How to install Volatility (RAM / Memory Forensic Framework) on Windows
1. Download Python
http://www.python.org/download/
I have installed Python 2.6.4 on Windows 7, 64-bit edition.
Open a Windows shell and add Python to your Windows path with:
PATH=%PATH%;C:\Python26
If you installed Python somewhere else, replace 'C:\Python26' with your path.
2. Download Volatility Framework
https://www.volatilesystems.com/volatility/1.3/Volatility-1.3_Beta.zip
and extract it to d:\Forensic\Tools\Volatility
3. Test Volatility
d:\Forensic\tools\Volatility>python volatility pslist -f "d:\Forensic data\ramdump2.dd"
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      48     226    Thu Jan 01 00:00:00 1970
smss.exe             512    4      3      21     Sat Feb 27 11:37:09 2010
csrss.exe            576    512    10     302    Sat Feb 27 11:37:09 2010
winlogon.exe         600    512    19     428    Sat Feb 27 11:37:09 2010
services.exe         644    600    18     271    Sat Feb 27 11:37:09 2010
lsass.exe            656    600    23     302    Sat Feb 27 11:37:09 2010
VBoxService.exe      812    644    4      75     Sat Feb 27 11:37:09 2010
svchost.exe          856    644    9      186    Sat Feb 27 11:37:09 2010
svchost.exe          956    644    67     985    Sat Feb 27 11:37:09 2010
svchost.exe          1092   644    5      46     Sat Feb 27 11:37:10 2010
svchost.exe          1112   644    14     127    Sat Feb 27 11:37:10 2010
spoolsv.exe          1316   644    13     116    Sat Feb 27 11:37:10 2010
explorer.exe         1884   1856   11     231    Sat Feb 27 11:37:24 2010
msiexec.exe          288    644    5      91     Sat Feb 27 11:37:28 2010
VBoxTray.exe         472    1884   7      45     Sat Feb 27 11:37:30 2010
ctfmon.exe           480    1884   1      60     Sat Feb 27 11:37:30 2010
mdd_1.3.exe          1880   956    1      25     Sat Feb 27 11:40:59 2010