VolWeb Documentation
This wiki describes the VolWeb application in order to:
- Help the sysadmin deploy the platform in a non-production environment.
- Help the sysadmin deploy the platform in a production environment.
- Assist an investigator or a developer in deploying a local version of the platform.
This documentation will evolve with the community's needs and contributions.
In this tutorial, the reader will learn, step by step, how the VolWeb platform can be deployed in a production environment.
To deploy VolWeb in your lab, you need to understand its different components. The image below provides a broad view of the technologies and protocols involved.
First, you will need the following requirements:
- Docker & docker-compose tool: https://docs.docker.com/compose/install/
- The latest release of VolWeb: https://github.com/k1nd0ne/VolWeb/releases
To deploy VolWeb in your test environment, the docker-compose.yaml file at the root of the project gives you a good start.
Copy the .env.example file to .env. If you are going to access the VolWeb instance via localhost, you don't have to change anything. If clients will reach it from another machine, edit the CSRF_TRUSTED_ORIGINS environment variable and set it to the origin (scheme plus IP or FQDN) of the host machine exactly as the clients will see it; Django rejects state-changing requests whose Origin header is not in this list.
Once this is done you are set! Just execute docker-compose up.
Navigate to http://localhost:3000
By default, the admin and user accounts created will have the following credentials:
admin:password
user:password
Change both passwords before exposing the instance to anything other than localhost. You can create more analyst accounts and change the passwords via the Django administration panel at https://[VOLWEB HOSTED IP]/admin/ (also reachable by clicking the username in the top right corner and then "Administration"); log in with the admin account above to modify them.
First, you will need the following requirements:
- Docker & docker-compose tool: https://docs.docker.com/compose/install/
- The latest release of VolWeb: https://github.com/k1nd0ne/VolWeb/releases
To deploy VolWeb in a production environment, you will need an X.509 certificate and its private key for the nginx TLS endpoint (and a second pair for MinIO if it runs on a separate host).
Here is an example of how to generate a self-signed certificate for VolWeb (the key is written unencrypted so that nginx can load it without a passphrase; restrict its file permissions):
openssl genrsa -out ./privkey.pem 2048
openssl req -new -x509 -days 365 -key ./privkey.pem -out ./fullchain.pem
Caution
Set the FQDN/IP address of the VolWeb instance when signing your certificate, and put it in the subjectAltName extension as well as the CN: current browsers ignore the CN and only match the SAN. If you choose to run MinIO on a different server, sign the MinIO certificate for that server's FQDN/IP and change the env file accordingly. Keep the file names privkey.pem and fullchain.pem exactly as in the example above; the nginx configuration refers to them by those names.
- Copy the certificates to ./VolWeb/nginx/ssl/privkey.pem and ./VolWeb/nginx/ssl/fullchain.pem
Caution
If you are using self-signed certificates, ensure they are trusted by your browser (import fullchain.pem into the browser's or the operating system's trust store). It is recommended to use certificates issued by a CA your clients already trust.
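The following shell script is an added example and not part of the VolWeb project. It generates a self-signed certificate in one step with a subjectAltName covering the name (and IP) clients will actually use, and checks with openssl that the certificate matches that name before you copy it into nginx/ssl. The host names volweb.lab.local and minio.lab.local and the address 10.0.0.5 are assumptions; replace them with your own.

```shell
# Added example, not VolWeb's own code. Generate self-signed certificates
# whose subjectAltName covers the host name (and IP) clients will use, then
# verify the match with openssl before copying the files into nginx/ssl/.
# volweb.lab.local, minio.lab.local and 10.0.0.5 are assumed values.

# make_selfsigned OUTDIR CN SAN
#   OUTDIR : directory receiving privkey.pem and fullchain.pem (the file
#            names the nginx configuration expects)
#   CN     : subject common name, e.g. volweb.lab.local
#   SAN    : subjectAltName list, e.g. "DNS:volweb.lab.local,IP:10.0.0.5"
make_selfsigned() {
    outdir="$1"; cn="$2"; san="$3"
    mkdir -p "$outdir"
    # -nodes: unencrypted key so nginx can start unattended; keep it 0600.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$cn" -addext "subjectAltName=$san" \
        -keyout "$outdir/privkey.pem" -out "$outdir/fullchain.pem" \
        >/dev/null 2>&1 || return 1
    chmod 600 "$outdir/privkey.pem"
}

# cert_covers_host CERT HOSTNAME: succeeds only if the certificate's SAN
# matches HOSTNAME, i.e. a browser would accept it for that name.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# cert_covers_ip CERT IP: the same check for an IP address literal.
cert_covers_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q "does match"
}

# Usage: one certificate for the VolWeb/nginx front end and a separate one
# for MinIO when it lives on another server, each signed for its own name.
# make_selfsigned ./certs/volweb volweb.lab.local "DNS:volweb.lab.local,IP:10.0.0.5"
# make_selfsigned ./certs/minio  minio.lab.local  "DNS:minio.lab.local"
# cert_covers_host ./certs/volweb/fullchain.pem volweb.lab.local && echo "SAN ok"
```

Run the check against every name you will type into the browser (the FQDN and, if you also use it, the bare IP); a certificate that passes -checkhost but fails in the browser is then a trust-store problem, not a name mismatch.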
To deploy VolWeb in a production environment, the docker-compose-prod.yaml file at the root of the project gives you a good start: it adds an nginx service that terminates TLS in front of the application.
Copy the .env.example file to .env. Edit the CSRF_TRUSTED_ORIGINS environment variable and set it to https://IP_or_FQDN of the host machine as the clients will access it (the scheme is part of the value and must be https here).
Once this is done you are set! Just execute docker-compose -f docker-compose-prod.yaml up.
If you are using an FQDN for the VolWeb platform, be sure to edit the nginx configuration file in VolWeb/docker/nginx/nginx.conf so that it serves that name.
Navigate to https://fqdn-or-ip-of-volweb/
Caution
If you are using self-signed certificates without adding them to your browser's trusted CAs, navigate to https://fqdn-or-ip-of-volweb:9000 once and accept the risk. The browser uploads evidence directly to MinIO on that port, so it must trust that certificate too, or else you won't be able to upload evidence from VolWeb.
By default, the admin and user accounts created will have the following credentials:
admin:password
user:password
Change these passwords immediately on a production instance. You can create more analyst accounts and change the passwords via the Django administration panel at https://[VOLWEB HOSTED IP]/admin/, using the above admin account to modify them.
In this tutorial, the reader will learn, step by step, how the VolWeb platform can be deployed in production using AWS instead of MinIO as the storage solution.
First, you will need the following requirements:
- An AWS or MinIO account allowed to create buckets, plus an access key ID and secret access key.
Using AWS with the VolWeb platform has one extra requirement. After creating a case in the VolWeb UI you can upload any memory image via VolWeb-Scripts without trouble. However, if you want to bind memory images from the VolWeb platform itself, the browser must be allowed to talk to the bucket linked to your evidence, so you need to authorize CORS on that bucket. To do so, open your AWS or MinIO bucket permissions in the web browser and add the following CORS policy. Note that "AllowedOrigins": ["*"] lets any web page that obtains a URL into the bucket issue these requests; restricting it to the VolWeb origin (the value of CSRF_TRUSTED_ORIGINS) is sufficient for VolWeb and is preferable.
[
  {
    "AllowedHeaders": [
      "*"
    ],
    "AllowedMethods": [
      "GET",
      "PUT",
      "POST",
      "DELETE",
      "HEAD"
    ],
    "AllowedOrigins": [
      "*"
    ],
    "ExposeHeaders": [
      "x-amz-server-side-encryption",
      "x-amz-request-id",
      "x-amz-id-2",
      "ETag"
    ],
    "MaxAgeSeconds": 3000
  }
]
This will allow the VolWeb platform to bind evidences that are located in your buckets.
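The script below is an added example, not VolWeb's own code. It prints the same CORS rule with AllowedOrigins restricted to the VolWeb origin instead of "*", and provides a check that flags a bucket policy still carrying a wildcard origin (handy on the output of aws s3api get-bucket-cors). The origin https://volweb.lab.local and the bucket name volweb-evidence are assumptions; use the exact value you set in CSRF_TRUSTED_ORIGINS.

```shell
# Added example, not part of the VolWeb project. Emit a bucket CORS policy
# that allows only the VolWeb origin instead of "*", and check an existing
# policy for wildcard origins. https://volweb.lab.local and the bucket
# name volweb-evidence are assumed values.

# volweb_cors_policy ORIGIN: print the rule from the wiki with
# AllowedOrigins restricted to ORIGIN. Methods and exposed headers are
# unchanged because the VolWeb UI needs them for uploads and binding.
volweb_cors_policy() {
    cat <<EOF
[
  {
    "AllowedHeaders": ["*"],
    "AllowedMethods": ["GET", "PUT", "POST", "DELETE", "HEAD"],
    "AllowedOrigins": ["$1"],
    "ExposeHeaders": [
      "x-amz-server-side-encryption",
      "x-amz-request-id",
      "x-amz-id-2",
      "ETag"
    ],
    "MaxAgeSeconds": 3000
  }
]
EOF
}

# cors_has_wildcard_origin FILE: succeeds if any rule in FILE allows "*".
# Accepts both a bare rule list (console / MinIO format) and the
# {"CORSRules": [...]} document returned by `aws s3api get-bucket-cors`.
# Uses python3 for JSON parsing.
cors_has_wildcard_origin() {
    python3 - "$1" <<'EOF'
import json, sys
with open(sys.argv[1]) as f:
    doc = json.load(f)
rules = doc["CORSRules"] if isinstance(doc, dict) else doc
open_rules = [r for r in rules if "*" in r.get("AllowedOrigins", [])]
sys.exit(0 if open_rules else 1)
EOF
}

# Usage:
# volweb_cors_policy https://volweb.lab.local > cors.json
# cors_has_wildcard_origin cors.json && echo "still open to any origin"
# aws s3api put-bucket-cors --bucket volweb-evidence \
#     --cors-configuration "{\"CORSRules\": $(cat cors.json)}"
```

For MinIO, paste the printed list into the bucket's CORS settings in the console; for AWS, wrap it in {"CORSRules": ...} as in the usage line, since that is the shape put-bucket-cors expects. Binding from the VolWeb UI keeps working because the browser's Origin header is exactly the CSRF_TRUSTED_ORIGINS value.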
To contribute:
- Make a proposition first by opening a discussion.
To set up the dev environment, follow these steps:
cd VolWeb/
docker-compose -f docker-compose-dev.yaml up
In a new terminal, set up a Python 3 virtual environment, load the development environment variables and install the dependencies:
cd VolWeb/backend
python3 -m venv ./venv
source ./venv/bin/activate
source .env.dev
pip3 install -r requirements.txt
Next, apply all the migrations, initialize the default accounts, and launch the web server:
python3 manage.py makemigrations
python3 manage.py migrate
python3 manage.py initadmin
python3 manage.py runserver 8000
In a new terminal, you will need to start a celery worker so the analysis tasks can be launched. (Make sure to also activate the venv).
cd VolWeb/backend
source ./venv/bin/activate
source .env.dev
celery -A backend worker --loglevel=INFO
You need to install Node.js with npm first.
In a new terminal, install and start the frontend:
cd VolWeb/frontend
npm install
npm run dev
Once your feature has been developed, update the settings to production and test your code with the production docker-compose file. VolWeb is in active development; your features may take time to be integrated depending on the roadmap.
The Swagger (OpenAPI) documentation of the REST API is available at http://IP/FQDN/swagger/
Feel free to develop your own scripts and share them here: https://github.com/forensicxlab/VolWeb-Scripts
The following sections will help you use VolWeb and optimize the performance of the VolWeb platform.
Before uploading your memory image to the VolWeb platform, it's recommended to use a raw format so that Volatility performs fewer address-translation steps through image-format layers.
Example: Consider converting a vmem image and the associated vmss to a raw image, then uploading the result to the VolWeb platform.
When an analysis is done, you can check the results produced by each plugin. Below is the meaning of each status:
- "Success": The plugin produced a result.
- "Unsatisfied requirement": There is usually a missing symbol requirement. Consider importing the correct ISF.
VolWeb is not meant to replace the Volatility3 CLI; some plugins are missing and will be integrated once we find the right visualization method for them. The Volatility3 v2.5.2 CLI provides the ability to perform your analysis directly on the remote MinIO bucket containing your evidence, so you can still use the Volatility3 CLI with the VolWeb platform as shown below. The variables are the MinIO access keys; export them in the analysis shell only rather than writing them into a profile file:
~» export AWS_ENDPOINT_URL="https://your-minio-or-volweb-instance:9000"
~» export AWS_ACCESS_KEY_ID=REDACTED
~» export AWS_SECRET_ACCESS_KEY=REDACTED
~» vol -f bucketID/Name_Of_The_Evidence.raw windows.pstree
Note
You can retrieve the evidence location by going to the MinIO instance or fetching the evidence metadata via the exposed VolWeb REST API. More info about the interaction with the REST API and example scripts here: https://github.com/forensicxlab/VolWeb-Scripts
If you need support deploying VolWeb in your lab, use the discussions to ask for help, propose new features, ... : https://github.com/k1nd0ne/VolWeb/discussions
If you are the administrator of VolWeb, use the admin panel located at https://volweb-uri/admin/. You will be able to create, modify and delete users. You'll also be able to flush evidence if needed. Some evidence might stall because of an unidentified bug; you can delete it from the admin panel (it will be deleted automatically from the S3 bucket too).