add bodyfile support for timeliner

LDO-CERT · Aug 6, 2024 · d92cf5a · d92cf5a
1 parent 1323e48
commit d92cf5a
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 18 deletions.
diff --git a/compose/local/__init__.py b/compose/local/__init__.py
@@ -14,6 +14,13 @@
 
 import volatility3.framework.constants.linux
 import volatility3.framework.constants.windows
+from volatility3.framework.constants._version import (
+    PACKAGE_VERSION,
+    VERSION_MAJOR,
+    VERSION_MINOR,
+    VERSION_PATCH,
+    VERSION_SUFFIX,
+)
 
 PLUGINS_PATH = [
     os.path.abspath(os.path.join(os.path.dirname(__file__), "..", "..", "plugins")),
@@ -42,20 +49,6 @@
 BANG = "!"
 """Constant used to delimit table names from type names when referring to a symbol"""
 
-# We use the SemVer 2.0.0 versioning scheme
-VERSION_MAJOR = 2  # Number of releases of the library with a breaking change
-VERSION_MINOR = 7  # Number of changes that only add to the interface
-VERSION_PATCH = 1  # Number of changes that do not change the interface
-VERSION_SUFFIX = ""
-
-# TODO: At version 2.0.0, remove the symbol_shift feature
-
-PACKAGE_VERSION = (
-    ".".join([str(x) for x in [VERSION_MAJOR, VERSION_MINOR, VERSION_PATCH]])
-    + VERSION_SUFFIX
-)
-"""The canonical version of the volatility3 package"""
-
 AUTOMAGIC_CONFIG_PATH = "automagic"
 """The root section within the context configuration for automagic values"""
 

diff --git a/compose/local/dask/Dockerfile b/compose/local/dask/Dockerfile
@@ -27,7 +27,7 @@ RUN freshclam
 # Workers should have similar reqs as django
 WORKDIR /
 COPY ./requirements /requirements
-RUN pip install uv==0.2.31 -e git+https://github.com/dadokkio/volatility3.git@dc8dc9b078d42e41698ff93f2e65c5ee99aa2172#egg=volatility3 \
+RUN pip install uv==0.2.31 -e git+https://github.com/dadokkio/volatility3.git@f740146f692ba288f376a939b24b1c1a8f7cf5e2#egg=volatility3 \
   && uv pip install --no-cache --system -r /requirements/base.txt
 
 COPY ./compose/local/dask/prepare.sh /usr/bin/prepare.sh

diff --git a/compose/local/django/Dockerfile b/compose/local/django/Dockerfile
@@ -45,7 +45,7 @@ RUN /usr/local/go/bin/go build
 FROM common-base
 WORKDIR /
 COPY ./requirements /requirements
-RUN pip install uv==0.2.31 -e git+https://github.com/dadokkio/volatility3.git@dc8dc9b078d42e41698ff93f2e65c5ee99aa2172#egg=volatility3 \
+RUN pip install uv==0.2.31 -e git+https://github.com/dadokkio/volatility3.git@f740146f692ba288f376a939b24b1c1a8f7cf5e2#egg=volatility3 \
   && uv pip install --no-cache --system -r /requirements/base.txt
 
 COPY ./compose/local/__init__.py /src/volatility3/volatility3/framework/constants/__init__.py

diff --git a/orochi/templates/website/partial_note.html b/orochi/templates/website/partial_note.html
@@ -13,6 +13,11 @@ <h1 class="h4">
         <i class="fas fa-sync" title="Rerun"></i> Rerun
     </button>
     {% endif %}
+    {% if bodyfile %}
+    <a href="#" class="download_obj btn btn-primary btn-sm" data-path="{{bodyfile}}" title="Bodyfile">
+        <i class="fas fa-file-download"></i> BodyFile
+    </a>
+    {% endif %}
 </h1>
 <div id="selected_alert" class="row row-cols-auto gy-2">
     {% for item in note %}
@@ -50,9 +55,9 @@ <h1 class="h4">
 
             {% if item.description %}
              btn-log" data-log="{{item.description}}">{{item.result}} <i class="fas fa-indent" title="Log"></i>
-            {% else %}
+                {% else %}
                 ">{{item.result}}
-            {% endif %}
+                {% endif %}
             </span>
         </button>
     </div>

diff --git a/orochi/utils/volatility_dask_elk.py b/orochi/utils/volatility_dask_elk.py
@@ -361,6 +361,13 @@ def run_plugin(dump_obj, plugin_obj, params=None, user_pk=None, regipy_plugins=F
         # LOCAL DUMPS REQUIRES FILES - Also regipy plugins
         local_dump = plugin_obj.local_dump or regipy_plugins
 
+        # Timeliner can create a body-file if required
+        if (
+            plugin_obj.name == "timeliner.Timeliner"
+            and params.get("create-bodyfile") == True
+        ):
+            local_dump = True
+
         # ADD PARAMETERS, AND IF LOCAL DUMP ENABLE ADD DUMP TRUE BY DEFAULT
         plugin_config_path = interfaces.configuration.path_join(
             base_config_path, plugin.__name__

diff --git a/orochi/website/views.py b/orochi/website/views.py
@@ -464,6 +464,17 @@ def analysis(request):
                 or os.path.exists("/maxmind/GeoLite2-City.mmdb")
                 or os.path.exists("/maxmind/GeoLite2-Country.mmdb")
             )
+
+            bodyfile_path = (
+                Path(res.dump.upload.path).parent
+                / "timeliner.Timeliner/volatility.body"
+            )
+            bodyfile = (
+                bodyfile_path
+                if plugin.name == "timeliner.Timeliner" and bodyfile_path.exists()
+                else None
+            )
+
             return render(
                 request,
                 "website/partial_analysis.html",
@@ -472,6 +483,7 @@ def analysis(request):
                     "columns": columns,
                     "plugin": plugin.name,
                     "maxmind": maxmind,
+                    "bodyfile": bodyfile,
                 },
             )