Compiling an up-to-date Standalone EXE of Volatility 2.6 in Windows

The Windows standalone exe version of Volatility 2.6 at https://www.volatilityfoundation.org/releases does not seem to contain all the latest Windows 10 profiles that are in the latest Python source. All is not lost: you can compile your own standalone executable by following these simple steps.

Volatility 2.6 only works with Python 2.7 (and earlier). Make sure you download the 64-bit version of the various installers.

  1. Install Python 2.7 – https://www.python.org/downloads/release/python-2717/ – Ensure you select the option to add python to your path.
  2. Install Visual C++ Compiler Package for Python – https://www.microsoft.com/en-gb/download/details.aspx?id=44266
  3. Install Visual C++ 2008 (x64) Redistributable – https://www.microsoft.com/en-gb/download/details.aspx?id=15336

At this point you may want to reboot to ensure everything is updated correctly.

4. Install PIL – you can find a link to the 64 Bit Install package at https://stackoverflow.com/questions/19244057/obtaining-pil-instead-of-pillow-for-python-2-7-64-bit-on-windows

5. Install PyCrypto – http://www.voidspace.org.uk/python/pycrypto-2.6.1/

6. Install Yara-Python – https://github.com/VirusTotal/yara-python/releases

7. Install Distorm3 – https://github.com/gdabah/distorm/releases/tag/v3.3.4

8. Once those installs are done, launch Python and install OpenPyxl and PyInstaller. With regard to PyInstaller, I had issues with 3.6, so use 3.5 instead:

pip install OpenPyxl

pip install pyinstaller==3.5

9. Download and extract the latest version of UPX – https://github.com/upx/upx/releases – this helps keep the size of the exe as small as possible. You will need to supply the path to the directory containing the UPX exe in the pyinstaller command.

10. Download and extract the latest version of volatility – https://github.com/volatilityfoundation/volatility

11. Then finally change into the volatility directory and compile the exe:

pyinstaller --onefile --upx-dir /path/to/upx/directory pyinstaller.spec

When that is all complete you should have a compiled standalone version of Volatility in the dist folder. You can now run Volatility from the command line in Windows.

volatility.exe --info
Volatility Foundation Volatility Framework 2.6.1

Profiles

VistaSP0x64 – A Profile for Windows Vista SP0 x64
VistaSP0x86 – A Profile for Windows Vista SP0 x86
VistaSP1x64 – A Profile for Windows Vista SP1 x64
VistaSP1x86 – A Profile for Windows Vista SP1 x86
VistaSP2x64 – A Profile for Windows Vista SP2 x64
VistaSP2x86 – A Profile for Windows Vista SP2 x86
Win10x64 – A Profile for Windows 10 x64
Win10x64_10240_17770 – A Profile for Windows 10 x64 (10.0.10240.17770 / 2018-02-10)
Win10x64_10586 – A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)
Win10x64_14393 – A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)
Win10x64_15063 – A Profile for Windows 10 x64 (10.0.15063.0 / 2017-04-04)
Win10x64_16299 – A Profile for Windows 10 x64 (10.0.16299.0 / 2017-09-22)
Win10x64_17134 – A Profile for Windows 10 x64 (10.0.17134.1 / 2018-04-11)
Win10x64_17763 – A Profile for Windows 10 x64 (10.0.17763.0 / 2018-10-12)
Win10x64_18362 – A Profile for Windows 10 x64 (10.0.18362.0 / 2019-04-23)
Win10x86 – A Profile for Windows 10 x86
Win10x86_10240_17770 – A Profile for Windows 10 x86 (10.0.10240.17770 / 2018-02-10)
Win10x86_10586 – A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28)
Win10x86_14393 – A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16)
Win10x86_15063 – A Profile for Windows 10 x86 (10.0.15063.0 / 2017-04-04)
Win10x86_16299 – A Profile for Windows 10 x86 (10.0.16299.15 / 2017-09-29)
Win10x86_17134 – A Profile for Windows 10 x86 (10.0.17134.1 / 2018-04-11)
Win10x86_17763 – A Profile for Windows 10 x86 (10.0.17763.0 / 2018-10-12)
Win10x86_18362 – A Profile for Windows 10 x86 (10.0.18362.0 / 2019-04-23)
Win2003SP0x86 – A Profile for Windows 2003 SP0 x86
Win2003SP1x64 – A Profile for Windows 2003 SP1 x64
Win2003SP1x86 – A Profile for Windows 2003 SP1 x86
Win2003SP2x64 – A Profile for Windows 2003 SP2 x64
Win2003SP2x86 – A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 – A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 – A Profile for Windows 2008 R2 SP1 x64
Win2008R2SP1x64_23418 – A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win2008R2SP1x64_24000 – A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.24000 / 2016-04-09)
Win2008SP1x64 – A Profile for Windows 2008 SP1 x64
Win2008SP1x86 – A Profile for Windows 2008 SP1 x86
Win2008SP2x64 – A Profile for Windows 2008 SP2 x64
Win2008SP2x86 – A Profile for Windows 2008 SP2 x86
Win2012R2x64 – A Profile for Windows Server 2012 R2 x64
Win2012R2x64_18340 – A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13)
Win2012x64 – A Profile for Windows Server 2012 x64
Win2016x64_14393 – A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16)
Win7SP0x64 – A Profile for Windows 7 SP0 x64
Win7SP0x86 – A Profile for Windows 7 SP0 x86
Win7SP1x64 – A Profile for Windows 7 SP1 x64
Win7SP1x64_23418 – A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win7SP1x64_24000 – A Profile for Windows 7 SP1 x64 (6.1.7601.24000 / 2018-01-09)
Win7SP1x86 – A Profile for Windows 7 SP1 x86
Win7SP1x86_23418 – A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09)
Win7SP1x86_24000 – A Profile for Windows 7 SP1 x86 (6.1.7601.24000 / 2018-01-09)
Win81U1x64 – A Profile for Windows 8.1 Update 1 x64
Win81U1x86 – A Profile for Windows 8.1 Update 1 x86
Win8SP0x64 – A Profile for Windows 8 x64
Win8SP0x86 – A Profile for Windows 8 x86
Win8SP1x64 – A Profile for Windows 8.1 x64
Win8SP1x64_18340 – A Profile for Windows 8.1 x64 (6.3.9600.18340 / 2016-05-13)
Win8SP1x86 – A Profile for Windows 8.1 x86
WinXPSP1x64 – A Profile for Windows XP SP1 x64
WinXPSP2x64 – A Profile for Windows XP SP2 x64
WinXPSP2x86 – A Profile for Windows XP SP2 x86
WinXPSP3x86 – A Profile for Windows XP SP3 x86
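Since the reason for rebuilding is the missing Windows 10 profiles, it is worth checking the new exe for the profiles a case needs before relying on it. The script below is an added example, not part of the original post or of Volatility: it parses the Profiles section of `--info` output and reports any required profile that is absent. The sample text and the profile name `Win10x64_99999` are constructed for illustration, and `dist\volatility.exe` is an assumed output path.

```python
import re
import subprocess

# Matches "Name - A Profile for <description>"; accepts "-" or the en dash
# that blog rendering substitutes. Plugin lines lack "A Profile for".
PROFILE_LINE = re.compile(u"^\\s*(\\w+)\\s+[-\u2013]\\s+A Profile for (.+?)\\s*$")

# Constructed sample of `volatility.exe --info` output (not a real capture).
SAMPLE_INFO = u"""Volatility Foundation Volatility Framework 2.6.1

Profiles
--------
Win10x64_17763 - A Profile for Windows 10 x64 (10.0.17763.0 / 2018-10-12)
Win10x64_18362 \u2013 A Profile for Windows 10 x64 (10.0.18362.0 / 2019-04-23)
Win7SP1x64     - A Profile for Windows 7 SP1 x64

Plugins
-------
pslist - Print all running processes by following the EPROCESS lists
"""


def parse_profiles(info_text):
    """Return {profile_name: description} from --info output."""
    profiles = {}
    for line in info_text.splitlines():
        match = PROFILE_LINE.match(line)
        if match:
            profiles[match.group(1)] = match.group(2)
    return profiles


def missing_profiles(info_text, required):
    """Return the required profile names the build does not offer."""
    have = parse_profiles(info_text)
    return [name for name in required if name not in have]


def query_exe(exe_path):
    """Run the built exe and return its --info text (stdout and stderr)."""
    out = subprocess.check_output([exe_path, "--info"], stderr=subprocess.STDOUT)
    return out.decode("utf-8", "replace")


if __name__ == "__main__":
    # Assumed path: PyInstaller writes the exe into the dist folder.
    text = query_exe(r"dist\volatility.exe")
    # Win10x64_99999 is a constructed name that no build will contain.
    print(missing_profiles(text, ["Win10x64_18362", "Win10x64_99999"]))
```
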
