VolWeb 1.0.0-beta

VolWeb/settings.py

@@ -26,7 +26,6 @@
     'windows_engine.apps.WindowsEngineConfig',
     'dashboard.apps.DashboardConfig',
     'investigations.apps.InvestigationsConfig',
-    'iocs.apps.IocsConfig',
     'symbols.apps.SymbolsConfig',
     'django.contrib.admin',
     'django.contrib.auth',

VolWeb/urls.py

@@ -24,7 +24,6 @@
     path('login/', auth_views.LogoutView.as_view(template_name='dashboard/login.html'), name='logout'),
     path('', include('dashboard.urls')),
     path('investigations/', include('investigations.urls')),
-    path('iocs/', include('iocs.urls')),
     path('symbols/', include('symbols.urls')),
     path('win/', include('windows_engine.urls')),
     path('lin/', include('linux_engine.urls')),

dashboard/static/js/bs-init.js

@@ -49,14 +49,6 @@ if (document.getElementById('memcount')) {
         } else {
             console.error(countUp.error);
         }
-  }
-if (document.getElementById('indcount')) {
-        const countUp = new CountUp('indcount', document.getElementById("indcount").getAttribute("countToind"));
-        if (!countUp.error) {
-            countUp.start();
-        } else {
-            console.error(countUp.error);
-        }
   }
 
 	if (document.getElementById('symcount')) {

dashboard/static/js/linux.js

@@ -108,12 +108,27 @@ $("#searchTtyCheck").on("keyup", function() {
 
 
 function DisplayArtifacts(collapse, process, case_id) {
+  const span_loading = document.createElement("span"); 
+  span_loading.setAttribute('class','spinner-border spinner-border-sm');
+  span_loading.setAttribute('role','status');
+  $("#procmaps_btn").removeClass("d-none");
+  const procmaps_btn = document.getElementById("procmaps_btn"); 
+  procmaps_btn.textContent = "Click here to compute ProcMaps for PID " + process;
+  procmaps_btn.addEventListener('click', function (e) {
+    $("#processHandles").textContent = "";
+     procmaps_btn.textContent = "";
+     procmaps_btn.appendChild(span_loading);
+     ComputeProcMaps(process, case_id);
+  });
+
+
+
   if ($('#' + collapse).attr("aria-expanded") == "true") {
-    $('#Bash').addClass('d-none');
-    $('#Elfs').addClass('d-none');
-    $('#Lsof').addClass('d-none');
-    $('#PsAux').addClass('d-none');
-    $('#processMaps').addClass('d-none');
+    $('#Bash').empty();
+    $('#Elfs').empty();
+    $('#Lsof').empty();
+    $('#PsAux').empty();
+    $('#processMaps').empty();
 
     $('.spinner-review').removeClass("d-none");
     var url = $("#" + collapse).attr('data-url');
@@ -126,7 +141,6 @@ function DisplayArtifacts(collapse, process, case_id) {
             FillElfs(JSON.parse(response['artifacts']['Elfs']));
             FillLsof(JSON.parse(response['artifacts']['Lsof']));
             FillProcMaps(JSON.parse(response['artifacts']['ProcMaps']));
-
             $('#Bash').removeClass('d-none');
             $('#Elfs').removeClass('d-none');
             $('#Lsof').removeClass('d-none');
@@ -146,6 +160,25 @@ function DisplayArtifacts(collapse, process, case_id) {
   }
 }
 
+function ComputeProcMaps(process, case_id){
+   var url = $("#procmaps_btn").attr("data-url");
+  $.get(url, { 'case': case_id, 'pid': process }, // url
+  function (response, textStatus, jqXHR) {  // success callback
+    if (textStatus == "success") {
+      if (response['message'] == "success") {
+        FillProcMaps(JSON.parse(response['artifacts']['ProcMaps']));
+        $("#procmaps_btn").addClass("d-none");
+      }
+      if (response['message'] == "error") {
+        $('#proc-error-message').html("Something went wrong.");
+        $('.toast-proc-error').toast('show');
+      }
+    }
+  });
+
+}
+
+
 
 function FillPsAux(artifacts) {
   // Create the html elements for each line

dashboard/static/js/windows.js

@@ -105,7 +105,7 @@ function DisplayArtifacts(collapse, process, case_id) {
             FillNetStat(JSON.parse(response['artifacts']['NetStat']));
             FillNetScan(JSON.parse(response['artifacts']['NetScan']));
             FillSessions(JSON.parse(response['artifacts']['Sessions']));
-
+            FillHandles(JSON.parse(response['artifacts']['Handles']));
             $('#cmdline').removeClass('d-none');
             $('#processPriv').removeClass('d-none');
             $('#processEnv').removeClass('d-none');

dashboard/templates/dashboard/base.html

@@ -57,11 +57,7 @@
                       {% endif %}
                       " href="{% url 'symbols' %}"><i class="fas fa-table"></i><span>Symbols</span></a></li>
 
-          <li class="nav-item"><a class="nav-link
-                      {% if request.get_full_path == '/iocs/'%}
-                      active
-                      {% endif %}
-                      " href="{% url 'iocs' %}"><i class="fas fa-fingerprint"></i><span>IOCs</span></a>
+          <li class="nav-item">
             <div class="nav-item dropdown no-arrow" style="width: 10px;"><a class="dropdown-toggle nav-link"
                 aria-expanded="false" data-bs-toggle="dropdown" href="#">&nbsp;<i class="fas fa-user"></i><span>{{user.get_username }}</span></a>
               <div class="dropdown-menu dropdown-menu-dark dropdown-menu-end animated--fade-in"><a class="dropdown-item"

dashboard/templates/dashboard/dashboard.html

@@ -15,7 +15,7 @@ <h6 class="text-primary fw-bold m-0" style="color: rgb(232,232,232);">Investigat
             </div>
         </div>
     </div>
-    <div class="row">
+    <div class="row justify-content-center">
         <div class="col-md-6 col-xl-3 mb-4">
             <div class="card shadow border-start-primary py-2" style="background: rgba(0,0,0,0.25);border-style: none;">
                 <div class="card-body" style="color: rgb(255,255,255);border-style: none;">
@@ -30,7 +30,7 @@ <h6 class="text-primary fw-bold m-0" style="color: rgb(232,232,232);">Investigat
                 </div>
             </div>
         </div>
-        <div class="col-md-6 col-xl-3 mb-4">
+        <div class="col-md-6 col-xl-3 mb-6">
             <div class="card shadow border-start-success py-2" style="background: rgba(0,0,0,0.25);border-style: none;">
                 <div class="card-body">
                     <div class="row align-items-center no-gutters">
@@ -43,20 +43,7 @@ <h6 class="text-primary fw-bold m-0" style="color: rgb(232,232,232);">Investigat
                 </div>
             </div>
         </div>
-        <div class="col-md-6 col-xl-3 mb-4">
-            <div class="card shadow border-start-success py-2" style="background: rgba(0,0,0,0.25);border-style: none;">
-                <div class="card-body">
-                    <div class="row align-items-center no-gutters">
-                        <div class="col me-2">
-                            <div class="text-uppercase text-success fw-bold text-xs mb-1"><span style="color: var(--bs-purple);">String based IOCs</span></div>
-                            <div class="text-white fw-bold h5 mb-0" id="indcount" countToind="{{iocs}}"></div>
-                        </div>
-                        <div class="col-auto"><i class="fas fa-fingerprint fa-2x text-gray-600"></i></div>
-                    </div>
-                </div>
-            </div>
-        </div>
-        <div class="col-md-6 col-xl-3 mb-4">
+        <div class="col-md-6 col-xl-3 mb-6">
             <div class="card shadow border-start-warning py-2" style="background: rgba(0,0,0,0.25);border-style: none;">
                 <div class="card-body">
                     <div class="row align-items-center no-gutters">

dashboard/views.py

@@ -1,13 +1,12 @@
 from django.shortcuts import render
 from django.contrib.auth.decorators import login_required
 from investigations.models import UploadInvestigation, Activity
-from iocs.models import IOC
 from symbols.models import Symbols
 from django.contrib.auth import get_user_model
 from django.core import serializers
 
 
-# Dashboard view : Return the dashboard with the latest IOCs and Investigations
+# Dashboard view : Return the dashboard with the latest Investigations
 @login_required
 def dashboard(request):
     """Load the dashboard
@@ -16,15 +15,14 @@ def dashboard(request):
         request : http request object
 
         Comments:
-        Display the dashboard and pass the users/activities/analysis/iocs
+        Display the dashboard and pass the users/activities/analysis/
         """
     User = get_user_model()
     activity = serializers.serialize("json", Activity.objects.all(), fields=("date", "count"))
     return render(request, 'dashboard/dashboard.html',
                   {
                       'Activity': activity, 'Users': User.objects.filter(is_superuser=False),
                       'investigations': UploadInvestigation.objects.all().count(),
-                      'iocs': IOC.objects.all().count(),
                       'symbols': Symbols.objects.all().count(),
                       'team': User.objects.all().count()
                   })

docker/docker-compose.yml

@@ -41,7 +41,6 @@ services:
       - ./nginx:/etc/nginx/conf.d
       - ./nginx/ssl/:/etc/nginx/certs/
       - staticfiles:/home/app/web/staticfiles
-      - ./nginx/log/:/var/log/nginx/
     depends_on:
       - web
 

docker/nginx/nginx.conf

@@ -37,7 +37,7 @@ server {
     ssl_session_cache shared:SSL:1m;
     ssl_session_timeout 10m;
     ssl_buffer_size 4k;
-    client_max_body_size 64G;
+    client_max_body_size 1G;
     location / {
         proxy_pass http://volweb;
         add_header Strict-Transport-Security "max-age=31536000";

investigations/tasks.py

@@ -1,5 +1,4 @@
 from investigations.models import *
-from iocs.models import IOC
 from investigations.celery import app
 from windows_engine.vol_windows import *
 from linux_engine.vol_linux import *

investigations/templates/investigations/investigations.html

@@ -75,7 +75,7 @@ <h4 style="color: var(--bs-white);"><i class="fas fa-briefcase"></i>&nbsp;Invest
 
             {% elif i.status == '4' %}
             <div class="col-2 text-center" style="color: var(--bs-body-bg);background: rgba(58,59,69,0);"><span
-                class="invest-header" style="color: var(--bs-orange);">Partial results</span></div>
+                class="invest-header" style="color: var(--bs-purple);">Partial results</span></div>
             {% elif i.status == '2' %}
             <div class="col-2 text-center" style="color: var(--bs-body-bg);background: rgba(58,59,69,0);"><span
                 class="invest-header" style="color: var(--bs-green);">Ready</span></div>

investigations/templates/investigations/linux/processes/maps.html

@@ -5,6 +5,10 @@
 Included in the "review_invest.html", this file represent the "Maps" tab.
 --->
 <div class="tab-pane fade" role="tabpanel" id="tab-4">
+  <div class="d-grid gap-2">
+    <button id="procmaps_btn" data-url="{% url 'get_procmaps' %}" type="button" class="mt-3 btn btn-info"></button>
+  </div>
+
   <div class="col mt-2 align-items-center no-gutters d-flex justify-content-between">
     <input type="search" id="searchProcessMaps" class="search-bar form-control" placeholder="Look for something" style="color: var(--bs-gray-100);background: var(--bs-primary-rgb);">
   </div>

investigations/templates/investigations/review_invest.html

@@ -278,8 +278,6 @@ <h5 class="text-truncate" style="color: var(--bs-blue);">{{case.title}}</h5>
                 style="color: var(--bs-pink);"><i class="fa-solid fa-timeline"></i>&nbsp;Timeline</a></li>
             <li class="nav-item" role="presentation"><a class="nav-link" role="tab" data-bs-toggle="tab" href="#tab-16"
                 style="color: var(--bs-warning);"><i class="fas fa-file"></i>&nbsp;Files</a></li>
-            <li class="nav-item" role="presentation"><a class="nav-link" role="tab" data-bs-toggle="tab" href="#tab-18"
-                style="color: var(--bs-danger);"><i class="fas fa-fingerprint"></i>&nbsp;String based IOCs</a></li>
             <li class="nav-item" role="presentation"><a class="nav-link" role="tab" data-bs-toggle="tab" href="#tab-22"
                 style="color: var(--bs-info);"><i class="fas fa-file-contract"></i>&nbsp;Reporting</a></li>
 
@@ -440,7 +438,6 @@ <h5 class="text-truncate" style="color: var(--bs-blue);">{{case.title}}</h5>
             {% include "investigations/windows/registry/registry.html" %}
             {% include "investigations/windows/cryptography/cryptography.html" %}
             {% include "investigations/windows/timeline/timeline.html" %}
-            {% include "investigations/windows/iocs/iocs.html" %}
             {% include "investigations/windows/files/files.html" %}
             {% include "investigations/windows/report.html" %}
 

investigations/templates/investigations/windows/cryptography/cryptography.html

@@ -153,17 +153,17 @@ <h4 class="card-title">Skeleton Key Check</h4>
                         <button class="btn btn-link btn-sm dropdown-toggle" aria-expanded="false" data-bs-toggle="dropdown" type="button"><i class="fas fa-ellipsis-v text-gray-400"></i></button>
                           <div class="dropdown-menu shadow dropdown-menu-end animated--fade-in">
                               <p class="text-center dropdown-header">Tag as</p>
-                              <a class="dropdown-item" href="#" onclick="Tag(&quot;{% url 'win_tag'%}&quot;, 'SkeletonKeyCheck', {{process.id}}, 'Suspicious')">
+                              <a class="dropdown-item" href="#" onclick="Tag('SkeletonKeyCheck', {{process.id}}, 'Suspicious')">
                                   <strong class="badge bg-warning text-wrap text-warning">&nbsp;</strong>
                                 &nbsp;Suspicious
                               </a>
-                              <a class="dropdown-item" href="#" onclick="Tag(&quot;{% url 'win_tag'%}&quot;, 'SkeletonKeyCheck', {{process.id}}, 'Evidence')">
+                              <a class="dropdown-item" href="#" onclick="Tag('SkeletonKeyCheck', {{process.id}}, 'Evidence')">
                                 <strong class="badge bg-danger text-wrap text-danger">&nbsp;</strong>
                                 &nbsp;Evidence
                               </a>
                               <div class="dropdown-divider">
                               </div>
-                              <a class="dropdown-item" href="#" onclick="Tag(&quot;{% url 'win_tag'%}&quot;, 'SkeletonKeyCheck', {{process.id}}, 'Clear')">&nbsp;Clear tag</a>
+                              <a class="dropdown-item" href="#" onclick="Tag('SkeletonKeyCheck', {{process.id}}, 'Clear')">&nbsp;Clear tag</a>
                           </div>
                       </div>
                     </td>