Volatility2 Installation Guide for Kali Linux (ARM64) 2025

Full walkthrough how to install Volatility2 on Kali Linux in 2025

Overview

This guide provides step-by-step instructions for installing Volatility2 with functional shellbags plugin on Kali Linux ARM64 architecture (Apple Silicon M2/M3 or other ARM-based systems).

Tested on:

• Kali Linux ARM64 (2025.x+)

• Python 2.7.18

• Architecture: aarch64

Table of Contents

1. Prerequisites

2. Installation Steps

3. Verification

4. Usage Examples

5. Troubleshooting

6. Important Notes

Prerequisites

Required System Packages

sudo apt update
sudo apt install -y python2 python2-dev git build-essential wget

Why These Packages?

• python2 - Volatility2 requires Python 2.7 (deprecated but necessary)

• python2-dev - Development headers for compiling Python modules

• git - For cloning Volatility2 repository

• build-essential - Compiler tools (gcc, make, etc.)

• wget - For downloading pip installer

Installation Steps

Step 1: Install pip for Python 2.7

Since pip2 is no longer available in Kali's repositories, install it manually:

# Navigate to temporary directory
cd /tmp

# Download pip installer for Python 2.7
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py

# Install pip (ignore deprecation warnings)
sudo python2 get-pip.py

Step 2: Fix setuptools and Install Dependencies

The key to making shellbags work is installing the correct versions of dependencies:

# Upgrade setuptools to compatible version
sudo python2 -m pip install --upgrade setuptools==44.1.1

# Install importlib (required for newer packages)
sudo python2 -m pip install importlib

# Install six (required by construct)
sudo python2 -m pip install six

# Install construct 2.5.5 (CRITICAL for shellbags to work)
sudo python2 -m pip install construct==2.5.5-reupload

⚠️ IMPORTANT: shellbags plugin REQUIRES construct==2.5.5. Newer versions (2.9+) are NOT compatible!

Step 3: Install Additional Dependencies

# Install distorm3 (for disassembly)
sudo python2 -m pip install distorm3

# Install pycrypto (for cryptographic functions)
sudo python2 -m pip install pycrypto

Note: Some packages like pycryptodome, yara-python, pillow, openpyxl, and ujson may fail on Python 2.7 ARM64. They are optional and not required for shellbags functionality.

Step 4: Clone and Install Volatility2

# Navigate to home directory
cd ~

# Clone Volatility2 repository
git clone https://github.com/volatilityfoundation/volatility.git

# Navigate to volatility directory
cd volatility

# Run Volatility2 directly (no installation needed)
python2 vol.py -h

Verification

Test Basic Functionality

cd ~/volatility

# Check version
python2 vol.py --version

# List available plugins
python2 vol.py --info | head -20

# Verify shellbags plugin exists
python2 vol.py --info | grep shellbags

Expected output for shellbags:

shellbags     Prints ShellBags info

Test with Memory Dump

# Test with a memory dump file
python2 vol.py -f /path/to/memory.raw imageinfo

# Test shellbags plugin
python2 vol.py -f /path/to/memory.raw --profile=Win7SP1x64 shellbags

Usage Examples

Basic Commands

Based on file victim.raw from THM Room Forensics

# Navigate to Volatility directory
cd ~/volatility

# Get image information
python2 vol.py -f victim.raw imageinfo

# List processes
python2 vol.py -f victim.raw --profile=Win7SP1x64 pslist

# Extract shellbags (folder access history)
python2 vol.py -f victim.raw --profile=Win7SP1x64 shellbags

# Save output to file
python2 vol.py -f victim.raw --profile=Win7SP1x64 shellbags > shellbags_output.txt

# Network connections
python2 vol.py -f victim.raw --profile=Win7SP1x64 netscan

# Malware detection
python2 vol.py -f victim.raw --profile=Win7SP1x64 malfind

# Environment variables for specific PID
python2 vol.py -f victim.raw --profile=Win7SP1x64 envars -p 1234

TryHackMe "Forensics" Room Cheatsheet

# Question 1.2 - OS Name
python2 vol.py -f victim.raw imageinfo

# Question 1.3 - PID of SearchIndexer
python2 vol.py -f victim.raw --profile=Win7SP1x64 pslist | grep SearchIndexer

# Question 1.4 - Last directory accessed (shellbags!)
python2 vol.py -f victim.raw --profile=Win7SP1x64 shellbags

# Question 2.1 - Suspicious ports
python2 vol.py -f victim.raw --profile=Win7SP1x64 netscan

# Question 2.2 - Malicious PIDs
python2 vol.py -f victim.raw --profile=Win7SP1x64 malfind

# Question 3.7 - Environmental variable for PID
python2 vol.py -f victim.raw --profile=Win7SP1x64 envars -p 2464

Creating Aliases (Optional)

Add to your ~/.zshrc or ~/.bashrc:

# Add alias for Volatility2
echo 'alias vol2="python2 ~/volatility/vol.py"' >> ~/.zshrc
source ~/.zshrc

# Now you can use:
vol2 -f memory.raw imageinfo
vol2 -f memory.raw --profile=Win7SP1x64 shellbags

Troubleshooting

Problem: "No module named construct"

Solution:

sudo python2 -m pip install construct==2.5.5-reupload

Problem: "shellbags plugin not found"

Solution:

# Verify plugin exists
cd ~/volatility
python2 vol.py --info | grep shellbags

# If not found, reinstall Volatility
cd ~
rm -rf volatility
git clone https://github.com/volatilityfoundation/volatility.git

Problem: "AttributeError: 'module' object has no attribute..."

Cause: Wrong construct version (2.9+ instead of 2.5.5)

Solution:

# Uninstall wrong version
sudo python2 -m pip uninstall construct

# Install correct version
sudo python2 -m pip install construct==2.5.5-reupload

# Verify
python2 -c "import construct; print(construct.__version__)"

Problem: "ImportError: No module named importlib"

Solution:

sudo python2 -m pip install --upgrade setuptools==44.1.1
sudo python2 -m pip install importlib

Problem: Icons appearing on desktop

Cause: Installation process may create .desktop files or logs

Solution:

# Check what files appeared
ls -la ~/Desktop/

# Remove unwanted files (if they are installation artifacts)
rm ~/Desktop/*.desktop
# or remove specific files

Problem: Permission denied errors

Solution: Use sudo for system-wide installation:

sudo python2 -m pip install [package]

Side Notes

About /tmp Directory

We use /tmp for temporary downloads (like get-pip.py) beacuse /tmp is cleaned on system reboot and keeps your home directory clean

It's best practice for installer files.

Python 2.7 Deprecation

⚠️ Warning: Python 2.7 reached end-of-life on January 1, 2020. It is no longer maintained.

Use Python 2.7 ONLY for Volatility2 - for new projects, use Volatility3 with Python 3

Volatility2 is still necessary for some legacy plugins like shellbags or to solve some older THM rooms or other CTF's competitions so keep it in your DFIR arsenal!

Security Considerations

• Only analyze memory dumps from trusted sources

• Memory dumps may contain sensitive data (passwords, keys)

• Use isolated VM for malware analysis

• Never run Volatility2 on production systems

Performance Tips

# Save imageinfo output to avoid repeated scans
python2 vol.py -f memory.raw imageinfo > imageinfo.txt

# Use specific profile instead of imageinfo each time
python2 vol.py -f memory.raw --profile=Win7SP1x64 [plugin]

# Redirect output to file for large results
python2 vol.py -f memory.raw --profile=Win7SP1x64 pslist > processes.txt

Additional Resources

Official Documentation

• Volatility2 GitHub

• Volatility2 Command Reference

• Volatility Foundation

TryHackMe room:

• https://tryhackme.com/room/forensics

Alternative Tools

• Volatility3 - Modern version with Python 3 support

• RegRipper - Registry analysis tool (can parse shellbags from exported hives)

• ShellBagsExplorer - Eric Zimmerman's GUI tool for shellbags analysis (Windows only)

Changelog

• v1.0 (2024) - Initial guide for Kali Linux ARM64

  • Python 2.7 installation via get-pip.py

  • construct 2.5.5 for shellbags compatibility

  • Tested on Apple Silicon (M2/M3) Kali Linux

Author: TryHard3r Last Updated: November 2025 Platform: Kali Linux ARM64 (aarch64)