VolWeb is a digital forensic memory analysis platform.
The goal of VolWeb is to improve the efficiency of memory forensics by providing a centralized, visual and enhanced platform for incident responders and digital forensics investigators.
VolWeb is built on Volatility 3, and the platform will evolve alongside the framework.
This project is under active development, so this README may not always reflect the most up-to-date documentation.
Blog: https://www.forensicxlab.com/VolWeb.html
VolWeb is still in development and will evolve quickly.
Updates are announced on Twitter or by following this repository.
The platform is currently supporting the following features:
Feature | Windows | Linux | macOS |
---|---|---|---|
String IoC extraction | ✅ | ❌ | ❌ |
Process Tree | ✅ | ❌ | ❌ |
Process Graph | ✅ | ❌ | ❌ |
Process Scan | ✅ | ❌ | ❌ |
Process Dump | ✅ | ❌ | ❌ |
Process Env | ✅ | ❌ | ❌ |
Process Cmdline | ✅ | ❌ | ❌ |
Process Privileges | ✅ | ❌ | ❌ |
Network Scan | ✅ | ❌ | ❌ |
Network Stat | ✅ | ❌ | ❌ |
Network Graph | ✅ | ❌ | ❌ |
Hash Dump | ✅ | ❌ | ❌ |
Lsa/Cache Dump | ✅ | ❌ | ❌ |
Skeleton key check | ✅ | ❌ | ❌ |
Dll List | ✅ | ❌ | ❌ |
File scan | ✅ | ❌ | ❌ |
Timeline Explorer | ✅ | ❌ | ❌ |
Malware finder | ✅ | ❌ | ❌ |
Automatic Report Generation | ✅ | ❌ | ❌ |
VolWeb is fully dockerized and can be deployed in a production environment. To deploy VolWeb, follow these steps:
Download the latest release: https://github.com/k1nd0ne/VolWeb/releases
Then navigate to the VolWeb directory, edit the ./docker/secret/volweb.env file and replace the placeholders in the following fields with your own secrets (use a strong, randomly generated database password and Django secret key; never keep the placeholder values):
POSTGRES_USER=USER_HERE
POSTGRES_PASSWORD=PASSWORD_HERE
DJANGO_SECRET=SECRET_KEY_HERE
Next, place your TLS certificate and private key in the nginx/ssl folder (obtained from certbot, or self-signed with openssl for testing, for example):
openssl genrsa > ./VolWeb/docker/nginx/ssl/privkey.pem
openssl req -new -x509 -key ./VolWeb/docker/nginx/ssl/privkey.pem > ./VolWeb/docker/nginx/ssl/fullchain.pem
Fill in the fields openssl prompts for (the CN should match the hostname analysts will use). Note that `openssl req -x509` issues a certificate valid for only 30 days unless you pass `-days N`, and that a self-signed certificate will trigger browser warnings; use one issued by a CA you control (or certbot) for a real deployment. The files must be named privkey.pem and fullchain.pem exactly as above, since the nginx configuration refers to those names.
Finally, build the images and run the containers.
cd ./VolWeb/docker
docker-compose build
docker-compose up -d
The nginx logs can be found in the /nginx/log folder.
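The deployment steps above leave two things entirely to the operator: filling in volweb.env with real secrets and getting the nginx TLS material right. The following script is an added example, not part of the VolWeb project; it assumes only the env file layout and the privkey.pem/fullchain.pem names shown in this README. It generates the three secrets with values that are safe to put in a docker-compose env_file unquoted, refuses env files that still carry the template placeholders or weak values, and uses the standard library's `ssl` module to confirm that the private key actually matches the certificate chain before nginx tries to load it.

```python
"""Prepare and sanity-check VolWeb's docker secrets and TLS inputs.

Added example, not code from the VolWeb project. It assumes the
docker/secret/volweb.env layout from the README (POSTGRES_USER,
POSTGRES_PASSWORD, DJANGO_SECRET) and the docker/nginx/ssl/{privkey,fullchain}.pem
file names; the thresholds and checks below are this example's own choices.
"""
import os
import re
import secrets
import ssl
import sys

# Placeholder values from the README template that must never reach production.
PLACEHOLDERS = ("USER_HERE", "PASSWORD_HERE", "SECRET_KEY_HERE")
REQUIRED_KEYS = ("POSTGRES_USER", "POSTGRES_PASSWORD", "DJANGO_SECRET")
MIN_SECRET_LEN = 50     # Django's own get_random_secret_key() yields 50 chars
MIN_PASSWORD_LEN = 20   # assumption for this example; pick your own policy


def generate_secrets(db_user="volweb"):
    """Return fresh values for the three fields.

    token_urlsafe only emits [A-Za-z0-9_-], so the values need no quoting in
    an env_file and contain no '$' that docker-compose or a shell could expand.
    """
    return {
        "POSTGRES_USER": db_user,
        "POSTGRES_PASSWORD": secrets.token_urlsafe(24),   # 32 characters
        "DJANGO_SECRET": secrets.token_urlsafe(48),       # 64 characters
    }


def render_env(values):
    """Serialise values in the KEY=VALUE form docker-compose's env_file expects."""
    return "".join(f"{key}={values[key]}\n" for key in REQUIRED_KEYS)


def parse_env(text):
    """Minimal env_file reader: KEY=VALUE per line, '#' comments, blank lines."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_env(text):
    """Return a list of problems found in an env file's contents ([] means OK)."""
    env = parse_env(text)
    problems = []
    for key in REQUIRED_KEYS:
        value = env.get(key, "")
        if not value:
            problems.append(f"{key} is missing or empty")
            continue
        if value in PLACEHOLDERS:
            problems.append(f"{key} still holds the template placeholder {value}")
        if key == "DJANGO_SECRET" and len(value) < MIN_SECRET_LEN:
            problems.append(f"{key} is shorter than {MIN_SECRET_LEN} characters")
        if key == "POSTGRES_PASSWORD" and len(value) < MIN_PASSWORD_LEN:
            problems.append(f"{key} is shorter than {MIN_PASSWORD_LEN} characters")
        if re.search(r"[\s$\"']", value):
            problems.append(f"{key} contains whitespace, quotes or '$' (unsafe in env_file)")
    return problems


def check_tls(ssl_dir):
    """Verify nginx's TLS inputs: both files exist and the key matches the chain."""
    key_path = os.path.join(ssl_dir, "privkey.pem")
    chain_path = os.path.join(ssl_dir, "fullchain.pem")
    problems = [f"missing {p}" for p in (key_path, chain_path) if not os.path.isfile(p)]
    if problems:
        return problems
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # load_cert_chain raises ssl.SSLError when the key does not belong to
        # the leaf certificate or when either file is not valid PEM, which is
        # exactly the failure nginx would hit at startup.
        ctx.load_cert_chain(certfile=chain_path, keyfile=key_path)
    except ssl.SSLError as exc:
        problems.append(f"privkey.pem/fullchain.pem rejected: {exc}")
    return problems


if __name__ == "__main__":
    env_path = sys.argv[1] if len(sys.argv) > 1 else "docker/secret/volweb.env"
    ssl_dir = sys.argv[2] if len(sys.argv) > 2 else "docker/nginx/ssl"
    if not os.path.exists(env_path):
        with open(env_path, "w") as fh:
            fh.write(render_env(generate_secrets()))
        os.chmod(env_path, 0o600)   # the file holds credentials: owner-only
        print(f"wrote fresh secrets to {env_path}")
    with open(env_path) as fh:
        issues = check_env(fh.read()) + check_tls(ssl_dir)
    for issue in issues:
        print("PROBLEM:", issue)
    sys.exit(1 if issues else 0)
```

Run it from the VolWeb directory before `docker-compose build`; a non-zero exit means the deployment inputs are not ready. It only writes volweb.env when the file does not exist yet, so it never overwrites a database password that a running Postgres volume already depends on.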
By default, the admin and user accounts are created with the following credentials:
admin:password
user:password
You can create more analyst accounts via the Django administration panel at https://[VOLWEB HOSTED IP]/admin.
The admin account cannot create analyses; use it only to create analyst accounts. Change both default passwords before exposing the instance (via the admin panel, or with Django's `python3 manage.py changepassword <username>`).
To stop the platform and remove its containers, images and volumes (this deletes the database and every stored case, so back up first if you need them):
cd ./VolWeb/docker
docker-compose down --rmi all --volumes
If you have found an issue, please raise it. I am performing one sprint every month to fix discovered bugs. I am also performing white-box pentests of the platform to improve its security.
Contact me at [email protected] for any questions regarding this tool.
The full documentation will be available soon.
To contribute to the project, open a pull request against the dev branch.
To set up the dev environment, follow these steps:
cd docker
docker-compose -f docker-compose-dev.yml up
Then run the migrations, create the default admin account and start the web service; the Celery worker on the last line runs in a second terminal:
python3 manage.py makemigrations
python3 manage.py migrate
python3 manage.py initadmin
python3 manage.py runserver
celery -A investigations worker --loglevel=INFO
Once your feature has been developed, switch the settings to production and test your code with the production docker-compose.yaml. Don't forget to clean the case directory before committing.
- Highlighting of known-legitimate processes, so analysts can see at a glance what not to look at
- Recode MalConfScan for volatility3
- ISF Database.
- Add missing modules to the windows memory analysis.
- Mac OS support
- Linux support
- Import multiple IOCs from a CSV
- Export IOCs to a CSV for qualification and integration into Threat Intelligence Platforms