How to Install and Uninstall volatility Package on Ubuntu 16.04 LTS (Xenial Xerus)

Last updated: May 19, 2024

1. Install "volatility" package

Run the following commands to install volatility on Ubuntu 16.04 LTS (Xenial Xerus):

$ sudo apt update
$ sudo apt install volatility

2. Uninstall "volatility" package

Please follow the instructions below to uninstall volatility on Ubuntu 16.04 LTS (Xenial Xerus):

$ sudo apt remove volatility
$ sudo apt autoclean && sudo apt autoremove

3. Information about the volatility package on Ubuntu 16.04 LTS (Xenial Xerus)

Package: volatility
Priority: optional
Section: universe/utils
Installed-Size: 15486
Maintainer: Ubuntu Developers
Original-Maintainer: Debian Forensics
Architecture: all
Version: 2.5-1
Depends: python2.7, python:any (<< 2.8), python:any (>= 2.7.5-5~), python-crypto, python-distorm3, python-imaging, python-openpyxl, python-tz, python-yara, volatility-tools (>= 2.4.1-1)
Suggests: lime-forensics-dkms, libraw1394-11
Filename: pool/universe/v/volatility/volatility_2.5-1_all.deb
Size: 787198
MD5sum: 7f2e053d93171a02053c5ce283ef65a9
SHA1: a4eba492dc71ce62c3a4a1ebb7537640e3cff8d6
SHA256: f242c2c1072a44f63cf97c372f33c2b581fd30191d113f21295e51433a9f73f6
Description-en: advanced memory forensics framework
The Volatility Framework is a completely open collection of tools for
the extraction of digital artifacts from volatile memory (RAM) samples.
It is useful in forensics analysis. The extraction techniques are
performed completely independent of the system being investigated but
offer unprecedented visibility into the runtime state of the system.
.
Volatility supports memory dumps from all major 32- and 64-bit Windows
versions and service packs. Whether your memory dump is in raw format,
a Microsoft crash dump, hibernation file, or virtual machine snapshot,
Volatility is able to work with it.
.
Linux memory dumps in raw or LiME format are supported too. There are
several plugins for analyzing memory dumps from 32- and 64-bit Linux
kernels and relevant distributions such as Debian, Ubuntu, OpenSuSE,
RedHat, Fedora, CentOS, Mandriva, etc.
.
Volatility also support several versions of Mac OSX memory dumps, both
32- and 64-bit. Android phones with ARM processors are also supported.
.
These are some of the data that can be extracted from a memory image:
- Image information (date, time, CPU count);
- Running processes;
- Open network sockets and connections;
- OS kernel modules loaded;
- Memory maps for each process;
- Executables samples;
- Command history;
- Suspicious process mappings (i.e. injected code);
- Passwords, as LM/NTLM hashes and LSA secrets;
- Cached Truecrypt passphrases;
- Others.
.
Current version (2.5) supports investigations of the memory images from
these operational systems:
- 64-bit Windows Server 2012 and 2012 R2
- 32- and 64-bit Windows 10 (initial/basic support)
- 32- and 64-bit Windows 8, 8.1, and 8.1 Update 1
- 32- and 64-bit Windows 7 (all service packs)
- 32- and 64-bit Windows Server 2008 (all service packs)
- 64-bit Windows Server 2008 R2 (all service packs)
- 32- and 64-bit Windows Vista (all service packs)
- 32- and 64-bit Windows Server 2003 (all service packs)
- 32- and 64-bit Windows XP (SP2 and SP3)
- 32- and 64-bit Linux kernels from 2.6.11 to 4.2.3
- 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which
isn't supported)
- 32- and 64-bit 10.6.x Snow Leopard
- 32- and 64-bit 10.7.x Lion
- 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
- 64-bit 10.9.x Mavericks (there is no 32-bit version)
- 64-bit 10.10.x Yosemite (there is no 32-bit version)
- 64-bit 10.11.x El Capitan (there is no 32-bit version)
.
Volatility supports a variety of sample file formats:
- Raw/Padded Physical Memory;
- Firewire (IEEE 1394);
- Expert Witness (EWF);
- 32- and 64-bit Windows Crash Dump;
- 32- and 64-bit Windows Hibernation;
- 32- and 64-bit MachO files;
- Virtualbox Core Dumps;
- VMware Saved State (.vmss) and Snapshot (.vmsn);
- HPAK Format (FastDump);
- QEMU memory dumps.
Description-md5: 8465ad638aea08e250ec4819b0a6b43b
Homepage: http://www.volatilityfoundation.org
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu