Orochi User Guide
October 19, 2025 Β· View on GitHub
Version 2.4.1 β October 2025
Collaborative Memory Forensics and Threat Intelligence Platform
Table of Contents
- Quick Start
- Concepts
- Login
- Plugins
- Upload Dump
- Executing Plugins
- Task Monitoring (Dask)
- Searching
- Comparing Plugin Results
- Sharing Dumps
- Bookmarks
- Export to MISP
- Deleting Dumps
- YARA
- HEX Viewer
Quick Start
Get up and running with Orochi in minutes.
- Start the stack:
docker-compose up -d - Access the interface at https://localhost
- Register a new account via the Sign Up page.
- Confirm your email using Mailpit (
http://localhost:8025). - Upload your first memory dump.
- Run Volatility plugins and view results.
- (Optional) Export findings to MISP.
π‘ Tip: Use a color label when uploading dumps β it helps distinguish results when comparing multiple memory images.
Concepts
Orochi is an open-source, collaborative GUI built on Django for the Volatility 3 memory forensics framework.
It enables distributed, high-speed analysis of memory dumps and team-based investigation workflows.
Architecture Overview
- Django (WSGI) β Handles regular web requests and REST APIs.
- Django (ASGI) β Manages real-time WebSocket notifications and updates.
- Dask β Distributes workload across multiple worker nodes for concurrent plugin execution.
- Nginx β Serves as the reverse proxy and HTTPS frontend.
Orochi combines these components to offer a scalable and responsive analysis environment.
Login
Access the Orochi GUI via Nginx. If youβre running Docker locally, open:
π https://localhost
- Go to the Sign Up page to create a new user.
- Confirm your email via Mailpit (
http://localhost:8025). - Log in with your new credentials.

π§© Troubleshooting: If you donβt receive the confirmation email, open Mailpit directly and check the inbox.
Plugins
Plugins are Volatility 3 modules that Orochi executes to extract forensic artifacts such as process lists, DLLs, and network connections.
Each user can select which plugins run automatically after uploading a dump.
If none are selected, plugins can be executed manually later.

βοΈ Note: Orochi supports both built-in and custom Volatility plugins added by administrators.
Upload Dump
To upload a memory dump:
- Click the β button near DUMPS.
- Choose your file and set the name and operating system.
- (Optional) Select a color label to distinguish multiple dumps.
- Wait for the upload to finish, then click Create Index.

Supported Formats
- Raw (
.raw,.mem) and zipped (.zip) dumps - Password-protected ZIP files
- VMware snapshots (
.vmem+.vmss) in a single ZIP
Large memory dumps can also be placed manually in /media/uploads and selected via the Local folder dropdown or a management command.

After upload, press the βΉοΈ icon near the dump name to view details such as hash values, file size, and storage path.

Executing Plugins
After selecting a dump, a list of available plugins is displayed.
You can:
- β View results for auto-executed plugins.
- βΆοΈ Run a plugin manually.
- π Re-run a plugin with custom parameters (e.g.,
--dumpor--strings).
WebSocket notifications provide real-time updates on plugin execution status.

If a plugin fails, an error log icon will appear.

Task Monitoring (Dask)
Plugins run concurrently across Dask workers for fast parallel processing.
By default, the Docker Compose setup creates two workers locally. For production, connect remote workers to the same Dask scheduler.
To monitor tasks:
- Click the Admin icon in the navigation bar.
- Select Dask Status from the dropdown.

π‘ Tip: Use the dashboard to monitor job progress and worker performance.
Searching
Perform full-text searches through plugin results using the integrated DataTable view.
Search works across multiple dumps if more than one is selected.

π Tip: Use this to correlate artifacts across different memory captures.
Comparing Plugin Results
When two dumps are selected, choose a common plugin to compare their results side by side.
Colors help identify results per dump, and a JSON diff highlights differences.

Sharing Dumps
You can share dumps and their results between users.
- The uploader becomes the owner.
- Shared users can:
- View dumps and plugin results
- Run or re-run plugins
- β Cannot delete dumps
| Action | Owner | Shared User |
|---|---|---|
| View dump | β | β |
| Run plugin | β | β |
| Delete dump | β | β |

π€ Collaboration Tip: Shared dumps enable multi-user investigation on the same evidence set.
Bookmarks
Bookmarks let you quickly return to specific filtered results.
- While viewing a result, click the Bookmark icon.
- Assign a name, choose an icon (from MTG sets), and optionally star it for quick access.

Starred bookmarks appear in the quick-access menu. Non-starred ones are accessible under Bookmarks in the admin panel.
π‘ Tip: Bookmarks can reference queries across multiple dumps.
Export to MISP
Orochi integrates with MISP for exporting forensic data as structured intelligence.
You can export single items directly.

Result in MISP
Exported files and AV signatures appear as related MISP objects.

π Note: Ensure MISP API credentials are configured before exporting.
Deleting Dumps
Deleting a dump removes it and all associated plugin results permanently.

β οΈ Warning: This action cannot be undone.
YARA
Orochi provides a dedicated interface for managing YARA rules used by Volatility plugins.

You can:
- View rules imported and enabled by the admin.
- Perform full-text search through PostgreSQL integration.
- Build compiled YARA files for Volatility.
- Choose whether compiled files are private or public.

Example Workflow
- Search for rules containing βcredentialβ.
- Select relevant ones.
- Build a compiled YARA file.
- Run the Volatility
yaraplugin using that file.

π§ Tip: Only the compiled file marked default is used by the Volatility YARA plugin.
HEX Viewer
Orochi includes a remote HEX viewer for browsing dumps directly in the browser.

You can:
- Browse through offsets.
- Jump to a specific address.
- Search for ASCII or hexadecimal values.
- View both hex and ASCII representations.
β‘ Performance Tip: Large dumps may take several seconds to load depending on size and system resources.
Version Information
- Application: Orochi v2.4.1
- Frameworks: Django, Dask, Volatility 3
- License: MIT
- Repository: https://github.com/LDO-CERT/orochi
Β© 2025 LDO-CERT β Collaborative Memory Forensics Platform