# Memory

## Installing Vol 2,3

<https://seanthegeek.net/1172/how-to-install-volatility-2-and-volatility-3-on-debian-ubuntu-or-kali-linux/>

## Installing Volatility

* Python2

```bash
sudo apt install -y build-essential git libdistorm3-dev yara libraw1394-11 libcapstone-dev capstone-tool tzdata
sudo apt install -y python2 python2.7-dev libpython2-dev
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
sudo python2 get-pip.py
sudo python2 -m pip install -U setuptools wheel
python2 -m pip install -U distorm3 yara pycrypto pillow openpyxl ujson pytz ipython capstone
sudo python2 -m pip install yara
sudo ln -s /usr/local/lib/python2.7/dist-packages/usr/lib/libyara.so /usr/lib/libyara.so
python2 -m pip install -U git+https://github.com/volatilityfoundation/volatility.git
```

* Python3

```bash
sudo apt install -y python3 python3-dev libpython3-dev python3-pip python3-setuptools python3-wheel
python3 -m pip install -U distorm3 yara pycrypto pillow openpyxl ujson pytz ipython capstone
python3 -m pip install -U git+https://github.com/volatilityfoundation/volatility3.git
```

## Convert between formats

The **qemu-img convert** command converts images between multiple formats, including `qcow2`, `qed`, `raw`, `vdi`, `vhd`, and `vmdk`.

```bash
qemu-img convert -f raw -O qcow2 image.img image.qcow2
```

> **Reference**: <https://docs.openstack.org/image-guide/convert-images.html>

## Create Volatility-2 Profile

* Determine OS and Kernel version

```bash
# vol3
python3 vol.py -f PVE.vmem banners
# Or using strings
strings PVE.vmem | grep -i "Linux version"
```

```bash
git clone https://github.com/hanasuru/vol_profile_builder
cd vol_profile_builder
# Build volatility2 profile for Ubuntu Xenial (16.04) with 4.4.0-186-generic kernel
./build.sh 16.04 4.4.0-186-generic
```

Loading the profile

```bash
cp <Profile>.zip ~/tools/volatility/volatility/plugins/overlays/linux
# Verify
python2 ~/tools/volatility/vol.py --info
```
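
An added example, not part of the original notes and not code from Volatility or vol_profile_builder: the `strings` route for the "Determine OS and Kernel version" step, scanning a raw image for kernel banners and deriving the two `build.sh` arguments. The function names and the heuristic that reads the Ubuntu release from the `~16.04`-style package suffix in the banner are assumptions.

```python
import re
import sys
from collections import Counter

# linux_banner as found in RAM: "Linux version <release> (<builder>) (<compiler>) #<build> ..."
# Bounded quantifiers keep every match under 512 bytes, the overlap used below.
BANNER_RE = re.compile(
    rb"Linux version (\d{1,3}\.\d{1,3}\.\d{1,3}[\w.+-]{0,64}) \([\x20-\x7e]{1,400}")
# Assumption (heuristic): Ubuntu compiler package versions embed the release, e.g. "~16.04.12".
UBUNTU_RE = re.compile(rb"~(\d{2}\.\d{2})")


def find_banners(path, chunk_size=1 << 20, overlap=512):
    """Count each distinct kernel banner in a raw image, reading it in chunks."""
    counts, tail = Counter(), b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            data = tail + chunk
            # Hold back the last `overlap` bytes so a banner split across two
            # reads is matched whole, and exactly once, on the next pass.
            cutoff = len(data) - overlap if chunk else len(data)
            for m in BANNER_RE.finditer(data):
                if m.start() < cutoff:
                    counts[m.group(0)] += 1
            if not chunk:
                return counts
            tail = data[max(cutoff, 0):]


def profile_target(path):
    """Return (ubuntu_release or None, kernel_release, banner) for the commonest banner."""
    counts = find_banners(path)
    if not counts:
        raise ValueError("no Linux kernel banner found in image")
    # Banners of other kernels (logs, cached files) can also appear; prefer the most frequent.
    banner = counts.most_common(1)[0][0]
    kernel = BANNER_RE.match(banner).group(1).decode()
    release = UBUNTU_RE.search(banner)
    return (release.group(1).decode() if release else None), kernel, banner.decode()


if __name__ == "__main__":
    release, kernel, banner = profile_target(sys.argv[1])  # e.g. PVE.vmem
    print(banner)
    print(f"./build.sh {release or '<ubuntu-release>'} {kernel}")
```

If the release comes back as `None`, the banner is not from an Ubuntu-packaged compiler and the first `build.sh` argument has to be determined another way.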

## Create volatility-3 Profile

* <https://fahriguresci.com/create-specific-volatility-profile-and-symbol-table/>

Loading the profile

```bash
cp <Profile>.json /home/kali/.local/lib/python3.11/site-packages/volatility3/framework/symbols/linux/
```

## Command history

* Linux

```
linux_bash
linux_bash_hash
```

## Credentials Hunting

* **Environment Variables**
* **Lsass**
* **Notepad**
* **Clipboard**
* **Browser Password Managers**
* **Cookies**
