8:50 p.m.
I am trying to develop a step-by-step guide for installation and use of
Volatility and Python in *Windows* as many of our users have a different
knowledge level.
I was wondering if anyone has any "best practice" guidelines for:
1. If you install Python, would it be preferable to change the Path in
Environment Variables to allow Python to be recognized by any directory?
2. Where should I install Volatility to (Python directory, it's own
directory)? Should this directory be "pathed" as well? I am trying to
reduce the complexity of the command line to run the program.
3. Is if preferable to have the memory image in any specific directory?
4. I am getting a warning, although can still get an output. The error is:
"c:\python26\forensics\win32\crashdump.py:31:31: DeprecationWarning: the sha
module is deprecated; use the hashlib module instead
import sha "
Any guidance would be appreciated.
Darren Sabourin
Forensic Analyst
Royal Canadian Mounted Police
Regina, Saskatchewan CANADA
ph. (306) 780-7334
10:05 p.m.
Responses inline...
On Nov 15, 2008, at 8:50 PM, STC wrote:
I am trying to develop a step-by-step guide for
installation and
use of Volatility and Python in Windows as many of our users have a
different knowledge level.
I was wondering if anyone has any "best practice" guidelines for:
1. If you install Python, would it be preferable to change the
Path in Environment Variables to allow Python to be recognized by
any directory?
Yes; I believe many installations of python do this by default (for
example ActiveState's). But it definitely helps to be able to run
python from anywhere.
2. Where should I install Volatility to (Python
directory, it's
own directory)? Should this directory be "pathed" as well? I am
trying to reduce the complexity of the command line to run the
program.
Right now it's preferable for Volatility to run from its own
directory. When plugins are loaded, the memory_plugins directory in
the current directory is searched for, so if you're running
volatility somewhere else, it won't find the plugins you've put in
the normal memory_plugins directory. The most common setup is to just
run Volatility from the directory you unpacked it into.
3. Is if preferable to have the memory image in any
specific
directory?
Somewhere easy to type :) Since you end up giving the path to every
command, it gets tiresome if the path to your memory images is 100
characters long. I personally use c:\memory_images\ on Windows, and ~/
memory_images on Linux.
4. I am getting a warning, although can still get an output. The
error is:
"c:\python26\forensics\win32\crashdump.py:31:31:
DeprecationWarning: the sha module is deprecated; use the hashlib
module instead
import sha "
Interesting, I haven't tried Volatility with Python 2.6 yet. Looking
at the module in question, I don't actually see anywhere that sha is
used. I'll make a note to look whether we can just remove that.
Any guidance would be appreciated.
Do you have any plans to release the guide to the general public?
Good documentation is always a welcome contribution!
Cheers,
Brendan Dolan-Gavitt
Darren Sabourin
Forensic Analyst
Royal Canadian Mounted Police
Regina, Saskatchewan CANADA
ph. (306) 780-7334
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
12:27 p.m.
I certainly could. The guide is meant to include many Live Memory products
that are currently available. I'm waiting for my F-Response shipment and
testing to push out a more complete guide. It's the type of guide that
would also welcome feedback and suggestions on "ways to do things better".
Stay tuned.
Darren Sabourin
On Sat, Nov 15, 2008 at 9:05 PM, Brendan Dolan-Gavitt <
bdolangavitt(a)wesleyan.edu> wrote:
Responses inline...
Any guidance would be appreciated.
Do you have any plans to release the guide to the general public? Good
documentation is always a welcome contribution!
Cheers,
Brendan Dolan-Gavitt
**
5842
days inactive
5842
days old
vol-users@lists.volatilityfoundation.org
2 comments
2 participants
participants (2)
-
Brendan Dolan-Gavitt -
STC