Question: Recently, I was installing Linux Memory Extractor (LiME) to acquire memory dump on CentOS virtual machine, including the Volatile memory. Once I have the dump, it can be analyzed using Volatility software to investigate volatile memory for a forensic operation. Unfortunately, the installation failed with an error message as ‘Importerror: No module named Crypto.Hash‘. I guess, it’s something to do with Cryptographic library, but not sure which library or package should be installed. Any suggestion or a help would be appreciated.
The below is the complete error message :
*** Failed to import volatility.plugins.malware.svcscan (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.lsadump (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.shellbags (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.registryapi (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.evtlogs (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.registry.shimcache (ImportError: No module named Crypto.Hash) *** Failed to import volatility.plugins.timeliner (ImportError: No module named Crypto.Hash)
Answer:
Your guess was right! The program is looking for PyCrypto module – a library that is used by some of the registry plugins like lsadump. You will see this error message when using any of the plugins, however. If you are not using lsadump, hashdump or any other registry plugin that uses PyCrypto, then you can safely ignore the error message. Otherwise, install PyCrypto and the message will disappear.
You can find the binaries of PyCrypto here. But these binaries are mostly for windows. If you are using Linux, then you can install PyCrypto using PIP (Package Management system to install and manage software packages written in Python). Learn how to Install Python PIP.
Run the below command to install PyCrypto using PIP.
[root@openstack volatility-2.4]# pip install pycrypto
Collecting pycrypto
/usr/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Using cached pycrypto-2.6.1.tar.gz
Building wheels for collected packages: pycrypto
Running setup.py bdist_wheel for pycrypto
Complete output from command /usr/bin/python -c "import setuptools;__file__='/tmp/pip-build-kCt2lm/pycrypto/setup.py';exec(compile(open(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" bdist_wheel -d /tmp/tmpYSKGXJpip-wheel-:
usage: -c [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
or: -c --help [cmd1 cmd2 ...]
or: -c --help-commands
or: -c cmd --help
error: invalid command 'bdist_wheel'
----------------------------------------
Failed building wheel for pycrypto
Failed to build pycrypto
Installing collected packages: pycrypto
Running setup.py install for pycrypto
Successfully installed pycrypto-2.6.1
Now you have successfully installed PyCrypto Library. Volatility software running should work as well.