关于我在windows使用volatility取证这档事

官网下载地址：https://www.volatilityfoundation.org/releases

volatility3的官方文档：https://volatility3.readthedocs.io/en/latest/basics.html

下载

看清有两个版本，用法不一样

第一次我下载了Volatility 2.6 Windows Standalone Executable (x64)
结果执行Volatility.exe老是报出error
然后我果断删除了2.6
下载了3.0

版本差异

而volatility2的用法如下

volatility -f 'Windows 7-dde00fa9.vmem' imageinfo

volatility3插件功能

下面使用python vol.py -h看volatility3的插件都有哪些
下面插件只是简单罗列，准备再写一篇文章单独介绍

pluginbanners.Banners     configwriter.ConfigWriterframeworkinfo.FrameworkInfo isfinfo.IsfInfo   layerwriter.LayerWriterlinux.bash.Bash     linux.check_afinfo.Check_afinfolinux.check_creds.Check_credslinux.check_idt.Check_idtlinux.check_modules.Check_moduleslinux.check_syscall.Check_syscall  linux.elfs.Elfs  linux.keyboard_notifiers.Keyboard_notifiers linux.lsmod.Lsmod linux.lsof.Lsof    linux.malfind.Malfindlinux.proc.Maps    linux.pslist.PsListlinux.pstree.PsTreelinux.tty_check.tty_checkmac.bash.Bash      mac.check_syscall.Check_syscallmac.check_sysctl.Check_sysctlmac.check_trap_table.Check_trap_tablemac.ifconfig.Ifconfigmac.kauth_listeners.Kauth_listenersmac.kauth_scopes.Kauth_scopesmac.kevents.Keventsmac.list_files.List_Filesmac.lsmod.Lsmod     mac.lsof.Lsof       mac.malfind.Malfindmac.mount.Mount    mac.netstat.Netstatmac.proc_maps.Maps  mac.psaux.Psaux     mac.pslist.PsList   mac.pstree.PsTree  mac.socket_filters.Socket_filtersmac.timers.Timers   mac.trustedbsd.Trustedbsdmac.vfsevents.VFSeventstimeliner.Timelinerwindows.bigpools.BigPoolswindows.cmdline.CmdLinewindows.dlllist.DllListwindows.driverirp.DriverIrpwindows.driverscan.DriverScanwindows.dumpfiles.DumpFileswindows.envars.Envarswindows.filescan.FileScanwindows.getservicesids.GetServiceSIDswindows.getsids.GetSIDswindows.handles.Handleswindows.info.Info   windows.malfind.Malfindwindows.memmap.Memmapwindows.modscan.ModScanwindows.modules.Moduleswindows.mutantscan.MutantScanwindows.netscan.NetScan      windows.poolscanner.PoolScannerwindows.privileges.Privswindows.pslist.PsListwindows.psscan.PsScanwindows.pstree.PsTreewindows.registry.certificates.Certificateswindows.registry.hivelist.HiveListwindows.registry.hivescan.HiveScanwindows.registry.printkey.PrintKeywindows.registry.userassist.UserAssistwindows.ssdt.SSDT   windows.statistics.Statisticswindows.strings.Strings           windows.symlinkscan.SymlinkScanwindows.vadinfo.VadInfowindows.verinfo.VerInfowindows.virtmap.VirtMapThe following plugins could not be loaded (use -vv to see why):
volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks,
volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump,
volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan,
volatility3.plugins.yarascan

注意最下面提示有一些插件不能加载
使用-vv查看原因

python vol.py -vvVolatility 3 Framework 1.0.0
INFO     root        : Volatility plugins path: ['D:\\Tools\\volatility3-1.0.0\\volatility3\\plugins', 'D:\\Tools\\volatility3-1.0.0\\volatility3\\framework\\plugins']
INFO     root        : Volatility symbols path: ['D:\\Tools\\volatility3-1.0.0\\volatility3\\symbols', 'D:\\Tools\\volatility3-1.0.0\\volatility3\\framework\\symbols']
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: yarascan
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: windows\cachedump
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.callbacks based on file: windows\callbacks
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: windows\hashdump
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: windows\lsadump
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: windows\svcscan
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: windows\vadyarascan
INFO     root        : The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
usage: ....................
volatility: error: Please select a plugin to run

这些提示说缺少一些模块
下面就安装模块

安装依赖包

然后有提示我们pip该升级了。。。
并不是啰嗦，是想尽可能解决一些新手碰到不会处理的问题
然后再安装模块
装完模块再次查看插件发现报错了

查找问题

这是官方给出的依赖包

而我们之前安装的模块

因为版本相差太多，猜测我们安装错了
先卸载这两个模块

试试看有没有官网这个模块yara-python
发现有这个模块

然后运行volatility测试这个是不是它要求的模块

发现现在它只提示我们缺少Crypto模块
之前先卸载这个模块是为了控制变量
选择再安装Crypto模块
结果是安装成功，仍然提示缺少模块
根据官方的说法，它还需要一个依赖包capstone
那就安装它试试

说明这个模块不是我们想要的
经过搜索发现还有个模块叫pycrypto
然而安装的时候报错
说缺少Microsoft C++ Build Tools

接下去linux系统来验证我的猜想
安装模块成功，并且不再提示缺少模块
抱怨：所以最讨厌在windows上搞一些编程

总结

坑1，它提示我们缺少下面这两个模块

其实我们需要安装的是这两个模块
yara-python和pycrypto
坑2，windows编程老是出现各种各样的问题