I added the Volatility Python module in Home/.autopsy/dev/python_modules/Volatility/Volatility.py; I can see the .autopsy hidden folder in Nautilus, but in autopsy-4.17.0 I am unable to set the path to Volatility.py. I have tried manually setting the path to:
.autopsy/dev/python_modules/Volatility/Volatility.py, but I get the error:
Have you checked out the Autopsy logs to see where it’s failing? Also, when you put Volatility.py in your path, can you confirm that you put it in ‘/home/<your_username>/.autopsy/dev/python_modules/Volatility/Volatility.py’ as I don’t see you specifying your username in the path. In theory ‘~/.autopsy’ should work but I’ve always specified the full path in this case.
Thank you for your response. Good point about not having a username in the path, I thought I tried it; maybe not. I did not check the log yet, but I will 01Nov21 am when I am on my Linux PC. Since this is likely a typo error, I didn’t think it would get that far.
Also, when I tried the browse icon to connect to Volatility.py, I cannot see the .autopsy directory. Could this be a permissions issue?
What options are you specifying on the options panel for the plugin?
When I open the .autopsy plugins on Ubuntu 20.04, I see it added to the root profile; not my profile. I can see the .autopsy with an elevated Nautilus, but when I use the “Volatility Executable Directory” browse button, all I can see is the snap directory.
I copied the .autopsy with the elevated Nautilus to my /home/MyUserName folder, closed Autopsy, reopened the case, but I get the same error.
Using only the “Volatility Dump File Module” with default option, I still cannot see the .autopsy directory that I copied and I get the same error typing the path "/home/MyUserName/.autopsy/dev/python_modules/Volatility/Volatility.py".
I can now see the .autopsy directory in my /home/MyUserName directory after using “sudo su” and chmod 777 (and 757) with a non-elevated Nautilus, but I cannot remove the lock from the dev directory. After rebooting, I can still see the .autopsy directory and subdirectories with a non-elevated Nautilus, but the Autopsy-4.17.0 browse button does not see it and I still cannot remove the lock from the dev directory.
In the “Volatility Executable Directory” using the browse button, under Root, in the “File Name” search box, if I type “autopsy” I can navigate to “Volatility.py”, but I get the same error using the “Volatility Dump File Module”, the “Volatility Convert Hiber/Crash Module” or the “Volatility Module”. I am using default settings.
Traceback (most recent call last):
  File "/root/.autopsy/dev/python_modules/Volatility/Volatility.py", line 156, in startUp
    Plugins = Plugins.replace("[", "")
AttributeError: 'NoneType' object has no attribute 'replace'
After copying the contents from Home/.autopsy/dev/python_modules/Volatility and copying them to Autopsy 4.17.0 Python Plugins under Tools (root), I got “Volatility Convert Hiber/Crash Module” and “Volatility Module” to run without error and flag completed. I made many attempts to type the full path and navigate the path as root and MyUserName profiles; I am not sure what fixed the two.
I am still unable to set the “Volatility Dump File” Module without getting “Error: Volatility Dump File Module: null”. I have tried both full paths for root and "/Home/MyUserProfile/.autopsy/dev/python_modules/Volatility/Volatility_Dump.py".
No more error messages. I set path to: /home/MyUserProfile/Volatility3/vol.py
Instead of: /Home/MyUserProfile/.autopsy/dev/python_modules/Volatility/Volatility_Dump.py