Version 2.4.1 — October 2025
Collaborative Memory Forensics and Threat Intelligence Platform
- Quick Start
- Concepts
- Login
- Plugins
- Upload Dump
- Executing Plugins
- Task Monitoring (Dask)
- Searching
- Comparing Plugin Results
- Sharing Dumps
- Bookmarks
- Export to MISP
- Deleting Dumps
- YARA
- HEX Viewer
Get up and running with Orochi in minutes.
- Start the stack: `docker-compose up -d`
- Access the interface at https://localhost
- Register a new account via the Sign Up page.
- Confirm your email using Mailpit (http://localhost:8025).
- Upload your first memory dump.
- Run Volatility plugins and view results.
- (Optional) Export findings to MISP.
💡 Tip: Use a color label when uploading dumps — it helps distinguish results when comparing multiple memory images.
Orochi is an open-source, collaborative GUI built on Django for the Volatility 3 memory forensics framework.
It enables distributed, high-speed analysis of memory dumps and team-based investigation workflows.
- Django (WSGI) – Handles regular web requests and REST APIs.
- Django (ASGI) – Manages real-time WebSocket notifications and updates.
- Dask – Distributes workload across multiple worker nodes for concurrent plugin execution.
- Nginx – Serves as the reverse proxy and HTTPS frontend.
Orochi combines these components to offer a scalable and responsive analysis environment.
Access the Orochi GUI via Nginx. If you’re running Docker locally, open:
- Go to the Sign Up page to create a new user.
- Confirm your email via Mailpit (http://localhost:8025).
- Log in with your new credentials.
🧩 Troubleshooting: If you don’t receive the confirmation email, open Mailpit directly and check the inbox.
Plugins are Volatility 3 modules that Orochi executes to extract forensic artifacts such as process lists, DLLs, and network connections.
Each user can select which plugins run automatically after uploading a dump.
If none are selected, plugins can be executed manually later.
⚙️ Note: Orochi supports both built-in and custom Volatility plugins added by administrators.
To upload a memory dump:
- Click the ➕ button near DUMPS.
- Choose your file and set the name and operating system.
- (Optional) Select a color label to distinguish multiple dumps.
- Wait for the upload to finish, then click Create Index.
- Raw (`.raw`, `.mem`) and zipped (`.zip`) dumps
- Password-protected ZIP files
- VMware snapshots (`.vmem` + `.vmss`) in a single ZIP
Large memory dumps can also be placed manually in /media/uploads and selected via the Local folder dropdown or a management command.
After upload, press the ℹ️ icon near the dump name to view details such as hash values, file size, and storage path.
After selecting a dump, a list of available plugins is displayed.
You can:
- ✅ View results for auto-executed plugins.
- ▶️ Run a plugin manually.
- 🔁 Re-run a plugin with custom parameters (e.g., `--dump` or `--strings`).
WebSocket notifications provide real-time updates on plugin execution status.
If a plugin fails, an error log icon will appear.
Plugins run concurrently across Dask workers for fast parallel processing.
By default, the Docker Compose setup creates two workers locally. For production, connect remote workers to the same Dask scheduler.
To monitor tasks:
- Click the Admin icon in the navigation bar.
- Select Dask Status from the dropdown.
💡 Tip: Use the dashboard to monitor job progress and worker performance.
Perform full-text searches through plugin results using the integrated DataTable view.
Search works across multiple dumps if more than one is selected.
🔍 Tip: Use this to correlate artifacts across different memory captures.
When two dumps are selected, choose a common plugin to compare their results side by side.
Colors help identify results per dump, and a JSON diff highlights differences.
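To illustrate what such a comparison computes, here is an added example (not Orochi's own code) that diffs the JSON output of one plugin run against two dumps: rows present only in one dump and rows present in both whose remaining columns differ. It assumes a process is identified by the (PID, PPID, ImageFileName) triple; the two result sets are constructed, not captured from real dumps.

```python
"""Diff one Volatility plugin's results (here a pslist-style table) across two
memory dumps. Added example, not part of Orochi; sample rows are constructed."""
import json

# Constructed pslist-style output for dump A and dump B (same plugin, two captures).
DUMP_A = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "Threads": 120},
    {"PID": 612, "PPID": 4, "ImageFileName": "smss.exe", "Threads": 2},
    {"PID": 1088, "PPID": 700, "ImageFileName": "svchost.exe", "Threads": 14},
])
DUMP_B = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "Threads": 124},
    {"PID": 1088, "PPID": 700, "ImageFileName": "svchost.exe", "Threads": 14},
    {"PID": 3312, "PPID": 1088, "ImageFileName": "powershell.exe", "Threads": 9},
])

# Assumption: these columns identify "the same process" across two captures.
KEY_FIELDS = ("PID", "PPID", "ImageFileName")


def row_key(row):
    return tuple(row[f] for f in KEY_FIELDS)


def diff_plugin_results(json_a, json_b):
    """Return rows only in A, rows only in B, and per-key column changes for shared rows."""
    rows_a = {row_key(r): r for r in json.loads(json_a)}
    rows_b = {row_key(r): r for r in json.loads(json_b)}
    only_a = sorted((rows_a[k] for k in rows_a.keys() - rows_b.keys()), key=lambda r: r["PID"])
    only_b = sorted((rows_b[k] for k in rows_b.keys() - rows_a.keys()), key=lambda r: r["PID"])
    changed = {}
    for k in rows_a.keys() & rows_b.keys():
        # Compare every non-key column; record (old, new) pairs that differ.
        delta = {f: (rows_a[k][f], rows_b[k].get(f))
                 for f in rows_a[k] if f not in KEY_FIELDS and rows_a[k][f] != rows_b[k].get(f)}
        if delta:
            changed[k] = delta
    return {"only_in_a": only_a, "only_in_b": only_b, "changed": changed}


if __name__ == "__main__":
    result = diff_plugin_results(DUMP_A, DUMP_B)
    for r in result["only_in_a"]:
        print("only in A:", r["PID"], r["ImageFileName"])
    for r in result["only_in_b"]:
        print("only in B:", r["PID"], r["ImageFileName"])
    for key, delta in result["changed"].items():
        print("changed:", key, delta)
```

A process that appears only in the second capture (here the constructed powershell.exe child of svchost.exe) is exactly the kind of difference the side-by-side view is meant to surface.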
You can share dumps and their results between users.
- The uploader becomes the owner.
- Shared users can:
- View dumps and plugin results
- Run or re-run plugins
- ❌ Cannot delete dumps
| Action | Owner | Shared User |
|---|---|---|
| View dump | ✅ | ✅ |
| Run plugin | ✅ | ✅ |
| Delete dump | ✅ | ❌ |
🤝 Collaboration Tip: Shared dumps enable multi-user investigation on the same evidence set.
Bookmarks let you quickly return to specific filtered results.
- While viewing a result, click the Bookmark icon.
- Assign a name, choose an icon (from MTG sets), and optionally star it for quick access.
Starred bookmarks appear in the quick-access menu. Non-starred ones are accessible under Bookmarks in the admin panel.
💡 Tip: Bookmarks can reference queries across multiple dumps.
Orochi integrates with MISP for exporting forensic data as structured intelligence.
You can export single items directly.
Exported files and AV signatures appear as related MISP objects.
🔗 Note: Ensure MISP API credentials are configured before exporting.
Deleting a dump removes it and all associated plugin results permanently.
⚠️ Warning: This action cannot be undone.
Orochi provides a dedicated interface for managing YARA rules used by Volatility plugins.
You can:
- View rules imported and enabled by the admin.
- Perform full-text search through PostgreSQL integration.
- Build compiled YARA files for Volatility.
- Choose whether compiled files are private or public.
- Search for rules containing “credential”.
- Select relevant ones.
- Build a compiled YARA file.
- Run the Volatility YARA plugin using that file.
🧠 Tip: Only the compiled file marked default is used by the Volatility YARA plugin.
Orochi includes a remote HEX viewer for browsing dumps directly in the browser.
You can:
- Browse through offsets.
- Jump to a specific address.
- Search for ASCII or hexadecimal values.
- View both hex and ASCII representations.
⚡ Performance Tip: Large dumps may take several seconds to load depending on size and system resources.
- Application: Orochi v2.4.1
- Frameworks: Django, Dask, Volatility 3
- License: MIT
- Repository: https://github.com/LDO-CERT/orochi
© 2025 LDO-CERT — Collaborative Memory Forensics Platform