Spaces:

CrypticallyRequie
/

cloud-forensics-agent-demo

Runtime error

App Files Files Community

cloud-forensics-agent-demo / app.py

CrypticallyRequie

Rename app (1).py to app.py

bba8a6d verified 8 months ago

raw

history blame contribute delete

16.1 kB

	import gradio as gr
	import os
	import json
	import datetime
	import pandas as pd
	import matplotlib.pyplot as plt
	import seaborn as sns
	import yaml
	import uuid
	import tempfile
	import shutil

	# Demo configuration
	DEMO_CASE_ID = f"DEMO-{uuid.uuid4().hex[:8]}"
	DEMO_OUTPUT_DIR = "demo_output"
	DEMO_EVIDENCE_DIR = os.path.join(DEMO_OUTPUT_DIR, "evidence")
	DEMO_ANALYSIS_DIR = os.path.join(DEMO_OUTPUT_DIR, "analysis")
	DEMO_REPORT_DIR = os.path.join(DEMO_OUTPUT_DIR, "reports")

	# Create directories if they don't exist
	os.makedirs(DEMO_EVIDENCE_DIR, exist_ok=True)
	os.makedirs(DEMO_ANALYSIS_DIR, exist_ok=True)
	os.makedirs(DEMO_REPORT_DIR, exist_ok=True)

	# Cloud provider connection functions
	def test_aws_connection(access_key, secret_key, region):
	"""Test connection to AWS"""
	try:
	import boto3
	session = boto3.Session(
	aws_access_key_id=access_key,
	aws_secret_access_key=secret_key,
	region_name=region
	)
	sts = session.client('sts')
	identity = sts.get_caller_identity()
	return True, f"Successfully connected to AWS as {identity['Arn']}"
	except Exception as e:
	return False, f"Failed to connect to AWS: {str(e)}"

	def test_azure_connection(tenant_id, client_id, client_secret):
	"""Test connection to Azure"""
	try:
	from azure.identity import ClientSecretCredential
	from azure.mgmt.resource import ResourceManagementClient

	credential = ClientSecretCredential(
	tenant_id=tenant_id,
	client_id=client_id,
	client_secret=client_secret
	)

	# Create a resource management client
	resource_client = ResourceManagementClient(credential, subscription_id)

	# List resource groups to test the connection
	resource_groups = list(resource_client.resource_groups.list())
	return True, f"Successfully connected to Azure. Found {len(resource_groups)} resource groups."
	except Exception as e:
	return False, f"Failed to connect to Azure: {str(e)}"

	def test_gcp_connection(service_account_json):
	"""Test connection to GCP"""
	try:
	import json
	from google.oauth2 import service_account
	from google.cloud import storage

	# Create a temporary file to store the service account JSON
	fd, path = tempfile.mkstemp()
	try:
	with os.fdopen(fd, 'w') as tmp:
	tmp.write(service_account_json)

	# Create credentials from the service account file
	credentials = service_account.Credentials.from_service_account_file(path)

	# Create a storage client to test the connection
	storage_client = storage.Client(credentials=credentials)

	# List buckets to test the connection
	buckets = list(storage_client.list_buckets())
	return True, f"Successfully connected to GCP. Found {len(buckets)} storage buckets."
	finally:
	os.remove(path)
	except Exception as e:
	return False, f"Failed to connect to GCP: {str(e)}"

	# Sample data for demonstration
	def generate_sample_data(case_info, cloud_provider, incident_type, use_real_data=False, credentials=None):
	"""Generate sample data for demonstration purposes or collect real data if credentials provided"""

	if use_real_data and credentials:
	# This would be where we implement real data collection using the provided credentials
	# For now, we'll return a message indicating this would use real data
	return {
	"timeline": [],
	"patterns": [],
	"anomalies": [],
	"files": {},
	"message": "In a production deployment, this would collect real data from your cloud provider."
	}

	# Create sample timeline data
	timeline_data = []
	base_time = datetime.datetime.now() - datetime.timedelta(days=1)

	# Different events based on incident type
	if incident_type == "Unauthorized Access":
	events = [
	{"event": "Failed login attempt", "source": "Authentication Logs", "severity": "Low"},
	{"event": "Successful login from unusual IP", "source": "Authentication Logs", "severity": "Medium"},
	{"event": "User privilege escalation", "source": "IAM Logs", "severity": "High"},
	{"event": "Access to sensitive data", "source": "Data Access Logs", "severity": "High"},
	{"event": "Configuration change", "source": "Configuration Logs", "severity": "Medium"},
	{"event": "New API key created", "source": "IAM Logs", "severity": "High"},
	{"event": "Data download initiated", "source": "Data Access Logs", "severity": "Critical"},
	{"event": "Unusual network traffic", "source": "Network Logs", "severity": "Medium"}
	]
	elif incident_type == "Data Exfiltration":
	events = [
	{"event": "Large query executed", "source": "Database Logs", "severity": "Medium"},
	{"event": "Unusual data access pattern", "source": "Data Access Logs", "severity": "Medium"},
	{"event": "Large data transfer initiated", "source": "Network Logs", "severity": "High"},
	{"event": "Connection to unknown external endpoint", "source": "Network Logs", "severity": "High"},
	{"event": "Storage object permissions modified", "source": "Storage Logs", "severity": "Medium"},
	{"event": "Unusual user behavior", "source": "User Activity Logs", "severity": "Medium"},
	{"event": "Data archive created", "source": "Storage Logs", "severity": "Medium"},
	{"event": "Unusual egress traffic spike", "source": "Network Logs", "severity": "Critical"}
	]
	else: # Ransomware
	events = [
	{"event": "Unusual process execution", "source": "System Logs", "severity": "Medium"},
	{"event": "Multiple file modifications", "source": "File System Logs", "severity": "High"},
	{"event": "Encryption library loaded", "source": "System Logs", "severity": "High"},
	{"event": "Mass file type changes", "source": "Storage Logs", "severity": "Critical"},
	{"event": "Backup deletion attempt", "source": "Backup Logs", "severity": "Critical"},
	{"event": "Unusual IAM activity", "source": "IAM Logs", "severity": "Medium"},
	{"event": "Recovery service disabled", "source": "System Logs", "severity": "High"},
	{"event": "Ransom note created", "source": "File System Logs", "severity": "Critical"}
	]

	# Create timeline with timestamps
	for i, event in enumerate(events):
	event_time = base_time + datetime.timedelta(minutes=i*15)
	timeline_data.append({
	"timestamp": event_time.isoformat(),
	"event": event["event"],
	"source": event["source"],
	"cloud_provider": cloud_provider,
	"severity": event["severity"],
	"case_id": case_info["case_id"]
	})

	# Create patterns data
	patterns = []
	if incident_type == "Unauthorized Access":
	patterns = [
	{"pattern": "Brute Force Login Attempt", "confidence": 0.85, "matched_events": 3},
	{"pattern": "Privilege Escalation", "confidence": 0.92, "matched_events": 2}
	]
	elif incident_type == "Data Exfiltration":
	patterns = [
	{"pattern": "Data Staging Activity", "confidence": 0.88, "matched_events": 3},
	{"pattern": "Exfiltration Over Alternative Protocol", "confidence": 0.76, "matched_events": 2}
	]
	else: # Ransomware
	patterns = [
	{"pattern": "Mass File Encryption", "confidence": 0.94, "matched_events": 4},
	{"pattern": "Defense Evasion", "confidence": 0.81, "matched_events": 3}
	]

	# Create anomalies data
	anomalies = []
	if incident_type == "Unauthorized Access":
	anomalies = [
	{"anomaly": "Login from unusual location", "deviation": 3.6, "severity": "High"},
	{"anomaly": "Off-hours access", "deviation": 2.8, "severity": "Medium"}
	]
	elif incident_type == "Data Exfiltration":
	anomalies = [
	{"anomaly": "Unusual data access volume", "deviation": 4.2, "severity": "High"},
	{"anomaly": "Abnormal query pattern", "deviation": 3.1, "severity": "Medium"}
	]
	else: # Ransomware
	anomalies = [
	{"anomaly": "Unusual file system activity", "deviation": 4.7, "severity": "Critical"},
	{"anomaly": "Suspicious process behavior", "deviation": 3.9, "severity": "High"}
	]

	# Save data to files
	timeline_file = os.path.join(DEMO_EVIDENCE_DIR, f"{DEMO_CASE_ID}_timeline.json")
	patterns_file = os.path.join(DEMO_ANALYSIS_DIR, f"{DEMO_CASE_ID}_patterns.json")
	anomalies_file = os.path.join(DEMO_ANALYSIS_DIR, f"{DEMO_CASE_ID}_anomalies.json")

	with open(timeline_file, 'w') as f:
	json.dump(timeline_data, f, indent=2)

	with open(patterns_file, 'w') as f:
	json.dump(patterns, f, indent=2)

	with open(anomalies_file, 'w') as f:
	json.dump(anomalies, f, indent=2)

	return {
	"timeline": timeline_data,
	"patterns": patterns,
	"anomalies": anomalies,
	"files": {
	"timeline": timeline_file,
	"patterns": patterns_file,
	"anomalies": anomalies_file
	}
	}

	def analyze_evidence(data):
	"""Perform analysis on the evidence data"""

	# If there's no timeline data, return empty results
	if not data["timeline"]:
	return {
	"severity_counts": {},
	"source_counts": {},
	"charts": {
	"analysis": None,
	"timeline": None
	}
	}

	# Convert timeline to DataFrame for analysis
	timeline_df = pd.DataFrame(data["timeline"])
	timeline_df["timestamp"] = pd.to_datetime(timeline_df["timestamp"])

	# Sort by timestamp
	timeline_df = timeline_df.sort_values("timestamp")

	# Count events by severity
	severity_counts = timeline_df["severity"].value_counts()

	# Count events by source
	source_counts = timeline_df["source"].value_counts()

	# Create visualizations
	fig, (ax1, ax2) = plt.subplots(1, 2, figsize=(12, 5))

	# Severity pie chart
	ax1.pie(severity_counts, labels=severity_counts.index, autopct='%1.1f%%',
	colors=sns.color_palette("YlOrRd", len(severity_counts)))
	ax1.set_title("Events by Severity")

	# Source bar chart
	sns.barplot(x=source_counts.values, y=source_counts.index, ax=ax2, palette="viridis")
	ax2.set_title("Events by Source")
	ax2.set_xlabel("Count")

	# Save the figure
	chart_file = os.path.join(DEMO_ANALYSIS_DIR, f"{DEMO_CASE_ID}_analysis_charts.png")
	plt.tight_layout()
	plt.savefig(chart_file)
	plt.close()

	# Create a timeline visualization
	plt.figure(figsize=(12, 6))

	# Create a categorical y-axis based on source
	sources = timeline_df["source"].unique()
	source_map = {source: i for i, source in enumerate(sources)}
	timeline_df["source_num"] = timeline_df["source"].map(source_map)

	# Map severity to color
	severity_colors = {
	"Low": "green",
	"Medium": "blue",
	"High": "orange",
	"Critical": "red"
	}
	colors = timeline_df["severity"].map(severity_colors)

	# Plot the timeline
	plt.scatter(timeline_df["timestamp"], timeline_df["source_num"], c=colors, s=100)

	# Add event labels
	for i, row in timeline_df.iterrows():
	plt.text(row["timestamp"], row["source_num"], row["event"],
	fontsize=8, ha="right", va="bottom", rotation=25)

	plt.yticks(range(len(sources)), sources)
	plt.xlabel("Time")
	plt.ylabel("Event Source")
	plt.title("Incident Timeline")

	# Save the timeline
	timeline_chart = os.path.join(DEMO_ANALYSIS_DIR, f"{DEMO_CASE_ID}_timeline_chart.png")
	plt.tight_layout()
	plt.savefig(timeline_chart)
	plt.close()

	return {
	"severity_counts": severity_counts.to_dict(),
	"source_counts": source_counts.to_dict(),
	"charts": {
	"analysis": chart_file,
	"timeline": timeline_chart
	}
	}

	def generate_report(case_info, data, analysis, report_format):
	"""Generate a report based on the analysis"""

	# Create report content
	report = {
	"case_information": case_info,
	"executive_summary": f"This report presents the findings of a forensic investigation into a {case_info['incident_type']} incident in {case_info['cloud_provider']} cloud environment.",
	"timeline": data["timeline"],
	"patterns_detected": data["patterns"],
	"anomalies_detected": data["anomalies"],
	"analysis_results": {
	"severity_distribution": analysis.get("severity_counts", {}),
	"source_distribution": analysis.get("source_counts", {})
	},
	"recommendations": [
	"Implement multi-factor authentication for all privileged accounts",
	"Review and restrict IAM permissions following principle of least privilege",
	"Enable comprehensive logging across all cloud services",
	"Implement automated alerting for suspicious activities",
	"Conduct regular security assessments of cloud environments"
	]
	}

	# Save report in requested format
	if report_format == "JSON":
	report_file = os.path.join(DEMO_REPORT_DIR, f"{DEMO_CASE_ID}_report.json")
	with open(report_file, 'w') as f:
	json.dump(report, f, indent=2)
	else: # HTML
	# Create a simple HTML report
	html_content = f"""
	<!DOCTYPE html>
	<html>
	<head>
	<title>Forensic Analysis Report - {case_info['case_id']}</title>
	<style>
	body {{ font-family: Arial, sans-serif; margin: 40px; }}
	h1, h2, h3 {{ color: #2c3e50; }}
	.section {{ margin-bottom: 30px; }}
	.severity-high {{ color: #e74c3c; }}
	.severity-medium {{ color: #f39c12; }}
	.severity-low {{ color: #27ae60; }}
	table {{ border-collapse: collapse; width: 100%; }}
	th, td {{ border: 1px solid #ddd; padding: 8px; text-align: left; }}
	th {{ background-color: #f2f2f2; }}
	tr:nth-child(even) {{ background-color: #f9f9f9; }}
	.chart-container {{ display: flex; justify-content: center; margin: 20px 0; }}
	.chart {{ max-width: 100%; height: auto; margin: 10px; }}
	.message {{ background-color: #f8f9fa; padding: 15px; border-left: 5px solid #4e73df; margin-bottom: 20px; }}
	</style>
	</head>
	<body>
	<h1>Cloud Forensics Analysis Report</h1>

	<div class="section">
	<h2>Case Information</h2>
	<p><strong>Case ID:</strong> {case_info['case_id']}</p>
	<p><strong>Investigator:</strong> {case_info['investigator']}</p>
	<p><strong>Organization:</strong> {case_info['organization']}</p>
	<p><strong>Cloud Provider:</strong> {case_info['cloud_provider']}</p>
	<p><strong>Incident Type:</strong> {case_info['incident_type']}</p>
	<p><strong>Report Date:</strong> {datetime.datetime.now().strftime('%Y-%m-%d')}</p>
	</div>

	<div class="section">
	<h2>Executive Summary</h2>
	<p>{report['executive_summary']}</p>
	"""

	# Add message if using real data
	if "message" in data:
	html_content += f"""
	<div class="mes
	(Content truncated due to size limit. Use line ranges to read in chunks)