import subprocess
import os
import run
#from run import user_input
from colorama import Fore


def about_columbo():
    """Print the Columbo overview and option descriptions, open the bundled
    license file in Notepad, then hand control back to the main menu."""
    # Folder that holds this module (and license.txt next to it).
    dir_path = os.path.dirname(os.path.realpath(__file__))
    print('\n')
    print(Fore.YELLOW + 'What is Columbo?')
    print('---------------')
    print(Fore.WHITE + '\nColumbo is a computer forensic analysis tool used to simplify and identify specific patterns '
          'in compromised datasets. It breaks data down into small sections and uses pattern recognition '
          'and machine learning models to identify adversaries\' behaviour and their possible locations '
          'on compromised Windows platforms, in the form of suggestions. Currently Columbo operates on the Windows platform only.\n')
    print(Fore.YELLOW + 'Dependencies & High Level Architecture')
    print('--------------------------------------')
    print(Fore.WHITE + '\nColumbo depends on volatility3, autorunsc.exe and sigcheck.exe to extract data. '
          'Therefore users must download these dependent tools (see License.txt) and place them under the' + r' Columbo\bin folder.'
          '\nThe output (data) generated by these tools is automatically piped to the Columbo main engine. It breaks it down into small sections, '
          'pre-processes it and applies machine learning models to classify the location of the compromised system, executable files and other behaviours.')
    print(Fore.YELLOW + '\nOptions of Columbo')
    print('------------------')
    # Raw strings below: the result paths contain backslashes, and '\C', '\M'
    # and '\S' are invalid escape sequences in a normal string literal.
    print(Fore.YELLOW + '\nOption 2:' + Fore.WHITE + '\nLive analysis - files and process traceability. This option '
          'analyses running Windows processes to identify running '
          'malicious activities, if any. Columbo uses autorunsc.exe to '
          'extract the data from the machine; the outputs are piped to '
          'machine learning models and pattern recognition engines to '
          'classify suspicious activities. The outputs are then saved under '
          r'<USER-PATH>\Columbo\ML\Step-2-results in the form of Excel files '
          'for further analysis. Furthermore, users are given options to '
          'examine running processes. The result contains information such '
          'as process traceability, commands associated with each '
          'process (if applicable) and whether or not the processes are '
          'responsible for executing new processes.')
    print(Fore.YELLOW + '\nOption 3:' + Fore.WHITE + '\nScan and analyse Hard Disk Image File (.vhdx): This option '
          'takes the path of a mounted Windows hard disk image. It '
          'uses sigcheck.exe to extract the data from the file systems. Then '
          'the results are piped into machine learning models to classify '
          'suspicious activities. The outputs are saved under '
          r'<USER-PATH>\Columbo\ML\Step-3-results in the form of Excel '
          'files.')
    print(
        Fore.YELLOW + '\nOption 4:' + Fore.WHITE + '\nMemory Forensics. In this option, Columbo takes the path of the '
        'memory image and the following options are produced for users to '
        'select.\n\n' + Fore.GREEN + 'a) Memory Information:' + Fore.WHITE + ' Volatility 3 is used to '
        'extract information about the image.\n\n' + Fore.GREEN + 'b) Processes Scan: ' + Fore.WHITE +
        'Volatility 3 is used to extract process, DLL and handle '
        'information for each process. Then, Columbo uses grouping and '
        'clustering mechanisms to group each process according to its '
        'mother (parent) process. This option is later used by the process '
        'traceability under the Anomaly Detection option.\n\n' + Fore.GREEN + 'c) Process Tree: ' + Fore.WHITE +
        'Volatility 3 is used to extract the process tree of the '
        'processes.\n\n' + Fore.GREEN + 'd) Anomaly Detection and Process Traceability: ' + Fore.WHITE +
        'Volatility 3 is used to extract a list of anomaly detection '
        'processes. In addition, Columbo gives an option called Process '
        'Traceability to separately examine each process and '
        'collectively produce the following information.\n\n'
        '-> Paths of the executable files and associated commands.\n'
        '-> Machine learning models are used to determine the legitimacy of '
        'the identified processes.\n'
        '-> Each process is traced all the way back to its root process '
        '(complete path), with execution dates and times.\n'
        '-> Identify whether the process is responsible for executing other '
        'processes, i.e. whether it is the mother process of new '
        'processes or not.\n'
        '-> Handle and DLL information is extracted for each process '
        'and presented with the rest of the information. '
        '\n')
    print(
        Fore.YELLOW + 'However, all of the above steps in option 4 are automated.\n')
    # Windows only: open the license file in Notepad. The path is passed as a
    # separate argument (no shell), so spaces in dir_path are handled correctly.
    subprocess.Popen(['notepad.exe', dir_path + r'\license.txt'])
    print(Fore.WHITE + '\n')
    # print('\n')
    return run.user_input()
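The "Dependencies & High Level Architecture" text above says Columbo shells out to third-party binaries (autorunsc.exe, sigcheck.exe) that the user downloads and drops into `Columbo\bin`, and pipes their output into its engine. Anything executed from a user-writable folder is a supply-chain risk, so a practitioner wants two checks before the engine runs them: that each required tool is actually present, and that it still matches a pinned SHA-256. The block below is an added example and not Columbo's own code; `check_bin_folder`, `run_tool` and `selfcheck_demo` are hypothetical names, the pinned hashes are computed over constructed placeholder files rather than the real Sysinternals binaries, and the "tool" that gets executed in the demo is the Python interpreter standing in for autorunsc.exe so the example runs on any platform.

```python
"""Added example (not Columbo's code): verify the third-party tools that the
about text says live under Columbo\\bin, then run one without a shell and
capture its output. Tool names come from the about text; the hash check,
function names and placeholder files are assumptions made for illustration."""
import hashlib
import subprocess
import sys
import tempfile
from pathlib import Path

# Names taken from the about text; the binaries themselves are downloaded
# separately by the user (see Columbo's License.txt).
REQUIRED_TOOLS = ("autorunsc.exe", "sigcheck.exe")


def sha256_of(path):
    """Hex SHA-256 of a file, read in 1 MiB chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_bin_folder(bin_dir, required=REQUIRED_TOOLS, expected_hashes=None):
    """Return {tool name: Path} for every required tool found under bin_dir.

    Raises FileNotFoundError if a tool is missing and ValueError if a pinned
    SHA-256 (when supplied) does not match: a swapped or tampered binary must
    not be executed with the analyst's privileges.
    """
    bin_dir = Path(bin_dir)
    found = {}
    for name in required:
        exe = bin_dir / name
        if not exe.is_file():
            raise FileNotFoundError(f"{name} not found in {bin_dir}; download it and place it there")
        if expected_hashes and name in expected_hashes:
            actual = sha256_of(exe)
            if actual != expected_hashes[name].lower():
                raise ValueError(f"{name}: SHA-256 {actual} does not match the pinned value")
        found[name] = exe
    return found


def run_tool(exe, args=(), timeout=600):
    """Run a verified tool as an argument list (no shell) and capture its stdout as text.

    An argument list keeps paths with spaces or shell metacharacters from being
    reinterpreted; the timeout stops a hung tool from blocking the engine forever.
    """
    proc = subprocess.run([str(exe), *args], capture_output=True, text=True,
                          timeout=timeout, check=False)
    return proc.returncode, proc.stdout


def selfcheck_demo():
    """Exercise the checks against a constructed bin folder (placeholder files, not real tools)."""
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "bin"
        bin_dir.mkdir()
        for name in REQUIRED_TOOLS:
            (bin_dir / name).write_bytes(b"constructed placeholder for " + name.encode())
        # Pin the hashes of the (placeholder) binaries as delivered.
        pinned = {name: sha256_of(bin_dir / name) for name in REQUIRED_TOOLS}
        outcome["present"] = sorted(check_bin_folder(bin_dir, expected_hashes=pinned))

        # A binary whose content changed after pinning is refused.
        (bin_dir / "sigcheck.exe").write_bytes(b"something else entirely")
        try:
            check_bin_folder(bin_dir, expected_hashes=pinned)
            outcome["tampered_rejected"] = False
        except ValueError:
            outcome["tampered_rejected"] = True

        # A missing dependency is reported before anything is executed.
        (bin_dir / "autorunsc.exe").unlink()
        try:
            check_bin_folder(bin_dir)
            outcome["missing_rejected"] = False
        except FileNotFoundError:
            outcome["missing_rejected"] = True

    # Stand-in for running autorunsc.exe: the current interpreter printing one line.
    rc, out = run_tool(sys.executable, ["-c", "print('constructed tool output')"])
    outcome["tool_rc"] = rc
    outcome["tool_output"] = out.strip()
    return outcome


if __name__ == "__main__":
    print(selfcheck_demo())
```

In a real deployment the pinned hashes would be recorded once from binaries fetched over HTTPS from the vendor and kept out of the user-writable `bin` folder; on Windows, checking the Authenticode signature of each tool would be the stronger complement to a hash pin.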