ldo-cert / orochi
The Volatility Collaborative GUI
License: MIT License
If some proxy is blocking the git protocol, it is better to use https for git clone of repositories
https://volatility3.readthedocs.io/en/latest/volatility.plugins.timeliner.html?highlight=timeline
from cli sample output:
[
 { "Accessed Date": null, "Changed Date": null, "Created Date": null, "Description": "Process: System (2185005104)", "Modified Date": null, "Plugin": "PsList", "__children": [] },
 { "Accessed Date": null, "Changed Date": null, "Created Date": "2010-10-29T17:08:53", "Description": "Process: smss.exe (2181951520)", "Modified Date": null, "Plugin": "PsList", "__children": [] },
 { "Accessed Date": null, "Changed Date": null, "Created Date": "2010-10-29T17:08:54", "Description": "Process: csrss.exe (2182753696)", "Modified Date": null, "Plugin": "PsList", "__children": [] },
 { "Accessed Date": null, "Changed Date": null, "Created Date": "2010-10-29T17:08:54", "Description": "Process: winlogon.exe (2178569808)", "Modified Date": null, "Plugin": "PsList", "__children": [] },
 {
From the doc: An enumeration.
ACCESSED = 3
CHANGED = 4
CREATED = 1
MODIFIED = 2
So using Elastic would be useful: put all this info using the date and visualize the rows, maybe changing colour depending on the date type:
Example:
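As an added example (not code from the orochi project or from the issue above), here is one way to flatten timeliner rows into one Elasticsearch document per timestamp, tagged with the type number from the enumeration so Kibana can colour by it. The input rows are constructed to match the shape of the cli output quoted above; the field names (@timestamp, date_type, date_type_name) and the index name are assumptions.

```python
import json
from enum import IntEnum


class TimeLinerType(IntEnum):
    """Same numbering as the enumeration quoted from the timeliner docs."""
    CREATED = 1
    MODIFIED = 2
    ACCESSED = 3
    CHANGED = 4


# Timeliner column that carries each kind of timestamp.
COLUMN_FOR_TYPE = {
    TimeLinerType.CREATED: "Created Date",
    TimeLinerType.MODIFIED: "Modified Date",
    TimeLinerType.ACCESSED: "Accessed Date",
    TimeLinerType.CHANGED: "Changed Date",
}

# Constructed input shaped like the cli output above; not a real capture.
SAMPLE_TIMELINER_JSON = json.dumps([
    {"Accessed Date": None, "Changed Date": None, "Created Date": None,
     "Description": "Process: System (2185005104)", "Modified Date": None,
     "Plugin": "PsList", "__children": []},
    {"Accessed Date": None, "Changed Date": None,
     "Created Date": "2010-10-29T17:08:53",
     "Description": "Process: smss.exe (2181951520)", "Modified Date": None,
     "Plugin": "PsList", "__children": []},
    {"Accessed Date": "2010-10-29T17:09:00", "Changed Date": None,
     "Created Date": "2010-10-29T17:08:54",
     "Description": "File: \\Windows\\System32\\example.dll",
     "Modified Date": "2010-10-28T12:00:00", "Plugin": "MFTScan",
     "__children": []},
])


def load_sample():
    """Parse the constructed sample as the cli JSON would be parsed."""
    return json.loads(SAMPLE_TIMELINER_JSON)


def explode_rows(rows, dump_name):
    """Emit one event per non-null timestamp column of each timeliner row.

    Every event carries the timestamp, the TimeLinerType number and name (the
    field to colour by in Kibana), the source plugin and the description.
    Nested "__children" rows are walked too.  Rows with no timestamp at all
    yield nothing but are counted so they are not lost silently.
    Returns (events sorted by time, number of rows skipped).
    """
    events, skipped = [], 0
    pending = list(rows)
    while pending:
        row = pending.pop()
        pending.extend(row.get("__children") or [])
        produced = 0
        for ttype, column in COLUMN_FOR_TYPE.items():
            ts = row.get(column)
            if not ts:
                continue
            events.append({
                "dump": dump_name,
                "@timestamp": ts,
                "date_type": int(ttype),
                "date_type_name": ttype.name,
                "plugin": row.get("Plugin"),
                "description": row.get("Description"),
            })
            produced += 1
        if not produced:
            skipped += 1
    events.sort(key=lambda e: (e["@timestamp"], e["date_type"]))
    return events, skipped


def to_bulk_body(events, index):
    """Serialise events as an Elasticsearch _bulk request body (NDJSON)."""
    lines = []
    for event in events:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(event))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    evs, skipped = explode_rows(load_sample(), "win7_sample")
    print(f"{len(evs)} events, {skipped} rows without any timestamp")
    print(to_bulk_body(evs, "win7_sample_timeliner"), end="")
```

Indexing one document per timestamp (rather than one per row) is what makes a time histogram and a colour-by-type split straightforward in Kibana; rows that carry no timestamp at all are reported separately instead of being dropped.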
don't fire and forget!
Plugin Usage:
At this point, check whether any known malware is on the system; to do so, use ClamAV.
Then calculate the hash of all dumped files and search on VirusTotal.
At the end, from the GUI show the list of dumped files with the details of the scan.
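The three steps above, worked as an added example that is not orochi's own code: hash every dumped file, attach the ClamAV verdict parsed from clamscan's per-file output lines ("path: OK" or "path: Signature FOUND"), and build the VirusTotal link the GUI would show. The dumped files and the clamscan transcript are constructed inside demo(); the VirusTotal URL layout, the field names and the "clean" / "not scanned" markers are assumptions.

```python
import hashlib
import os
import re
import tempfile

# clamscan writes one line per scanned file, "<path>: OK" or
# "<path>: <signature> FOUND", then a "SCAN SUMMARY" block we ignore.
_SCAN_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")

# Assumed URL layout for looking a hash up in the VirusTotal web UI.
VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"


def hash_file(path, chunk_size=1 << 20):
    """md5/sha1/sha256 of a file, read in chunks so large dumps fit in memory."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def parse_clamscan_output(text):
    """Map each scanned path to "clean" or to the matched signature name."""
    verdicts = {}
    for line in text.splitlines():
        match = _SCAN_LINE.match(line)
        if match:
            verdicts[match.group("path")] = match.group("sig") or "clean"
    return verdicts


def build_scan_report(dump_dir, clamscan_text):
    """One row per dumped file: hashes, ClamAV verdict and a VirusTotal link."""
    verdicts = parse_clamscan_output(clamscan_text)
    report = []
    for name in sorted(os.listdir(dump_dir)):
        path = os.path.join(dump_dir, name)
        if not os.path.isfile(path):
            continue
        row = {"file": name, "clamav": verdicts.get(path, "not scanned")}
        row.update(hash_file(path))
        row["vt_url"] = VT_FILE_URL.format(sha256=row["sha256"])
        report.append(row)
    return report


def demo():
    """Constructed run: two fake dumped files and a fake clamscan transcript."""
    with tempfile.TemporaryDirectory() as dump_dir:
        with open(os.path.join(dump_dir, "pid.1234.dmp"), "wb") as fh:
            fh.write(b"abc")
        with open(os.path.join(dump_dir, "pid.5678.dmp"), "wb") as fh:
            fh.write(b"")
        fake_clamscan = (
            f"{os.path.join(dump_dir, 'pid.1234.dmp')}: Win.Malware.Example-1 FOUND\n"
            f"{os.path.join(dump_dir, 'pid.5678.dmp')}: OK\n"
            "\n----------- SCAN SUMMARY -----------\n"
            "Infected files: 1\n"
        )
        return build_scan_report(dump_dir, fake_clamscan)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Hashing in chunks matters because dumped files from a large memory image can be big; the sha256 is the one to use for the VirusTotal lookup, and a file that ClamAV never reported on is marked explicitly rather than being shown as clean.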
django.db.utils.ProgrammingError: relation "users_user" does not exist
LINE 1: ...ers_user"."date_joined", "users_user"."name" FROM "users_use...
^
If it's running there is no restart button; at the moment you must ask to change the status in admin.
volatilityfoundation/volatility3#319
Done with eb065aa
Hey, I've followed the steps listed under the installation process, and when I ran "docker-compose up" everything worked fine other than the Django docker. It exited immediately.
I ran "docker logs orochi_django" to check why it might have exited, and I saw this:
Can you help me understand why it happened and fix this issue?
Now:
from cli run registry.hivelist
from cli run registry.hivedump
run registry explorer (https://f001.backblazeb2.com/file/EricZimmermanTools/RegistryExplorer_RECmd.zip) and open hive
We can evaluate regipy (https://pypi.org/project/regipy/) or python-registry (https://github.com/williballenthin/python-registry) and see if they are able to parse all hives dumped with hivedump and put the results (json) on ES.
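Whichever hive library is picked, a cheap check worth doing before parsing is to validate the base block of each file written by hivedump, since a hive carved from memory can be truncated or dirty. The following is an added example, not orochi, regipy or python-registry code: it checks the 'regf' signature and the header checksum, reads the header fields into a JSON-ready dict of the kind one would push to ES, and reports whether the primary and secondary sequence numbers agree (they differ while a write is in progress). The header produced by build_test_hive is constructed for the demo and is not a real registry file; the output field names are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096          # size of the REGF base block (file header)
_WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO-8601."""
    return (_WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)).isoformat()


def regf_checksum(base_block):
    """XOR of the 127 DWORDs in bytes 0..507, with the two special-cased results."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if csum == 0:
        return 1
    return csum


def parse_regf_header(data):
    """Validate a hive's base block and return its fields as a JSON-ready dict.

    ValueError is raised for a short file, a bad signature or a checksum
    mismatch: exactly the cases where a truncated or corrupt hivedump output
    should be flagged instead of being handed to a full hive parser.
    """
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("file shorter than the 4096-byte base block")
    if data[:4] != b"regf":
        raise ValueError("missing 'regf' signature")
    stored = struct.unpack_from("<I", data, 508)[0]
    computed = regf_checksum(data)
    if stored != computed:
        raise ValueError(f"base block checksum mismatch: {stored:#x} != {computed:#x}")
    (seq1, seq2, last_written, major, minor, file_type, file_format,
     root_offset, hbins_size, cluster) = struct.unpack_from("<IIQ" + "I" * 7, data, 4)
    name = data[48:112].decode("utf-16-le", errors="replace").rstrip("\x00")
    return {
        "hive_name": name,
        "primary_sequence": seq1,
        "secondary_sequence": seq2,
        # equal sequence numbers mean the hive was not mid-write when captured
        "sequence_consistent": seq1 == seq2,
        "last_written": filetime_to_iso(last_written),
        "version": f"{major}.{minor}",
        "file_type": file_type,            # 0 = primary file
        "file_format": file_format,
        "root_cell_offset": root_offset,   # relative to the first hbin at 0x1000
        "hbins_data_size": hbins_size,
        "clustering_factor": cluster,
    }


def base_block_is_valid(data):
    """True when parse_regf_header accepts the data, False otherwise."""
    try:
        parse_regf_header(data)
    except ValueError:
        return False
    return True


def build_test_hive(name="\\Windows\\System32\\config\\SYSTEM"):
    """Constructed, minimal base block for offline testing; not a real hive."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = b"regf"
    last_written = 132000000000000000          # arbitrary FILETIME in 2019
    struct.pack_into("<IIQ" + "I" * 7, block, 4,
                     7, 7, last_written, 1, 5, 0, 1, 0x20, 0x1000, 1)
    block[48:112] = name.encode("utf-16-le")[:64].ljust(64, b"\x00")
    struct.pack_into("<I", block, 508, regf_checksum(block))
    return bytes(block)


if __name__ == "__main__":
    import json
    print(json.dumps(parse_regf_header(build_test_hive()), indent=2))
```

A hive whose base block fails this check, or whose sequence numbers disagree, is still worth keeping, but the dict makes that state visible in ES next to the parsed keys instead of surfacing later as an opaque exception from the hive parser.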
TODO LIST:
If the admin doesn't set the 'dump' value for plugins that support it, users running those plugins receive a 'dump' error and have to run them again (selecting the dump checkbox or not).
In resubmit you can specify parameter in json eg:
{"dump": true}
In the GUI, custom file fields are added for file-related parameters, but this is not yet possible via the API.
Hi!
I have uploaded the dump and created the index. All good so far. Then I want to run some of the plugins. None of them return any data. When looking at the output I see two buttons at the top right, one indicating a rehash/refresh (yellow reload) and the other a red one (btn btn-sm btn-outline-danger btn-log), and when clicking that I only get the text: "Windows kernel symbols" in red. I guess this means that there's something wrong with the Windows kernel symbols (maybe create a more informative error message...?). I ran symbols_sync after installation:
Starting orochi_postgres ...
Starting orochi_mailhog ... done
PostgreSQL is available
/usr/local/lib/python3.8/site-packages/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (1.26.0) or chardet (3.0.4) doesn't match a supported version!
warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
Local hash: None
Remote hash: {'windows.zip': '7ae5225fa542d043af31fb3b9f5863de', 'mac.zip': '8b111c0ea5a1dd9309cf7e79ec2c6816', 'linux.zip': '029662b9e190e8d72b7b09da19015808'}
Hashes for windows.zip are different - downloading
Removing path /src/volatility/volatility/symbols/windows.
Starting download of zip symbols windows.zip.
Download of zip symbols completed for windows.zip.
Hashes for mac.zip are different - downloading
Removing path /src/volatility/volatility/symbols/mac.
Starting download of zip symbols mac.zip.
Download of zip symbols completed for mac.zip.
Hashes for linux.zip are different - downloading
Removing path /src/volatility/volatility/symbols/linux.
Starting download of zip symbols linux.zip.
Download of zip symbols completed for linux.zip.
Updating local hashes
Clearing cache
And if I run it now:
$ docker-compose run --rm django python manage.py symbols_sync
Starting orochi_mailhog ... done
Starting orochi_postgres ... done
PostgreSQL is available
/usr/local/lib/python3.8/site-packages/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (1.26.0) or chardet (3.0.4) doesn't match a supported version!
warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
Local hash: {'windows.zip': '7ae5225fa542d043af31fb3b9f5863de', 'mac.zip': '8b111c0ea5a1dd9309cf7e79ec2c6816', 'linux.zip': '029662b9e190e8d72b7b09da19015808'}
Remote hash: {'windows.zip': '7ae5225fa542d043af31fb3b9f5863de', 'mac.zip': '8b111c0ea5a1dd9309cf7e79ec2c6816', 'linux.zip': '029662b9e190e8d72b7b09da19015808'}
Hashes for windows.zip are equal - skipping
Hashes for mac.zip are equal - skipping
Hashes for linux.zip are equal - skipping
When looking at the output from the different workers I can see quite a lot of these warning messages:
worker01_1 | WARNING 2020-11-11 08:26:06,107 __init__ 367 139935630337792 Automagic exception occurred: TypeError: super() argument 1 must be type, not Enumeration
In order not to set the proxy manually in every Dockerfile
Regarding volatility symbols, 2 possibilities:
This is to avoid downloading symbols every time the docker images are built, and save time.
In order to avoid the plugins_sync every time a user is created
Manage zipped dumps to speed up the upload process.
As we did for Windows #30, we need to do similar for Linux and Mac, when the plugins support dumping of files.
We need to decide what to support and then check that it is working properly.
done with 98a8815
If the kernel version returned by the banner plugin for linux/mac doesn't match the kernels contained in the symbols, try to download the kernel source and create the correct symbol
Tried all AMF_MemorySamples\mac but no results
Some inputs are considered as integers but they are too big to be an int.
Since I don't specify the index structure I need to find a way to manage this.
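One way to handle this before indexing, as an added example rather than orochi code: walk each plugin result and convert any integer outside Elasticsearch's signed 64-bit long range (what dynamic mapping assigns to the first integer it sees in a field) into its decimal string, recording which fields were rewritten. The sample row and the field names are constructed.

```python
ES_LONG_MIN = -(2 ** 63)
ES_LONG_MAX = 2 ** 63 - 1


def sanitize_for_es(value, path="$"):
    """Return (copy of value, list of paths rewritten).

    Integers outside the Elasticsearch `long` range become decimal strings so
    the document still indexes under a dynamic mapping; the exact value is kept
    and remains searchable as a keyword.  Lists and dicts (including the
    "__children" nesting volatility produces) are walked recursively.
    """
    if isinstance(value, bool):            # bool is an int subclass; leave it alone
        return value, []
    if isinstance(value, int):
        if ES_LONG_MIN <= value <= ES_LONG_MAX:
            return value, []
        return str(value), [path]
    if isinstance(value, list):
        out, changed = [], []
        for i, item in enumerate(value):
            new, paths = sanitize_for_es(item, f"{path}[{i}]")
            out.append(new)
            changed.extend(paths)
        return out, changed
    if isinstance(value, dict):
        out, changed = {}, []
        for key, item in value.items():
            new, paths = sanitize_for_es(item, f"{path}.{key}")
            out[key] = new
            changed.extend(paths)
        return out, changed
    return value, []


# Constructed row in the shape of a volatility plugin result (not real output).
SAMPLE_ROW = {
    "PID": 4,
    "Offset": 2 ** 64 + 5,                 # does not fit a signed 64-bit long
    "Name": "System",
    "Active": True,
    "__children": [{"Value": -(2 ** 63) - 1, "Note": None}],
}


def demo():
    """Sanitize the constructed row; returns (clean row, rewritten paths)."""
    return sanitize_for_es(SAMPLE_ROW)


if __name__ == "__main__":
    clean, changed = demo()
    print(clean)
    print("rewritten:", changed)
```

Recording the rewritten paths is the useful part: it tells you which plugin columns need an explicit mapping (for example keyword or unsigned_long) instead of being left to dynamic typing.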
In order to easily deploy the application on existing dask nodes it would be useful to provide an env with all required files and libs.
Add the possibility to bookmark rows, also adding a comment.
So the analyst loads dump(s), runs plugins, does some searches, then saves a view with the interesting rows.
scheduler_1 | distributed.scheduler - INFO - Receive client connection: Client-021de394-aeee-11ea-803a-0242ac12000a
scheduler_1 | distributed.core - INFO - Starting established connection
django | DEBUG 2020-06-15 09:53:04,931 client 58 139970993960704 Started scheduling coroutines. Synchronized
django | DEBUG 2020-06-15 09:53:04,932 client 58 139972761442048 Submit unzip_then_run(...), unzip_then_run-f79d3136cecb2d2f1b6997f6894743fd
django | DEBUG 2020-06-15 09:53:04,935 client 58 139970993960704 Release key unzip_then_run-f79d3136cecb2d2f1b6997f6894743fd
worker02_1 | DEBUG 2020-06-15 09:53:04,937 worker 45 139629552719680 Execute key: unzip_then_run-f79d3136cecb2d2f1b6997f6894743fd worker: tcp://172.18.0.4:32847
postgres | 2020-06-15 09:53:04.942 UTC [183] ERROR: insert or update on table "website_result" violates foreign key constraint "website_result_dump_id_e0d4660f_fk_website_dump_id"
postgres | 2020-06-15 09:53:04.942 UTC [183] DETAIL: Key (dump_id)=(5) is not present in table "website_dump".
postgres | 2020-06-15 09:53:04.942 UTC [183] STATEMENT: INSERT INTO "website_result" ("dump_id", "plugin_id", "result", "description") VALUES (5, 42, 0, NULL) RETURNING "website_result"."id"
worker02_1 | WARNING 2020-06-15 09:53:04,944 worker 45 139629552719680 Compute Failed
worker02_1 | Function: unzip_then_run
worker02_1 | args: (<Dump: linux_amf_6>, 'http://es01:9200')
worker02_1 | kwargs: {}
worker02_1 | Exception: IntegrityError('insert or update on table "website_result" violates foreign key constraint "website_result_dump_id_e0d4660f_fk_website_dump_id"\nDETAIL: Key (dump_id)=(5) is not present in table "website_dump".\n')
worker02_1 |
worker02_1 | DEBUG 2020-06-15 09:53:04,944 worker 45 139629552719680 Send compute response to scheduler: unzip_then_run-f79d3136cecb2d2f1b6997f6894743fd, {'status': 'error', 'exception': <Serialize: insert or update on table "website_result" violates foreign key constraint "website_result_dump_id_e0d4660f_fk_website_dump_id"
worker02_1 | DETAIL: Key (dump_id)=(5) is not present in table "website_dump".
worker02_1 | >, 'traceback': <Serialize: <traceback object at 0x7efdf8fcb140>>, 'text': 'insert or update on table "website_result" violates foreign key constraint "website_result_dump_id_e0d4660f_fk_website_dump_id"\nDETAIL: Key (dump_id)=(5) is not present in table "website_dump".\n', 'op': 'task-erred', 'start': 1592214784.9397027, 'stop': 1592214784.945018, 'thread': 139629080340224, 'key': 'unzip_then_run-f79d3136cecb2d2f1b6997f6894743fd'}
django | DEBUG 2020-06-15 09:53:04,951 client 58 139970993960704 Client receives message {'op': 'task-erred', 'key': 'unzip_then_run-f79d3136cecb2d2f1b6997f6894743fd', 'exception': IntegrityError('insert or update on table "website_result" violates foreign key constraint "website_result_dump_id_e0d4660f_fk_website_dump_id"\nDETAIL: Key (dump_id)=(5) is not present in table "website_dump".\n'), 'traceback': <traceback object at 0x7f4d9b311700>}
worker02_1 | DEBUG 2020-06-15 09:53:04,985 worker 54 140206128805696 future state: run_plugin-9e750d06fcdb69f72aaa729bb865c898 - RUNNING