Esgr0bar / chainsaw-gui

GNU General Public License v3.0

Chainsaw GUI

Chainsaw GUI is a Rust-based graphical user interface for the Chainsaw CLI tool. Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows forensic artefacts such as Event Logs and the MFT file. The GUI allows users to load multiple CSV files generated by Chainsaw, aggregate the events, and visualize correlations among the events.

Features

Installation

  1. Clone the repository:

    git clone https://github.com/yourusername/chainsaw-gui.git
    cd chainsaw-gui
  2. Build the project:

    Ensure you have Rust and Cargo installed. You can install Rust using rustup.

    cargo build --release
  3. Run the application:

    cargo run --release

Usage

  1. Start the Application:

    cargo run --release
  2. Load CSV Files:

    • Enter the paths to your CSV files in the "CSV File Paths" field, separated by commas.
    • Click "Load CSVs" to load and aggregate the events from all specified files.
  3. Visualize Correlations:

    • The events will be displayed in the GUI.
    • Correlations among the events will be visualized in a DOT format graph.

Example CSV Files

Here are some example CSV file formats that can be loaded into the GUI:

Example 1

timestamp,detections,path,Event ID,Record ID,Computer,User,User SID,Member SID
2024-05-08T13:37:40.212866+00:00,User Added to Local Group,.\Logs\Security.evtx,4732,27,WIN-TE9IBT94OK1,IIS_IUSRS,,S-1-5-17
2024-05-08T13:37:40.214274+00:00,User Added to Global Group,.\Logs\Security.evtx,4728,32,WIN-TE9IBT94OK1,Aucun,,S-1-5-21-3302358702-4196171199-1625754011-504

Example 2

timestamp,detections,path,Event ID,Channel,Computer,Information
2024-05-08T13:40:34.610299+00:00,User Profile Disk - Registry file loaded,.\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx,5,Microsoft-Windows-User Profile Service/Operational,DESKTOP-289L8K5,C:\Users\John Doe\ntuser.dat
2024-05-08T13:40:34.661988+00:00,User Profile Disk - Registry file loaded,.\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx,5,Microsoft-Windows-User Profile Service/Operational,DESKTOP-289L8K5,C:\Users\John Doe\AppData\Local\Microsoft\Windows\\UsrClass.dat

Example 3

timestamp,detections,path,Event ID,Record ID,Computer,Service Name,Service File Name,Service Type,Service Start Type,Service Account
2024-05-08T13:37:50.758714+00:00,Suspicious Paths Service Installation,.\Logs\System.evtx,7045,52,WIN-TE9IBT94OK1,Intel(R) PRO/1000 PCI Express Network Connection Driver I,\SystemRoot\System32\drivers\e1i65x64.sys,pilote en mode noyau,Démarrage à la demande,
2024-05-08T13:37:50.868233+00:00,Suspicious Paths Service Installation,.\Logs\System.evtx,7045,53,WIN-TE9IBT94OK1,Périphérique Bluetooth (réseau personnel),\SystemRoot\System32\drivers\bthpan.sys,pilote en mode noyau,Démarrage à la demande,
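The Usage section describes loading several Chainsaw CSV exports, aggregating their events and drawing the correlations as a DOT graph. The following Rust example, added here and not part of the chainsaw-gui code base, shows that pipeline end to end with the standard library only: a quote-aware CSV line splitter, header-driven parsing so files with different column sets (Example 1 and Example 3 above) can be merged, timestamp ordering, and DOT output that links each host to its detections. The sample rows are constructed from the examples on this page; the function names and the host-to-detection graph shape are assumptions, not the project's own API.

```rust
use std::collections::BTreeMap;

/// One Chainsaw detection row keyed by column name; keeps only the columns its file declares.
pub type Event = BTreeMap<String, String>;

/// Split one CSV line, honouring double-quoted fields and "" escapes, so a name with a comma stays one column.
pub fn split_csv_line(line: &str) -> Vec<String> {
    let (mut fields, mut cur, mut quoted) = (Vec::new(), String::new(), false);
    let mut chars = line.chars().peekable();
    while let Some(c) = chars.next() {
        match c {
            '"' if quoted && chars.peek() == Some(&'"') => { cur.push('"'); chars.next(); }
            '"' => quoted = !quoted,
            ',' if !quoted => fields.push(std::mem::take(&mut cur)),
            _ => cur.push(c),
        }
    }
    fields.push(cur);
    fields
}

/// Parse one export using its own header, so exports with different schemas merge without a fixed struct.
pub fn parse_csv(text: &str) -> Vec<Event> {
    let mut lines = text.lines().filter(|l| !l.trim().is_empty());
    let header = match lines.next() { Some(h) => split_csv_line(h), None => return Vec::new() };
    lines.map(|l| header.iter().cloned().zip(split_csv_line(l)).collect::<Event>()).collect()
}

/// Merge several exports and order them by timestamp (Chainsaw's ISO 8601 stamps sort lexically).
pub fn aggregate(files: &[&str]) -> Vec<Event> {
    let mut all: Vec<Event> = files.iter().flat_map(|f| parse_csv(f)).collect();
    all.sort_by(|a, b| a.get("timestamp").cmp(&b.get("timestamp")));
    all
}

/// Emit a DOT graph: one edge per event from host to detection, labelled with the Event ID; shared host nodes are the correlation.
pub fn to_dot(events: &[Event]) -> String {
    let get = |e: &Event, k: &str| e.get(k).cloned().unwrap_or_else(|| "?".to_string());
    let mut dot = String::from("digraph chainsaw {\n");
    for e in events {
        let (host, det, eid) = (get(e, "Computer"), get(e, "detections"), get(e, "Event ID"));
        dot.push_str(&format!("  \"{host}\" -> \"{det}\" [label=\"EID {eid}\"];\n"));
    }
    dot + "}\n"
}
// Constructed sample inputs cut down from Example 1 and Example 3; the service name was given a comma and quotes on purpose.
pub const GROUPS_CSV: &str = "timestamp,detections,path,Event ID,Record ID,Computer,User,User SID,Member SID
2024-05-08T13:37:40.212866+00:00,User Added to Local Group,.\\Logs\\Security.evtx,4732,27,WIN-TE9IBT94OK1,IIS_IUSRS,,S-1-5-17\n";
pub const SERVICES_CSV: &str = "timestamp,detections,path,Event ID,Record ID,Computer,Service Name
2024-05-08T13:37:50.758714+00:00,Suspicious Paths Service Installation,.\\Logs\\System.evtx,7045,52,WIN-TE9IBT94OK1,\"Intel(R) PRO/1000, Driver\"\n";
```

Feeding the output of `to_dot(&aggregate(&[GROUPS_CSV, SERVICES_CSV]))` to Graphviz (`dot -Tsvg`) renders both detections hanging off the single WIN-TE9IBT94OK1 node, which is the kind of cross-file correlation the GUI is meant to surface.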

Acknowledgements