### No-Brainer Tutorial - Human Flesh Search (Legal Edition)

1. Search engines (a rough impression of the target)

2. Blogs (how the target thinks)

*Social-engineering attack: you can impersonate the target on IM or social networking sites, add the target's friends, and then dig out more information through those friends

3. Social networking sites (the target's circle of friends)

4. Shopping sites (what the target has bought)

5. Forums (which topics the target is most interested in)

### Toshiba's new 2.5-inch hard drive automatically destroys its decryption key

Once authenticated, the drive can only be used with a single PC, digital multifunction device or POS cash register; if authentication finds it connected to any other device, the drive deletes its decryption key, preventing the data inside from leaking.

Toshiba announced on Wednesday (4/13) that in June it will launch the world's first 2.5-inch secure hard drive, using newly developed device-authentication technology so that when the drive is connected to a PC or device other than the designated one, the data on it cannot be read or stolen.

The secure drive comes in five capacities from 160GB to 640GB. The drive performs challenge and response authentication against the machine it is installed in; once authenticated it can only be used with that single PC, digital multifunction device or POS cash register, and if authentication finds it connected to another device, the drive deletes the decryption key to prevent internal data from leaking.

The drive offers three data-protection modes for different needs. Besides the mode above, users can also issue a data-invalidation command directly from the machine the drive is installed in, or configure a protection mode in which the decryption key is deleted automatically as soon as power is cut. Users can also specify which areas of the drive have their decryption key deleted immediately when protection triggers, and which areas keep their key and are simply retained in encrypted form.

The new secure drive uses a 3.0Gbps SATA interface, has an average seek time of 12msec, spins at 7200rpm, has a 16MB buffer, uses the AES 256-bit encryption algorithm and the second-generation Toshiba Wipe technology, which avoids triggering the data-protection function by mistake when the machine enters power-saving mode.

Reposted from http://www.ithome.com.tw/itadm/article.php?c=67058

### How sophisticated are targeted malware attacks?

The JavaScript code on the win{BLOCKED}.dyndns.info web page can detect a wide range of software, including:

• Microsoft Office (Word, Outlook), versions 97 through 2010
• Java
• Development and graphics tools (Delphi, .NET, Photoshop, Dreamweaver)

Original source: How Sophisticated are Targeted Malware Attacks?


### DEFT 6.1

DEFT 6.1 is the last planned release of DEFT 6.
From June 2011, we will start working on version 7. It will feature great improvements in both the architectural structure and the included applications.
Release notes:

- Starts 15% faster than the previous version
- initrd optimization
- RegTime.py
- Recovery.py

Fixed:

- Fixed problem of large pcap file uploads in Xplico
- Revision of all DEFT Extra's tools to comply with their License.
- DEFT 6 can boot from USB (thanks to Valerio Leomporra for the fix)

### Digital Forensics Search

### Digital Corpora

DigitalCorpora.org is a website of digital corpora for use in computer forensics education research. All of the disk images, memory dumps, and network packet captures available on this website are freely available and may be used without prior authorization or IRB approval. We also have available a research corpus of real data acquired from around the world. Use of that dataset is possible under special arrangement.

Many of the corpora are distributed in RAW, EnCase E01, and Advanced Forensic Format (AFF) formats. We also make available a Digital Forensics XML (DFXML) file for many of the disk images that describes the files contained within each volume. You can download tools for working with AFF and DFXML files from our companion website, http://afflib.org/.

### "Cyber Attack and Defense" blog teaching materials

Starting in April 2011, Cyber Attack and Defense broadcasts a regular information-security course every Thursday evening from 9:00 to 11:30 PM; the end time is not fixed and depends on how long that day's course material runs.

| Date | Topic |
| --- | --- |
| 4/07 (Thu) 21:00~24:00 | Cyber Attack and Defense: Personal Data Protection |
| 4/14 (Thu) 21:00~24:00 | Cyber Attack and Defense: Email Social Engineering |
| 4/21 (Thu) 21:00~24:00 | Cyber Attack and Defense: Web Browsing |
| 4/28 (Thu) 21:00~24:00 | Cyber Attack and Defense: Trojan Intrusion |

### EnScript to parse classic (.evt) event log entries in unallocated

This EnScript was inspired by a blog reader who emailed me to ask for a solution to parse some windows event log entries that were found in unallocated.

There are a couple of ways I could think of to solve this issue. The easiest was to just build a parser to read a single event log record that was found in unallocated and display the data in that single record. The problem with that solution is that it does not scale well: it becomes very tedious when there are numerous records found in unallocated, because it requires a person to parse each one individually.

The final solution was an EnScript to perform a search for the magic value "LfLe", which appears in every valid event log record. Once a hit is found, the record is parsed and exported into a separate .EVT file. Every hit is exported into the same .evt file, and in the end you will have a single "eventlog.evt" that contains all the valid Windows event log entries that were found in unallocated. You can then use your favorite 3rd-party event log viewer (Event Log Explorer, etc.) or the native Windows event viewer (eventvwr.exe) to read all the records that were found in unallocated.

Each event log entry maintains an event record number. When searching in unallocated, it is possible that you could find two records with the same record number, therefore this EnScript renumbers all the records found in unallocated, but leaves the remaining data intact, exactly as found in unallocated. Each record is assigned a new record number and then exported into the new .Evt file. A new header and footer are built based on the exported data so it can then be read with all the common event log viewing tools.

The exported records viewed in the EVENTVWR app in Windows 7:

The exported records viewed in the Event Log Explorer app in Windows 7:

Prerequisites:
None - This EnScript performs a search automatically. There is no need to search, select (blue check) or preprocess anything. The EnScript will search every unallocated object found, so if you have multiple drives loaded into the case, each one will be searched automatically. The EnScript automatically bookmarks all the "LfLe" search hits (valid and invalid). Some basic error checking is done to validate the record to attempt to ensure it is a complete and valid record before it is exported into the new .EVT file. The new "eventlog.evt" file is created in the default export folder for the active case.

Limitations:
This *only* searches and rebuilds classic Windows NT/2000/XP event (.evt) records. It does not yet support the newer .EVTX (xml) records that are used in Vista, 2008 & 7.
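The approach described above (search for "LfLe", sanity-check each hit, renumber, rebuild the header and footer), modelled as an added Python example; this is not the EnScript itself. The sample "unallocated" bytes, source names and event IDs are constructed, and the record layout follows the documented classic EVENTLOGHEADER / EVENTLOGRECORD / EVENTLOGEOF structures.

```python
import struct

MAGIC = b"LfLe"      # at offset 4 of the header and of every EVENTLOGRECORD
HEADER_SIZE = 0x30   # EVENTLOGHEADER is 48 bytes
EOF_SIZE = 0x28      # EVENTLOGEOF is 40 bytes
FIXED_SIZE = 56      # fixed-size part of EVENTLOGRECORD before the variable data

def build_record(record_no, event_id, source, computer, time_gen):
    """Assemble one EVENTLOGRECORD (used only to construct the sample input)."""
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    var = names + b"\0" * ((-len(names)) % 4)          # pad record to 4 bytes
    length = FIXED_SIZE + len(var) + 4
    after = FIXED_SIZE + len(names)                     # empty SID/strings/data
    fixed = struct.pack("<4I4H6I", record_no, time_gen, time_gen, event_id,
                        4, 0, 0, 0, 0, after, 0, after, 0, after)
    return struct.pack("<I", length) + MAGIC + fixed + var + struct.pack("<I", length)

def carve_records(blob, max_len=0x10000):
    """(offset, bytes) of each 'LfLe' hit that passes the sanity checks: plausible
    length 4 bytes before the magic, fits in the blob, trailing length matches."""
    hits, pos = [], blob.find(MAGIC)
    while pos != -1:
        start = pos - 4
        if start >= 0:
            length = struct.unpack_from("<I", blob, start)[0]
            if (FIXED_SIZE <= length <= max_len and length % 4 == 0
                    and start + length <= len(blob)
                    and struct.unpack_from("<I", blob, start + length - 4)[0] == length):
                hits.append((start, blob[start:start + length]))
        pos = blob.find(MAGIC, pos + 1)
    return hits

def rebuild_evt(records):
    """Renumber records 1..n (only RecordNumber at offset 8 changes, the rest is
    left as found) and wrap them in a fresh header and EOF record."""
    body = bytearray()
    for new_no, rec in enumerate(records, start=1):
        rec = bytearray(rec)
        struct.pack_into("<I", rec, 8, new_no)
        body += rec
    n, start, end = len(records), HEADER_SIZE, HEADER_SIZE + len(body)
    header = struct.pack("<I4s10I", HEADER_SIZE, MAGIC, 1, 1, start, end,
                         n + 1, 1, end + EOF_SIZE, 0, 0, HEADER_SIZE)
    eof = struct.pack("<10I", EOF_SIZE, 0x11111111, 0x22222222, 0x33333333,
                      0x44444444, start, end, n + 1, 1, EOF_SIZE)
    return header + bytes(body) + eof

def read_records(evt):
    """Walk a .evt from StartOffset to EndOffset: (record no., event id, source)."""
    start, end = struct.unpack_from("<II", evt, 16)
    out, pos = [], start
    while pos < end:
        length, magic, rec_no, _, _, event_id = struct.unpack_from("<I4s4I", evt, pos)
        assert magic == MAGIC
        names = evt[pos + FIXED_SIZE:pos + length - 4].decode("utf-16-le", "ignore")
        out.append((rec_no, event_id, names.split("\0")[0]))
        pos += length
    return out

def sample_unallocated():
    """Constructed 'unallocated space': slack, two valid records that both carry
    record number 17 (the duplicate case above), a stray LfLe with an absurd
    length, and a record truncated before its trailing length field."""
    good1 = build_record(17, 4624, "Security", "WS01", 0x4D9F1234)
    good2 = build_record(17, 7036, "Service Control Manager", "WS01", 0x4D9F2345)
    cut = build_record(18, 1000, "Application Error", "WS01", 0x4D9F3456)[:-12]
    bogus = struct.pack("<I", 0xFFFFFFF0) + MAGIC + b"\0" * 20
    return b"\xcc" * 33 + good1 + b"junk" * 5 + bogus + good2 + cut + b"\0" * 40

if __name__ == "__main__":
    evt = rebuild_evt([rec for _, rec in carve_records(sample_unallocated())])
    open("eventlog.evt", "wb").write(evt)     # two records, renumbered 1 and 2
```

The bogus hit and the truncated record are rejected by the length checks, while the two duplicate "17" records come out renumbered 1 and 2 and the result opens as an ordinary classic .evt file.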

### Two Oracle database forensic tools - DDLDUMP & Data Block Examiner

DDLDUMP: A Data Definition Language or Data Description Language (DDL) is a computer language for defining data structures. DDLDUMP is a free tool to dump DDL statements from Oracle transaction logs (redo logs) in XML. It parses an Oracle redo log (transaction file) and dumps all DDL statements, such as GRANT, CREATE, ALTER, DROP, REVOKE, etc., in XML.

Data Block Examiner for Oracle: It is a tool that can be used in an Oracle forensics investigation of a suspected breach.

### The End of Digital Forensics?

by Craig Ball

When Microsoft introduced its Encrypting File System (EFS) in Windows 2000, the Cassandras of computer forensics peppered the listserves with predictions that the days of digital forensics were numbered. Ten years on and hundreds of systems acquired, I’ve yet to handle a case stymied by encryption—and 90% of my acquisitions were corporate machines, many with TPMs and fingerprint readers. Voluntary encryption turned out to be no encryption at all.

The next sky falling threats to forensics were privacy tools and features. “Surely,” our Chicken Littles clucked, “everyone will run free tools that routinely wipe unallocated clusters and securely delete data!” Turns out, they only run the antiforensic tools right before the examiner arrives, and most such tools do a lousy job covering their tracks. Instead, we’ve come to see much more revealing data and metadata created and retained by operating systems. The Windows Registry and all those logs and .dat files are like birthday presents from Bill Gates.

Finally, there are the stormy forecasts about the Cloud. Absent dominion over physical storage media, digital forensics is indeed different. We need credentials to acquire data in the Cloud, and deletion tends to mean really gone. But the silver lining is that the portable devices used to access Cloud data tend to store so much information that they’re proving a cornucopia of case-making information. Are handhelds trickier to acquire? Sure. Are they less revealing? Not on your life!

But lately, one acorn that has fallen on my head and caused me to look warily aloft is the quantum leap in hard drive capacity. I suspect I’ve acquired more aggregate data in the last year than in all of the previous nine years put together. Not more media, mind you, more data. At least more nulls, but we’ve got to read those too, right?

Four 2TB hard drives proved barely enough capacity to hold the working copies of data acquired last weekend, even after I compressed some of it. It took two days to consolidate the various target media onto a pair of 2TB drives and thirteen hours to clone and hash each drive using the very latest drive-to-drive tools. Kudos to Voom Technologies, Inc. (voomtech.com) for its terrific Hardcopy 3P hard drive data capture unit. At 5+GB per minute, it’s a data moving marvel. I shudder to think how long the imaging and cloning would have taken using the usual software imaging tools over USB 2.0, but I’m certain I’d still be freezing my ass off in a server room in Louisiana but for Hardcopy.

The upside of a hardware imager is that it’s incredibly fast. The downside is that you’ve got to grab the entire drive. So you’re offsite faster, but the data volume to process back in the lab is huge now that we’re encountering terabyte drives in the field. Seek to acquire anything less than the entire drive (as is common in e-discovery collection efforts), and you’re relegated to the interface speed--typically USB 2.0 for an external hard drive unless you crack the enclosure and get the drive write blocked and on bus, USB 3.0 or eSATA. Note to self: Add glue to field kit for when plastic tabs break off while opening shoddy enclosures.

At USB 2.0 transfer speeds, multi-terabyte acquisitions are measured in days, not hours. I’m a good lawyer, but I haven’t found a loophole in the laws of physics that govern transfer speeds. Moving lots of data takes too long.

Of course, terabyte data volumes also slow search, indexing, volume refinement, file carving and other key tasks. Most of the volume is nulls, but you have to read those nulls at least once to identify and ignore them. If you acquire drives raw and fast, you’ll invest time back at the lab to compress the data. It all ratchets up the cost of digital forensics, tending to make it less accessible in civil cases and adding to budget burdens of law enforcement.

If you’re thinking, “more hours mean more money to me,” beware. That’s golden goose money. Like the now-struggling e-discovery service providers who were profitable only while gouging customers, profiting near-term from what destroys your business long term is not sustainable. In the end, the commercial viability of computer forensics flows from its broad acceptance and use, fostered by reducing its cost.

We need faster ways to leave those nulls behind, or those predicting the end of forensics may end up being right…finally.

### Installing pescanner.py on Windows

I don't often work with Python scripts, but I recently had an instance where, due to advice from a trusted source, I needed to run pescanner.py, mentioned in the Malware Analyst's Cookbook. In short, what I wanted to do was take a look at a couple of suspicious executable files, having already run several AV scanners to identify and locate those files. Based on what I learned in setting this up, I wanted to share the steps I used to get this script running on Windows XP SP3.

Pescanner.py is a powerful tool that takes a look into a Windows portable executable (PE) file, and reports on "suspicious" elements of the file, if found, based on heuristics identified within the "Pimp my PE" paper. Pescanner.py can also incorporate YARA functionality so that PEiD and ClamAV signatures can be used, as well. This can be extremely valuable to an analyst, as we're all aware how AV alone oftentimes will not detect malware. I've seen cases where malware was detected by the installed AV, only to have the timeline clearly show that at some point further down the road, another file with the same name was dumped on the system, but NOT detected by the same AV.

Install Python: I opted for ActiveState's ActivePython, but you can also get the current distro for Windows from Python.org.

Install Pefile: Do NOT use the pypm utility that ships with ActivePython to install the pefile module; instead go directly to the source and get the latest version. Download the archive and copy the pefile.py and peutils.py files into the Lib directory for your Python installation.

Download pescanner.py: Go here (this is rev. 18, get the most current one available) and get the file; the easiest thing to do is click on "View raw file" and save it where you want it to go. I had some issues getting the script running on Windows 2003, and it came down to the indentations...if you program Python, you may know what I mean. I had selected and copied the code in my browser, and pasted it into a Notepad window; when I saved the code using "View raw file" from the Google Code site, things worked. On my XP system, I pasted the code into an UltraEdit window and saved it.

Installing python-magic: According to this source, you'll need a couple of files to get python-magic installed on your system. First, go get the GnuWin32 file utility, and download the latest archive. Copy magic1.dll to your system32 directory and put the magic file in the same directory as pescanner.py. You can get regex2.dll from the latest regex archive (copy the file to your system32 dir), and zlib1.dll from the latest zlib archive.

For this one, I contacted MHL (one of the Cookbook authors...) and he sent me the below instructions for installing python-magic on Windows:

Assuming you already have Python from python.org or the ActivePython version...

1) Install setuptools
2) Get python-magic
   * python setup.py build
   * python setup.py install
3) Get the GnuWin32's File utility
   * Place magic1.dll from the Binaries package into your system32 dir
   * Place "magic" from the Binaries package into your system32 dir (or anywhere else, just as long as you remember the path)
   * Place zlib1.dll and regex2.dll from the Dependencies package into your system32 dir

```
C:\> python
>>> import magic
>>> # raw string: in a plain string the '\t' in 'C:\path\to\...' would become a tab
>>> test = magic.Magic(magic_file=r'C:\path\to\your\magic')
>>> print test.from_buffer("test")
ASCII text, with no line terminators
```

Again, many thanks to MHL for providing those instructions.

Another lesson here is to not stick with one tool or one set of tools, but instead be open to finding and using a tool or technique that works, and incorporating it into your toolkit. While Perl has the Parse::Win32Registry module and Python does not appear to have something comparable, Python does have the pefile module (on which pescanner.py was built) and Perl does not have (to the best of my knowledge) a comparable module. So rather than fitting the case to the tool, it's often a much better idea (albeit not easier) to find a tool or technique that will help you with your case.

### SSD data cannot be 100% destroyed

The truth SSD vendors don't tell you: SSD data is hard to delete completely

Michael Wei is a member of the Non-Volatile Systems Laboratory (NVSL) at the University of California, San Diego, which specialises in SSD research. The NVSL team found that after using the U.S. Air Force's data-deletion method to erase a 1GB file on an SSD, 5.8~7.3% of the data could still be recovered; on a USB flash drive, as much as 63.5% of the data could be recovered.

The NVSL team tested 13 data-destruction methods adopted officially by various countries, including the Gutmann pattern common in deletion software, the British HMG IS5 pattern, the German VSITR pattern, the Russian pattern (also given as German VSITR), and even the U.S. Department of Defense's US DoD 5220.22-M. They wrote a 1GB file onto SSDs and USB flash drives and deleted it with each of these 13 methods; tens or even hundreds of MB of the data could still be recovered, and none of the methods wiped the file thoroughly.

Three limitations of SSD flash memory storage

The smallest unit an SSD writes is a page. The page size depends on the flash memory the SSD uses and can be 2,048, 4,096 or 8,192 Bit, among others; one page of data is written at a time. Erasing, however, cannot be done one page at a time: a whole batch of pages must be erased together. This batch-erase unit is the block, and a block is usually 64 or 128 pages, or more, such as 128 or 256.

SSDs differ greatly from traditional hard drives
The architecture an SSD uses to access data is completely different from a traditional hard drive. An SSD inserts a Flash Translation Layer (FTL) between the file system and the physical storage layer. The FTL provides the mapping between the two, so the operating system still sees a file system just like a hard drive's, but when data is actually stored the FTL scatters it across different locations to avoid concentrating writes on a few areas.

When an SSD writes data, the FTL moves the actual storage location in order to use every internal location evenly, so the location seen by the operating system is not necessarily the actual location and order in which the data is stored. Traditional hard drives have no FTL, and the operating system's view matches the drive's physical locations.

SSDs trade erase reliability for performance and lifespan

The SSD's TRIM mechanism first marks the data to be deleted as invalid, so the operating system believes the deletion is complete while the data is actually still there; even repeated writes will not necessarily overwrite it.

The FTL is a black box that hides the risk of leftover data

The NVSL team bought 12 common SSDs, with capacities from 32GB to 120GB, including products using MLC and SLC flash memory. They built their own flash memory reader to bypass the FTL's control and read the information actually stored in the flash chips directly, then tested various data-deletion scenarios and approaches to compare the FTL's effect and identify the problems with deleting SSD data.

NVSL found that using the erase commands in the low-level ATA Command set to wipe the entire SSD usually erases the data effectively, but not every SSD supports these commands correctly: in NVSL's tests, one SSD that was given the ATA erase command merely marked the locations as deleted without actually erasing them.
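A toy flash translation layer, added here to illustrate the mechanism the preceding paragraphs describe (no in-place writes, TRIM as a mere marking, reading the chips behind the FTL as NVSL did, and a whole-device erase). It is not NVSL's code; the page and block counts and the "SECR" payload are invented for the demonstration.

```python
# Toy FTL: logical pages are remapped on every write, so overwriting a file
# through the file system leaves its earlier copies in the flash cells.
PAGES_PER_BLOCK = 4     # real parts use 64-256 pages per erase block (see text)
BLOCKS = 4

class ToyFTL:
    def __init__(self):
        self.flash = [[None] * PAGES_PER_BLOCK for _ in range(BLOCKS)]  # raw cells
        self.l2p = {}            # logical page -> (block, page) the FTL maps it to
        self.next_free = 0       # next never-written physical page (no in-place writes)

    def _alloc(self):
        if self.next_free >= BLOCKS * PAGES_PER_BLOCK:
            raise RuntimeError("no erased pages left; GC would erase a block here")
        blk, pg = divmod(self.next_free, PAGES_PER_BLOCK)
        self.next_free += 1
        return blk, pg

    def write(self, lpage, data):
        """Logical write: the old copy is merely unmapped, data lands on a fresh page."""
        blk, pg = self._alloc()
        self.flash[blk][pg] = data
        self.l2p[lpage] = (blk, pg)

    def read(self, lpage):
        """What the operating system sees through the FTL."""
        blk, pg = self.l2p[lpage]
        return self.flash[blk][pg]

    def trim(self, lpage):
        """TRIM: the page is marked invalid (unmapped); the cells are untouched."""
        self.l2p.pop(lpage)

    def raw_dump(self):
        """Bypass the FTL like NVSL's chip reader: every cell, mapped or stale."""
        return [c for block in self.flash for c in block if c is not None]

    def secure_erase(self):
        """Whole-device erase, as a correctly implemented ATA erase command does."""
        self.flash = [[None] * PAGES_PER_BLOCK for _ in range(BLOCKS)]
        self.l2p.clear()
        self.next_free = 0

def remnants_after_overwrite(passes=(b"\x00" * 4, b"\xff" * 4, b"\xaa" * 4)):
    """Write a secret, then 'wipe' it with a multi-pass overwrite through the FTL.
    Returns (what the OS reads back, how many stale copies the raw flash holds)."""
    ftl = ToyFTL()
    ftl.write(0, b"SECR")
    for pattern in passes:
        ftl.write(0, pattern)
    return ftl.read(0), ftl.raw_dump().count(b"SECR")

def remnants_after_trim():
    """Delete via TRIM: the OS can no longer read the page, the chips still hold it."""
    ftl = ToyFTL()
    ftl.write(0, b"SECR")
    ftl.trim(0)
    return 0 not in ftl.l2p, b"SECR" in ftl.raw_dump()

def remnants_after_secure_erase():
    """Only an erase that hits every block actually clears the cells."""
    ftl = ToyFTL()
    ftl.write(0, b"SECR")
    ftl.write(0, b"\x00" * 4)
    ftl.secure_erase()
    return ftl.raw_dump()
```

The SSD that only marked locations as deleted in NVSL's test behaves like `trim()` here even for the whole-device command, which is why a chip-level read is the only way to confirm an erase.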

HDDerase runs only in DOS mode and lets users issue the Secure Erase command. The software can perform four levels of erase command, ordered by security level: Normal File Deletion, DoD 5220 Block Erase, Secure Erase and NIST 800-88 Enhanced Secure Erase.

4 ways to destroy SSD data

After repeated overwriting, most SSD data is almost unrecognisable.

Once the flash chips inside an SSD are smashed, the data is almost certainly unrecoverable.

Because an SSD has a low heat tolerance and a small area, continuously heating the flash memory with a lighter is enough to destroy it.

## Installation Prerequisites

In order to use Volatility, you will need to install a few prerequisite programs and packages:

• Python 2.6 or greater, but not Python 3.0. Python 2.6 will be used in this guide
• Distorm (Malware Plugins, Volshell)
• Yara (Malware Plugins)
• PyCrypto (Core)
• Subversion Client. We recommend TortoiseSVN for Windows
• 7zip or an application that can unzip zip and gzip files
• MinGW or other C Compiler (for compiling Pycrypto library)

## Windows Installation

This covers how to install Volatility 1.4 on Windows.

### Python Installation

In order to use Volatility, you must first install Python. You should get version 2.6 for Windows. When you download the file, double-click to install and you will see the following security message. Just click Run.
Choose the appropriate install options. Most likely you will want to install for all users on the machine:
The installer will ask you where you would like to install the Python files, the default under C:\Python26 should be fine:
The installer will then give you the option for more advanced install options. Unless you know what you are doing, it will be best to leave all options enabled:
On Vista/Windows7 you may have to confirm that you want to install:
Hit “Next” and Python will now install. Hit “Finish” when installation completes:

#### Setting Environment Variables

After Python is installed, you should make sure that the Python extensions are registered. If you have a regular start menu, click on start and then right click on “Computer” and choose properties. If you have the classic start menu, just right click on “My Computer” and choose properties.
If you have Windows 7 you will see the following screen. Choose "Advanced System Settings". You should see the following (some personal details removed):
Make sure you are on the "Advanced" tab and choose "Environment Variables":
On the next screen find the "Path" variable and click "Edit":
Click on the text and scroll all the way to the end. Append the path of our Python installation to the end of the existing Path variable. Where it says “Variable Value” go to the end of the line and add the following:

```
;C:\Python26
```

The semicolon separates our new Path location from the current values. If the location of your Python installation is different from the above, type the appropriate folder location instead.
Now we are ready to test that we have set up everything correctly. Open a command prompt by clicking on the "Start Menu" and clicking on "Run". For Windows 7, click "Start" and type "cmd" in the search text box and hit "Enter":
Type "python" into the command prompt. You should then see the Python header and the >>> prompt. Type "quit()" to exit. If this works, Python is installed correctly.

### Installing Dependencies

#### Installing MinGW

Occasionally you will need a C/C++ compiler in order to install Python libraries. If you install Distorm3 or Pycrypto from source, you will need a compiler. Download the compiler from the Sourceforge site. Make sure you get the "mingw-get-inst" installer as shown below:
Double click the installer. You should see the following picture. Hit Next to continue.
If you are running as Administrator you will see the following screen. Just hit Next.
You will have a choice to install the latest MinGW build or prepackaged binaries.
Accept the agreement.
Choose a location to install MinGW.
Keep accepting defaults until you get to the "Select Components" screen. Here you will need to make sure you have at least the C++ compiler checked as well as "MSYS Basic System" so you will have the "make" utility.
Hit Next. A black command prompt may appear as things are installing; just ignore it. If all goes well you will see the "Finish" screen. Just hit "Finish".
Add the "bin" directory of MinGW to your path like you did for Python. If you accepted the default installation directory the text to add would be:

```
;C:\MinGW\bin
```

You can test that this works by typing "gcc" plus "Enter" at the command line. You should see "gcc: no input files" if your path variable is set up correctly:

#### Installing Pycrypto

If you do not have a C compiler like MinGW installed, you can install a precompiled version of Pycrypto from www.voidspace.org.uk. If you installed MinGW as above you can install Pycrypto as follows.
To install from source, first go to the Pycrypto repository page. You can download a snapshot as a gzip file:
If you have 7zip installed, right click on the downloaded file and choose open 7zip->Open Archive:
Double click the tar file inside and click the "Extract" button.
Choose a location to extract the folder to:
Once the folder is extracted, open the command prompt and change directory into that folder. In this case, the folder was extracted onto the Desktop, so the command issued is:

```
cd Desktop\pycrypto-2.0.x
```

Once inside you can issue a "dir" command to make sure you have all the files, including "setup.py".
Type the following commands to install (wait until the first one finishes before typing the second one):

```
python setup.py build -c mingw32
python setup.py install
```

As long as you don't see any errors, Pycrypto should be installed correctly.

#### Installing Distorm3

Distorm3 is used by several Malware plugins as well as the Core Volshell plugin. It's easiest to install the precompiled library for Python 2.6, which is the method shown here. Go to the Distorm Google Code page and download the distorm3-1.0.win32.zip which contains the library for Python 2.6. Unzip the file and navigate into the Python26\Lib\site-packages directory:
Copy all contents into your Python 2.6 library location, in this case C:\Python26\Lib\site-packages
You can check the installation by running python and importing distorm3. If you don't see any errors, distorm3 was installed correctly.

#### Installing Yara-Python 1.4a

Download the appropriate yara-python-1.4a.win32-py2.X.exe Windows installer. In this guide we will use yara-python-1.4a.win32-py2.6.exe. Double click the installer and click Next.
The installer should pick up your Python installation. If you have more than one version of Python installed, choose the installation you will be using for Volatility.
Accept all defaults, hitting Next until complete. As long as there are no errors shown, installation should be successful. You can always verify by running Python and typing "import yara".

### Installing TortoiseSVN

In order to get the source code for Volatility 1.4 from the repository, you will need a Subversion (SVN) client. You can download the client from http://tortoisesvn.net/downloads.html. Make sure to choose the correct installer:
Double click the installer and keep hitting next. Accept all defaults and accept the user agreement. Hit "Finish" when the installation completes.
You will be asked to restart your computer after TortoiseSVN is installed.
After restarting, you can verify that TortoiseSVN is installed correctly by right-clicking on the Desktop. If it is installed, you will see it in the menu:

### Installing Volatility 1.4 from SVN

Once you have a Subversion client installed, you can download the latest source code for Volatility 1.4 from the code repository. This guide will use TortoiseSVN. First create a folder where you want to keep the Volatility source code. For this guide we will create a folder "C:\Volatility 1.4". Go inside this folder and right-click, bringing up the menu options for TortoiseSVN. Choose "SVN Checkout":
Type the following URL for the repository:

```
http://volatility.googlecode.com/svn/branches/Volatility-1.4_rc1
```
All other defaults should be fine, click OK. When the repository is finished downloading click OK to close out.
You should then see all the Volatility source code in the folder.
To use Volatility, open a command line and navigate to the Volatility source directory. In this case:

```
cd "c:\Volatility 1.4"
```

Then type:

```
python vol.py -h
```

You should see a long list of output that includes all of the plugins that are available. For more information on how to use Volatility, check out BasicUsage and CommandReference.