Orochi - The Volatility Collaborative GUI
Orochi is an open source framework for collaborative forensic memory dump analysis. Using Orochi you and your collaborators can easily organize your memory dumps and analyze them all at the same time.
For people who prefer to install and try first and then read the guide:
git clone https://github.com/LDO-CERT/orochi.git
cd orochi
sudo docker-compose pull
sudo docker-compose up
Browse http://127.0.0.1:8000 and access with admin//admin
Using Docker-compose you can start multiple dockers and link them together.
Start cloning the repo and enter in the folder:
git clone https://github.com/LDO-CERT/orochi.git
cd orochi
In case you are running docker on Windows you can do wsl -d docker-desktop sysctl -w vm.max_map_count=262144
from PowerShell.
You need to set some useful variables that docker-compose will use for configure the environment
Here is a sample of .env\.local\.postgres
:
POSTGRES_HOST=postgres
POSTGRES_PORT=5432
POSTGRES_DB=orochi
POSTGRES_USER=debug
POSTGRES_PASSWORD=debug
Here is a sample of .env\.local\.django
:
USE_DOCKER=yes
IPYTHONDIR=/app/.ipython
REDIS_URL=redis://redis:6379/0
DASK_SCHEDULER_URL=tcp://scheduler:8786
By default ALLOWED_HOSTS
config permits access from everywhere. If needed you can change it from .envs\.local\.django
If needed you can increase or decrease Dask workers to be started. In order to do this you have to update the docker-compose.yml
file changing the number of replicas
in the deploy section of worker
service.
You can pull images with command:
docker-compose pull
Or build images with command:
docker-compose build
Now it's time to fire up the images!
docker-compose up
When finished - it takes a while - you can check the status of images:
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fdc1fa46c0d8 ghcr.io/ldo-cert/orochi_nginx:new "/docker-entrypoint.…" 21 hours ago Up 4 hours 0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp orochi_nginx
db5b7f50ee5b ghcr.io/ldo-cert/orochi_worker:new "tini -g -- /usr/bin…" 21 hours ago Up 4 hours orochi-worker-1
5f334d521d04 ghcr.io/ldo-cert/orochi_worker:new "tini -g -- /usr/bin…" 21 hours ago Up 4 hours orochi-worker-2
3768f5fa73d3 ghcr.io/ldo-cert/orochi_django:new "/entrypoint /start" 21 hours ago Up 4 hours 8000/tcp orochi_django_wsgi
a3f79c5281cc ghcr.io/ldo-cert/orochi_django:new "/entrypoint daphne …" 21 hours ago Up 4 hours 9000/tcp orochi_django_asgi
6bb5d6107029 ghcr.io/ldo-cert/orochi_worker:new "tini -g -- /usr/bin…" 21 hours ago Up 4 hours 0.0.0.0:8786-8787->8786-8787/tcp, :::8786-8787->8786-8787/tcp orochi_scheduler
636c41f3fe9b postgres:16.3 "docker-entrypoint.s…" 22 hours ago Up 4 hours 0.0.0.0:5432->5432/tcp, :::5432->5432/tcp orochi_postgres
6d8d337667ad redis:7.4.0 "docker-entrypoint.s…" 22 hours ago Up 4 hours 0.0.0.0:6379->6379/tcp, :::6379->6379/tcp orochi_redis
596be665ef37 axllent/mailpit:latest "/mailpit" 22 hours ago Up 4 hours (healthy) 0.0.0.0:1025->1025/tcp, :::1025->1025/tcp, 0.0.0.0:8025->8025/tcp, :::8025->8025/tcp, 1110/tcp orochi_mailpit
![Orochi](docs/images/022_orochi_docker_schema.png)
Now some management commands in case you are upgrading:
docker-compose run --rm django python manage.py makemigrations
docker-compose run --rm django python manage.py migrate
docker-compose run --rm django python manage.py collectstatic
Sync Volatility plugins (*) in order to make them available to users:
docker-compose run --rm django python manage.py plugins_sync
Volatility Symbol Tables are available here and can be sync using this command (*):
docker-compose run --rm django python manage.py symbols_sync
(*) It is also possible to run plugins_sync and symbols_sync directly from the admin page in case new plugins or new symbols are available.
To create a normal user account, just go to Sign Up (http://127.0.0.1:8000) and fill out the form. Once you submit it, you'll see a "Verify Your E-mail Address" page. Go to your console to see a simulated email verification message. Copy the link into your browser. Now the user's email should be verified and ready to go.
In development, it is often nice to be able to see emails that are being sent from your application. For that reason local SMTP server Mailpit with a web interface is available as docker container.
Container mailpit will start automatically when you will run all docker containers.
Please check cookiecutter-django Docker documentation
for more details how to start all containers.
With Mailpit running, to view messages that are sent by your application, open your browser and go to http://127.0.0.1:8025
Other details in cookiecutter-django Docker documentation
Applications links:
Please see Users-Guide
Please see Admin-Guide
Please see API-Guide
Please see Deploy-to-Swarm
We are available on Gitter to help you and discuss about improvements.
If you want to contribute to orochi, be sure to review the contributing guidelines. This project adheres to orochi code of conduct. By participating, you are expected to uphold this code.
"Its eyes are like akakagachi, it has one body with eight heads and eight tails. Moreover on its body grows moss, and also chamaecyparis and cryptomerias. Its length extends over eight valleys and eight hills, and if one look at its belly, it is all constantly bloody and inflamed." Full story from wikipedia
Let's go cut tails and find your Kusanagi-no-Tsurugi!