k1nd0ne/VolWeb

VolWeb

Introduction

VolWeb is a digital forensic memory analysis platform that leverages the power of the Volatility 3 framework. It is dedicated to aiding in investigations and incident responses.

🧬 Objectives

The goal of VolWeb is to enhance the efficiency of memory collection and forensic analysis by providing a centralized, visual, and enhanced web application for incident responders and digital forensics investigators. Once an investigator obtains a memory image from a Linux or Windows system (Mac coming soon), the evidence can be uploaded to VolWeb, which triggers automatic processing and extraction of artifacts using the power of the Volatility 3 framework.

By utilizing hybrid storage technologies, VolWeb also enables incident responders to directly upload memory images into the VolWeb platform from various locations using dedicated scripts interfaced with the platform and maintained by the community. Another goal is to allow users to compile technical information, such as Indicators, which can later be imported into modern CTI platforms like OpenCTI, thereby connecting your incident response and CTI teams after your investigation.

📘 Project Documentation and Getting Started Guide

The project documentation is available on the Wiki. There, you will be able to deploy the tool in your investigation environment or lab.

Important

Take time to read the documentation in order to avoid common misconfiguration issues.

Analysis features

A quick disclaimer: VolWeb is meant to be used in conjunction with the volatility3 framework CLI. It offers a different way to review and investigate some of the results and will not do all of the deep-dive analysis work for you.

💿 Hybrid storage solution

Your evidence is uploaded to the VolWeb platform and analysed from the local filesystem by default, which gives the best performance. You can also bind evidence stored in a cloud storage solution (AWS/MinIO) to your cases in order to perform the analysis directly from the cloud.

πŸ”¬ Investigate

The investigate feature is one of the core features of VolWeb. It provides an overview of the artefacts retrieved by the custom volatility3 engine in the backend. If available, you can visualise the process tree, get basic information about each process, dump them, and so on. You also get an enhanced view of all of the plugin results, grouped by category.

፨ Explore

« Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win. »

The explore feature comes with VolWeb 3.0 for Windows investigations (coming soon for Linux). It enables the memory forensics expert to investigate potentially suspicious processes in a graph view, offering another way to look at the data, and to correlate the volatility3 plugin results to get more context.

🚨 Capitalize and share STIX V2 Indicators

When the expert has found malicious activity, VolWeb gives you the possibility to create STIX V2 Indicators directly from the interface and centralize them in your case. Once your case is closed, you can generate your STIX bundle and share your Indicators with your community using CTI platforms like MISP or OpenCTI.
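As an added illustration of the STIX V2 export described above (example code, not VolWeb's own, which may structure its bundle differently), the following builds a minimal STIX 2.1 indicator bundle from constructed memory-analysis findings and checks the fields a CTI platform such as OpenCTI or MISP expects before import. The finding kinds, values and pattern templates are assumptions made for the example.

```python
import re
import uuid
from datetime import datetime, timezone

# Constructed sample findings from a memory investigation (placeholder values, not real IoCs).
FINDINGS = [
    {"kind": "file-sha256", "value": "a" * 64, "name": "Hash of a dumped suspicious process"},
    {"kind": "domain", "value": "c2.example.invalid", "name": "Domain seen in network artefacts"},
]
# STIX pattern templates for the artefact kinds handled here (hypothetical subset).
PATTERNS = {
    "file-sha256": "[file:hashes.'SHA-256' = '{v}']",
    "domain": "[domain-name:value = '{v}']",
}
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")
ID_RE = re.compile(r"^indicator--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")

def now_iso() -> str:
    # STIX 2.1 timestamps: UTC, RFC 3339, millisecond precision, 'Z' suffix.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def make_indicator(finding: dict) -> dict:
    # One STIX 2.1 Indicator SDO with a UUIDv4-based id and a STIX pattern.
    ts = now_iso()
    return {
        "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts, "valid_from": ts,
        "name": finding["name"], "indicator_types": ["malicious-activity"],
        "pattern": PATTERNS[finding["kind"]].format(v=finding["value"]), "pattern_type": "stix",
    }

def make_bundle(findings: list) -> dict:
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [make_indicator(f) for f in findings]}

def validate_bundle(bundle: dict) -> list:
    """Return the problems found; an empty list means the bundle passes these checks."""
    problems = []
    if bundle.get("type") != "bundle" or not str(bundle.get("id", "")).startswith("bundle--"):
        problems.append("bundle: bad type or id")
    for i, obj in enumerate(bundle.get("objects", [])):
        problems += [f"object {i}: missing {f}" for f in REQUIRED if f not in obj]
        if not ID_RE.match(obj.get("id", "")):
            problems.append(f"object {i}: id is not indicator--<uuid4>")
        if obj.get("pattern_type") != "stix" or not re.fullmatch(r"\[.+\]", obj.get("pattern", "")):
            problems.append(f"object {i}: pattern is not a bracketed STIX pattern")
    return problems
```

Running `validate_bundle` on a bundle before handing it to a CTI platform catches the usual import rejections (missing `valid_from`, malformed ids, unbracketed patterns) locally.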

🪑 Interacting with the REST API

VolWeb exposes a REST API to allow analysts to interact with the platform. A Swagger page is available on the platform with the full API documentation. A dedicated repository proposes scripts maintained by the community: https://github.com/forensicxlab/VolWeb-Scripts.

Administration

VolWeb uses Django in the backend. Manage your users and database directly from the admin panel.

👔 Issues & Feature request

If you have encountered a bug or wish to propose a feature, please feel free to create a discussion so that we can address it quickly. Please provide logs for any issue you are facing.

🤘 Contributing

VolWeb is open to contributions. Follow the contributing guidelines in the documentation to propose features.

Contact

Contact me at k1nd0ne@mail.com for any questions regarding this tool.

Next Release Goals

Check out the roadmap

Check out the discussions