you

08:17

can generate from Windows 10 you can

08:19

generate from any other uh

08:23

any other

08:25

memory I think I got

08:28

passing

08:30

um

08:32

just let me find maybe yeah I don't have

08:34

another memory though but try it

08:36

yourself it should work okay

08:38

how would you understand and when it's

08:40

11. if I do PS list it may work and may

08:43

not okay but here is it it works it

08:45

works Piece list it works let's try

08:48

another one Let's scan

08:51

knit scan

08:54

and it works okay all all the plugins

08:59

they should work okay all the plugins

09:01

they should work because already

09:04

we have a simple table that copy of the

09:09

large file the 800 megabyte file we

09:13

saved on the Vol 33 samples and windows

09:16

uh this is the location from where uh

09:19

from where

09:21

voltage tree can access Json files okay

09:25

you can access Json files

09:28

by following my step I am hundred

09:30

percent sure that it should work with

09:33

you and very easy and simple pass it up

09:39

[Music]