# Volatility2 Installation Guide for Kali Linux (ARM64) 2025

## Overview

This guide provides step-by-step instructions for installing Volatility2 on Kali Linux ARM64 (Apple Silicon M2/M3 or other ARM-based systems) with a working `shellbags` plugin. The plugin only loads against one specific line of the `construct` library, which is what most of the steps below are about.

**Tested on:**

* Kali Linux ARM64 (2025.x+)
* Python 2.7.18
* Architecture: aarch64

## Table of Contents

1. Prerequisites
2. Installation Steps
3. Verification
4. Usage Examples
5. Troubleshooting
6. Side Notes

## Prerequisites

#### Required System Packages

```bash
sudo apt update
sudo apt install -y python2 python2-dev git build-essential wget
```

#### Why These Packages?

* `python2` - Volatility2 requires Python 2.7 (deprecated but necessary)
* `python2-dev` - Development headers for compiling Python modules
* `git` - For cloning Volatility2 repository
* `build-essential` - Compiler tools (gcc, make, etc.)
* `wget` - For downloading pip installer

## Installation Steps

### Step 1: Install pip for Python 2.7

Since pip2 is no longer available in Kali's repositories, install it manually:

```bash
# Navigate to temporary directory
cd /tmp

# Download pip installer for Python 2.7
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py

# Install pip (ignore deprecation warnings)
sudo python2 get-pip.py
```

### Step 2: Fix setuptools and Install Dependencies

The key to making shellbags work is installing the correct versions of dependencies:

```bash
# Upgrade setuptools to compatible version
sudo python2 -m pip install --upgrade setuptools==44.1.1

# Install importlib (required for newer packages)
sudo python2 -m pip install importlib

# Install six (required by construct)
sudo python2 -m pip install six

# Install construct 2.5.5 (CRITICAL for shellbags to work)
sudo python2 -m pip install construct==2.5.5-reupload
```

**⚠️ IMPORTANT:** the shellbags plugin REQUIRES `construct` 2.5.5 (the PyPI release that still installs on Python 2.7 is named `2.5.5-reupload`). Newer versions (2.9+) are NOT compatible: the plugin imports and raises an `AttributeError` as soon as it is run.

### Step 3: Install Additional Dependencies

```bash
# Install distorm3 (for disassembly)
sudo python2 -m pip install distorm3

# Install pycrypto (for cryptographic functions)
sudo python2 -m pip install pycrypto
```

**Note:** Some packages like `pycryptodome`, `yara-python`, `pillow`, `openpyxl`, and `ujson` may fail on Python 2.7 ARM64. They are optional and not required for shellbags functionality.

### Step 4: Clone and Install Volatility2

```bash
# Navigate to home directory
cd ~

# Clone Volatility2 repository
git clone https://github.com/volatilityfoundation/volatility.git

# Navigate to volatility directory
cd volatility

# Run Volatility2 directly (no installation needed)
python2 vol.py -h
```

## Verification

### Test Basic Functionality

```bash
cd ~/volatility

# Check version (printed as the first line of every vol.py run)
python2 vol.py -h 2>&1 | head -n 1

# List available plugins
python2 vol.py --info | head -20

# Verify shellbags plugin exists
python2 vol.py --info | grep shellbags
```

**Expected output for shellbags:**

```
shellbags     Prints ShellBags info
```

### Test with Memory Dump

```bash
# Test with a memory dump file
python2 vol.py -f /path/to/memory.raw imageinfo

# Test shellbags plugin
python2 vol.py -f /path/to/memory.raw --profile=Win7SP1x64 shellbags
```
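The four installation steps and the verification checks above, collected into one script. This is an added example, not code from the original guide or from the Volatility project. It assumes the guide's layout (Volatility2 cloned into `~/volatility`, Python packages installed system-wide with `sudo`) and the version pins stated above; the `install` argument is a hypothetical switch so that sourcing the file only defines the functions and runs nothing.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): Steps 1-4 plus verification.
# Assumes: Volatility2 in ~/volatility (override with VOL2_DIR), sudo for
# system-wide installs. Usage:  bash vol2_install.sh install
set -eu

VOL2_DIR="${VOL2_DIR:-${HOME:-$PWD}/volatility}"
CONSTRUCT_PIN="2.5.5-reupload"   # the construct line the shellbags plugin needs
SETUPTOOLS_PIN="44.1.1"          # last setuptools line that still supports Python 2.7

# Return 0 if a construct version string is the 2.5.5 line that shellbags
# works with, 1 for anything else (2.9.x / 2.10.x break the plugin, and
# "missing" means the import failed).
construct_version_ok() {
    case "$1" in
        2.5.5|2.5.5-*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Print the installed construct version, or "missing" if it cannot be imported.
installed_construct_version() {
    python2 -c 'import construct; print(construct.__version__)' 2>/dev/null || echo missing
}

# Steps 1-3: pip for Python 2.7, then the pinned dependency set.
install_python2_deps() {
    sudo apt update
    sudo apt install -y python2 python2-dev git build-essential wget
    local tmp
    tmp="$(mktemp -d)"          # private directory instead of a predictable /tmp path
    wget -qO "$tmp/get-pip.py" https://bootstrap.pypa.io/pip/2.7/get-pip.py
    sudo python2 "$tmp/get-pip.py"
    rm -rf "$tmp"
    sudo python2 -m pip install --upgrade "setuptools==$SETUPTOOLS_PIN"
    sudo python2 -m pip install importlib six "construct==$CONSTRUCT_PIN" distorm3 pycrypto
}

# Step 4: clone the Volatility2 checkout, or fast-forward an existing one.
install_volatility2() {
    if [ -d "$VOL2_DIR/.git" ]; then
        git -C "$VOL2_DIR" pull --ff-only
    else
        git clone https://github.com/volatilityfoundation/volatility.git "$VOL2_DIR"
    fi
}

# Verification: fail loudly if construct is the wrong line or the plugin is absent.
verify_install() {
    local ver
    ver="$(installed_construct_version)"
    if ! construct_version_ok "$ver"; then
        echo "construct is '$ver', shellbags needs $CONSTRUCT_PIN" >&2
        return 1
    fi
    if ! python2 "$VOL2_DIR/vol.py" --info 2>/dev/null | grep -qw shellbags; then
        echo "shellbags plugin not listed by vol.py --info" >&2
        return 1
    fi
    echo "OK: construct $ver, shellbags plugin present"
}

if [ "${1:-}" = "install" ]; then
    install_python2_deps
    install_volatility2
    verify_install
fi
```

Run it once with `bash vol2_install.sh install`. Afterwards `verify_install` can be rerun on its own (for example after a stray `pip install --upgrade construct`); it exits non-zero when the `construct` line or the plugin is wrong, which is exactly the failure the Troubleshooting section below describes.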

## Usage Examples

### Basic Commands

{% hint style="info" %}
Based on file `victim.raw` from THM Room Forensics
{% endhint %}

```bash
# Navigate to Volatility directory
cd ~/volatility

# Get image information
python2 vol.py -f victim.raw imageinfo

# List processes
python2 vol.py -f victim.raw --profile=Win7SP1x64 pslist

# Extract shellbags (folder access history)
python2 vol.py -f victim.raw --profile=Win7SP1x64 shellbags

# Save output to file
python2 vol.py -f victim.raw --profile=Win7SP1x64 shellbags > shellbags_output.txt

# Network connections
python2 vol.py -f victim.raw --profile=Win7SP1x64 netscan

# Malware detection
python2 vol.py -f victim.raw --profile=Win7SP1x64 malfind

# Environment variables for specific PID
python2 vol.py -f victim.raw --profile=Win7SP1x64 envars -p 1234
```

#### TryHackMe "Forensics" Room Cheatsheet

```bash
# Question 1.2 - OS Name
python2 vol.py -f victim.raw imageinfo

# Question 1.3 - PID of SearchIndexer
python2 vol.py -f victim.raw --profile=Win7SP1x64 pslist | grep SearchIndexer

# Question 1.4 - Last directory accessed (shellbags!)
python2 vol.py -f victim.raw --profile=Win7SP1x64 shellbags

# Question 2.1 - Suspicious ports
python2 vol.py -f victim.raw --profile=Win7SP1x64 netscan

# Question 2.2 - Malicious PIDs
python2 vol.py -f victim.raw --profile=Win7SP1x64 malfind

# Question 3.7 - Environmental variable for PID
python2 vol.py -f victim.raw --profile=Win7SP1x64 envars -p 2464
```

### Creating Aliases (Optional)

Add to your `~/.zshrc` (Kali's default shell is zsh) or to `~/.bashrc` if you use bash:

```bash
# Add alias for Volatility2 (write to ~/.bashrc instead if your shell is bash)
echo 'alias vol2="python2 ~/volatility/vol.py"' >> ~/.zshrc
source ~/.zshrc

# Now you can use:
vol2 -f memory.raw imageinfo
vol2 -f memory.raw --profile=Win7SP1x64 shellbags
```

## Troubleshooting

#### Problem: "No module named construct"

**Solution:**

```bash
sudo python2 -m pip install construct==2.5.5-reupload
```

#### Problem: "shellbags plugin not found"

**Solution:**

```bash
# Verify plugin exists
cd ~/volatility
python2 vol.py --info | grep shellbags

# If not found, reinstall Volatility
cd ~
rm -rf volatility
git clone https://github.com/volatilityfoundation/volatility.git
```

#### Problem: "AttributeError: 'module' object has no attribute..."

**Cause:** Wrong construct version (2.9+ instead of 2.5.5)

**Solution:**

```bash
# Uninstall wrong version
sudo python2 -m pip uninstall construct

# Install correct version
sudo python2 -m pip install construct==2.5.5-reupload

# Verify
python2 -c "import construct; print(construct.__version__)"
```

#### Problem: "ImportError: No module named importlib"

**Solution:**

```bash
sudo python2 -m pip install --upgrade setuptools==44.1.1
sudo python2 -m pip install importlib
```

#### Problem: Icons appearing on desktop

**Cause:** Some installers drop `.desktop` launchers or log files on the desktop. Nothing in this guide writes to `~/Desktop`, so look at what appeared (and when) before deleting anything.

**Solution:**

```bash
# Check what files appeared and when
ls -la ~/Desktop/

# Remove only files you have identified as installation artifacts;
# this glob deletes every launcher on the desktop, so narrow it if needed
rm ~/Desktop/*.desktop
```

#### Problem: Permission denied errors

**Solution:** Use `sudo` for system-wide installation:

```bash
sudo python2 -m pip install [package]
```

## Side Notes

#### About /tmp Directory

We use `/tmp` for temporary downloads (like `get-pip.py`) because `/tmp` is cleaned on reboot and it keeps your home directory clean.

It is a reasonable place for installer files, with one caveat: `/tmp` is world-writable, and `get-pip.py` is run as root, so create a private directory with `mktemp -d` rather than a predictable path when other users share the machine, and read the script before running it.

#### Python 2.7 Deprecation

⚠️ **Warning:** Python 2.7 reached end-of-life on January 1, 2020. It is no longer maintained.

Use Python 2.7 ONLY for Volatility2 - for new projects, use Volatility3 with Python 3

{% hint style="info" %}
**Volatility2** is still necessary for some legacy plugins like shellbags, and for solving some older THM rooms or other CTF competitions, so **keep it in your DFIR arsenal!**
{% endhint %}

#### Security Considerations

* Treat every memory image as untrusted input. Volatility parses structures that whatever ran on the imaged host (including malware) was able to shape, so analyze in an isolated VM and never on a production or daily-driver system.
* Memory dumps contain credentials, keys and session tokens in the clear. Store them encrypted and delete them when the case is closed.
* Everything installed here (Python 2.7, pip for 2.7, `pycrypto`) is end-of-life and receives no security fixes. Keep this setup in a disposable analysis VM rather than on a machine you use for anything else.
* `get-pip.py` is downloaded from the internet and executed as root. Fetch it over HTTPS only (as above) and inspect it before running it.

#### Performance Tips

```bash
# Save imageinfo output to avoid repeated scans
python2 vol.py -f memory.raw imageinfo > imageinfo.txt

# Use specific profile instead of imageinfo each time
python2 vol.py -f memory.raw --profile=Win7SP1x64 [plugin]

# Redirect output to file for large results
python2 vol.py -f memory.raw --profile=Win7SP1x64 pslist > processes.txt
```
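The usage examples and the performance tips above describe the same loop: run `imageinfo` once, reuse its profile, and write each plugin's output to a file. The script below does that in one place. It is an added example, not code from the original guide or from the Volatility project; it assumes `vol.py` at `~/volatility/vol.py` (override with `VOL2_PY`), an output directory named after the image, and the `Suggested Profile(s) :` line that Volatility 2's `imageinfo` prints (the sample text in the comments is constructed for illustration).

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): cache imageinfo, pick the first
# suggested profile, run a fixed plugin set with one output file per plugin.
# Assumes vol.py at ~/volatility/vol.py (override with VOL2_PY).
# Usage:  bash vol2_triage.sh victim.raw [output-dir]
set -eu

VOL2_PY="${VOL2_PY:-${HOME:-$PWD}/volatility/vol.py}"

# Read imageinfo text on stdin and print the first suggested profile, e.g.
#   "          Suggested Profile(s) : Win7SP1x64, Win7SP0x64"  ->  Win7SP1x64
# Prints nothing when imageinfo found no profile ("No suggestion ...") or the
# line is absent, so the caller can fall back to setting --profile by hand.
pick_profile() {
    sed -n 's/^[[:space:]]*Suggested Profile(s) : *\([^,[:space:]]*\).*/\1/p' \
        | head -n 1 | grep -vx 'No' || true
}

# Run imageinfo only once per image; later runs reuse the cached text file.
cached_imageinfo() {
    local image="$1"
    local outdir="$2"
    if [ ! -s "$outdir/imageinfo.txt" ]; then
        python2 "$VOL2_PY" -f "$image" imageinfo > "$outdir/imageinfo.txt"
    fi
    cat "$outdir/imageinfo.txt"
}

# Triage pass: one stdout and one stderr file per plugin; a plugin that fails
# is reported but does not abort the rest of the run.
triage() {
    local image="$1"
    local outdir="${2:-$(basename "$1").vol2}"
    local profile plugin
    mkdir -p "$outdir"
    profile="$(cached_imageinfo "$image" "$outdir" | pick_profile)"
    if [ -z "$profile" ]; then
        echo "no usable Suggested Profile(s) line in $outdir/imageinfo.txt; set --profile by hand" >&2
        return 1
    fi
    echo "using profile $profile"
    for plugin in pslist pstree netscan malfind shellbags; do
        if python2 "$VOL2_PY" -f "$image" --profile="$profile" "$plugin" \
                > "$outdir/$plugin.txt" 2> "$outdir/$plugin.err"; then
            echo "$plugin -> $outdir/$plugin.txt"
        else
            echo "$plugin failed, see $outdir/$plugin.err" >&2
        fi
    done
}

if [ $# -ge 1 ]; then
    triage "$@"
fi
```

The first suggested profile is usually the right one, but `imageinfo` lists several candidates; if a plugin returns nothing or garbage, rerun it with the next profile from the cached `imageinfo.txt` rather than rescanning the image.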

### Additional Resources

#### Official Documentation

* [Volatility2 GitHub](https://github.com/volatilityfoundation/volatility)
* [Volatility2 Command Reference](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference)
* [Volatility Foundation](https://www.volatilityfoundation.org/)

#### TryHackMe room:

* <https://tryhackme.com/room/forensics>

#### Alternative Tools

* **Volatility3** - Modern version with Python 3 support
* **RegRipper** - Registry analysis tool (can parse shellbags from exported hives)
* **ShellBagsExplorer** - Eric Zimmerman's GUI tool for shellbags analysis (Windows only)

### Changelog

* **v1.0** (2024) - Initial guide for Kali Linux ARM64
  * Python 2.7 installation via get-pip.py
  * construct 2.5.5 for shellbags compatibility
  * Tested on Apple Silicon (M2/M3) Kali Linux

**Author:** TryHard3r\
**Last Updated:** November 2025\
**Platform:** Kali Linux ARM64 (aarch64)
