- Table of Contents
- Concepts
- Login
- Plugins
- Upload Dump
- Executing Plugins
- Searching
- Comparing plugin results
- Sharing Dumps
- Bookmarks
- Export to MISP
- Deleting Dumps
- YARA
- HEX Viewer
- OROCHI Stats
Orochi is built on django framework and provides a collaborative GUI to Volatility framework. Orochi uses DASK to distribute loads between different machines.
The GUI is available on port 8000, so if you are running dockers locally: http://127.0.0.1:8000
Use sign-up page to register your user and confirm email address through MailHog platform.
Each user can choose which plugins will be executed automatically after uploading a memory dump. If none is selected, user will be able to choose and run any plugin after upload memory dump.
To upload a memory dump just click + button near DUMPS, choose file, set name and operative system about dump. Wait until dump is loaded and then press create index. It is possible to choose the color in order to easily distinguish multiple dumps.
To speed up the upload, both raw and zipped dumps are supported. Password protected zip files are supported as well.
VmWare Snapshots are also supported, when needed both vmem and vmss, just upload zip file containing both.
Large memory dumps can be placed manually in /media/uploads folder and then loaded in he system through API
or also via management command
When upload is completed it is possible to view the details of dump by pressing "i" button close to the memory dump name.
Useful data shown of the uploaded file are md5, sha256, size, filepath where it is stored and the index name in ElasticSearch.
A list of plugins will be shown after selecting the dump, then it is possible to selecting single plugin and:
- see the result of plugin if it was set to be run automatically
- run the plugin if it was not set to be run automatically
- re-run the plugin if need to pass some additional parameter (like dump flag, or string file)
A websocket is used to send notifications about plugins execution status
If the plugin ends with an error, a log button will be shown with the relative error.
Plugins will run simultaneously on Dask workers. By default docker-compose will create for you 2 different worker on the same machine, just to show how to scale. In case you have different machines, you can run workers there and connect to scheduler on main machine.
It is possible to perform a full text search through plugin result thanks to DataTable. The search works also through multiple dumps, if selected.
When 2 dumps are selected it is possible to chose a plugin (that was run on both dumps) and visualize simultaneously the results. In this case the color chosen during upload of dump is useful to identify different dumps. There is also a function that performs json diff.
It is possible to share dumps and results between users. This function is present under edit dump. User that uploads the dump is the owner of dump; when dump is shared, other user can see dump, see plugin results, run/rerun plugins, but cannot delete dump.
It is possible to bookmark the result of current view, so when find something interesting you can filter out and then add to bookmarks
After press the bookmark button it is possible to set a name for the bookmark, choose an icon picked from MTG sets and star it if want this bookmark appear in starred menu.
Then is possible go to bookmarks from admin button and if bookmark is starred it is shown directly in the menu.
Otherwise opening bookmark the menu will show all bookmarks. The bookmark can be a query against multiple dumps.
It is possible to export single items to MISP.
A preview window will be shown.
This is the result in MISP: files and AV signatures will be created as objects connected with a relation.
Deleting dump function will delete dump and all results of plugins.
Orochi provides a dedicated section to manage YARA rules that Volatility plugin will use.
Through this page is possible to view all rules previously imported and enabled by admin
At this page user can search for rules and build the custom yara compiled file to be passed to Volatility yara plugin.
Thanks to ElasticSearch the fulltext search inside yara rules files is supported.
The user created the yara file can choose if keep it private or make public and available also for other users. Is it possible to have different yara compiled files, the only one set as default will be used by Volatility yara plugin.
At this point it will be possible to use the Volatility yara plugin and view the results.
OROCHI support remote HEX View of dumps. It is possible to browse the memory dump by pressing "*" button close to the memory dump.
At this point in the page will appear the HEX Viewer that shows the memory address, the hex values and the ascii values. It is possible browse manually the entire dump, go to a specific offset anb also search for a specific text.
Thanks to Kibana it is possible create some dashboard to show stats about dumps,plugins, etc.
