Chainsaw GUI is a Rust-based graphical user interface for the Chainsaw CLI tool. Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows forensic artefacts such as Event Logs and the MFT file. The GUI allows users to load multiple CSV files generated by Chainsaw, aggregate the events, and visualize correlations among the events.
- Load multiple CSV files generated by Chainsaw.
- Aggregate and visualize event correlations.
- Display events and their correlations in a user-friendly graphical interface.
-
Clone the repository:
git clone https://github.com/yourusername/chainsaw-gui.git cd chainsaw-gui -
Build the project:
Ensure you have Rust and Cargo installed. You can install Rust using rustup.
cargo build --release
-
Run the application:
cargo run --release
-
Start the Application:
cargo run --release
-
Load CSV Files:
- Enter the paths to your CSV files in the "CSV File Paths" field, separated by commas.
- Click "Load CSVs" to load and aggregate the events from all specified files.
-
Visualize Correlations:
- The events will be displayed in the GUI.
- Correlations among the events will be visualized in a DOT format graph.
Here are some example CSV file formats that can be loaded into the GUI:
timestamp,detections,path,Event ID,Record ID,Computer,User,User SID,Member SID
2024-05-08T13:37:40.212866+00:00,User Added to Local Group,.\Logs\Security.evtx,4732,27,WIN-TE9IBT94OK1,IIS_IUSRS,,S-1-5-17
2024-05-08T13:37:40.214274+00:00,User Added to Global Group,.\Logs\Security.evtx,4728,32,WIN-TE9IBT94OK1,Aucun,,S-1-5-21-3302358702-4196171199-1625754011-504
timestamp,detections,path,Event ID,Channel,Computer,Information
2024-05-08T13:40:34.610299+00:00,User Profile Disk - Registry file loaded,.\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx,5,Microsoft-Windows-User Profile Service/Operational,DESKTOP-289L8K5,C:\Users\John Doe\ntuser.dat
2024-05-08T13:40:34.661988+00:00,User Profile Disk - Registry file loaded,.\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx,5,Microsoft-Windows-User Profile Service/Operational,DESKTOP-289L8K5,C:\Users\John Doe\AppData\Local\Microsoft\Windows\\UsrClass.dat
timestamp,detections,path,Event ID,Record ID,Computer,Service Name,Service File Name,Service Type,Service Start Type,Service Account
2024-05-08T13:37:50.758714+00:00,Suspicious Paths Service Installation,.\Logs\System.evtx,7045,52,WIN-TE9IBT94OK1,Intel(R) PRO/1000 PCI Express Network Connection Driver I,\SystemRoot\System32\drivers\e1i65x64.sys,pilote en mode noyau,Démarrage à la demande,
2024-05-08T13:37:50.868233+00:00,Suspicious Paths Service Installation,.\Logs\System.evtx,7045,53,WIN-TE9IBT94OK1,Périphérique Bluetooth (réseau personnel),\SystemRoot\System32\drivers\bthpan.sys,pilote en mode noyau,Démarrage à la demande,
- Thanks to WithSecureLabs for developing Chainsaw.