lmwashere/Volatility3_Docker_Builder

Volatility3 Docker Builder

A single script that builds a fully portable Volatility3 memory forensics environment in Docker. The output is a self-contained folder you can copy to any machine running Docker — Linux, Mac, or Windows.

What it does

  1. Installs Docker if not already present (Fedora and Ubuntu supported)
  2. Clones the latest Volatility3 from GitHub and installs it with all optional dependencies (pycryptodome, capstone, yara-python, etc.)
  3. Pulls community plugins from volatilityfoundation/community3, validates them for compatibility, and merges them into the plugin directory
  4. Builds a multi-stage Docker image — final layer is a lean runtime with no build tools
  5. Exports the image as a .tar file for easy transfer
  6. Writes run wrapper scripts for Linux/Mac (vol3) and Windows (vol3.ps1)

Everything lands in a Volatility3/ folder next to the script:

Volatility3/
  volatility3.tar     — portable Docker image (load with: docker load -i volatility3.tar)
  vol3                — run wrapper for Linux/Mac
  vol3.ps1            — run wrapper for Windows (PowerShell)
  symbols/            — symbol cache, persists across runs
    windows/
    linux/
    mac/
  Dockerfile          — build source

Requirements

  • Fedora 40+ or Ubuntu 22.04+ (for the build machine)
  • Docker (installed automatically if missing)
  • Any machine with Docker to run the exported image on

Usage

bash setup_volatility3_docker.sh

Options

  Flag                    Description
  --bake-linux-symbols    Download Linux symbol pack into image at build time (~300 MB)
  --bake-mac-symbols      Download Mac symbol pack into image at build time (~300 MB)
  --no-community          Skip community plugins
  --image-name NAME       Docker image name (default: volatility3)
  --image-tag TAG         Docker image tag (default: latest)

Running

Linux / Mac

./Volatility3/vol3 -f /path/to/dump.mem windows.info
./Volatility3/vol3 -f /path/to/dump.mem windows.pslist
./Volatility3/vol3 -f /path/to/dump.mem linux.bash
./Volatility3/vol3 --help

Windows (PowerShell)

.\Volatility3\vol3.ps1 -f C:\path\to\dump.mem windows.info
.\Volatility3\vol3.ps1 -f C:\path\to\dump.mem windows.pslist
.\Volatility3\vol3.ps1 --help

If PowerShell blocks the script, run once:

Set-ExecutionPolicy -Scope CurrentUser RemoteSigned

The wrappers automatically:

  • Load the image from volatility3.tar if it isn't already loaded in Docker
  • Mount the directory containing your memory image at /memory
  • Mount the local symbols/ cache at /symbols
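A minimal run wrapper that does these three things, written here as an added example in POSIX sh rather than taken from the project's own vol3 script. The image name volatility3:latest, the volatility3.tar and symbols/ paths and the /memory and /symbols mount points are assumptions taken from the folder layout above; VOL3_HOME, VOL3_IMAGE and VOL3_DRY_RUN are hypothetical knobs of this example only.

```shell
#!/bin/sh
# Hypothetical vol3 wrapper (added example, not the project's script). It loads
# the image from the tarball on first use, mounts the dump's directory at
# /memory and the local symbols/ cache at /symbols, as the README describes.
set -eu

IMAGE="${VOL3_IMAGE:-volatility3:latest}"
HERE="${VOL3_HOME:-$(cd "$(dirname "$0")" && pwd)}"
TARBALL="$HERE/volatility3.tar"
SYMBOLS="$HERE/symbols"

# Load the image from the tarball only if Docker does not already have it.
ensure_image() {
    docker image inspect "$IMAGE" >/dev/null 2>&1 && return 0
    [ -f "$TARBALL" ] || { echo "vol3: $TARBALL not found" >&2; return 1; }
    docker load -i "$TARBALL"
}

# Rotate through the arguments: the host path after -f becomes
# /memory/<basename> and its directory is remembered in MEMDIR; everything
# else (plugin name, plugin options, --help) passes through unchanged.
# VOL3_DRY_RUN=1 prints the docker command instead of running it.
vol3_main() {
    MEMDIR=""; want_path=0; n=$#
    while [ "$n" -gt 0 ]; do
        arg=$1; shift; n=$((n - 1))
        if [ "$want_path" -eq 1 ]; then
            [ -f "$arg" ] || { echo "vol3: image $arg not found" >&2; return 1; }
            MEMDIR=$(cd "$(dirname "$arg")" && pwd)
            arg="/memory/$(basename "$arg")"
            want_path=0
        elif [ "$arg" = "-f" ]; then
            want_path=1
        fi
        set -- "$@" "$arg"
    done
    # Evidence is mounted read-only so the container cannot modify the dump;
    # symbols/ stays writable so fetched ISF files persist across runs.
    set -- "$IMAGE" "$@"
    if [ -n "$MEMDIR" ]; then set -- -v "$MEMDIR:/memory:ro" "$@"; fi
    set -- docker run --rm -v "$SYMBOLS:/symbols" "$@"
    if [ "${VOL3_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; return 0; fi
    ensure_image
    exec "$@"
}

if [ $# -eq 0 ]; then echo "usage: vol3 [-f /path/to/dump.mem] <plugin> [options]" >&2; else vol3_main "$@"; fi
```

Copy it next to volatility3.tar and symbols/ to try it; the dump directory is mounted read-only so a plugin cannot write to the evidence.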

Transferring to another machine

  1. Copy the Volatility3/ folder to the target machine
  2. Run vol3 (or vol3.ps1) — it loads the image from the tarball automatically on first use

Or load manually:

docker load -i Volatility3/volatility3.tar

Symbol tables

Volatility3 requires OS-specific symbol tables (ISF files) to parse memory structures.

  OS        How symbols are obtained
  Windows   Fetched automatically from Microsoft's PDB server on first use, cached in symbols/windows/
  Linux     Download packs from volatilityfoundation.org or generate with dwarf2json. Use --bake-linux-symbols to include at build time.
  Mac       Same as Linux. Use --bake-mac-symbols to include at build time.

To add symbols manually, drop .json or .json.xz ISF files into the appropriate subdirectory:

cp my-kernel.json.xz Volatility3/symbols/linux/

Symbol files accumulate in symbols/ across runs and survive image rebuilds.
