I started building the database several years ago using MS Access. Access is easy to set up (initially), portable, works almost anywhere. This is what I used for several years across several different companies. I stored basic analysis details, built a switchboard for searches, had a tabbed entry page for different details of analysis, etc.
But as the information I wanted to store became more complex (many-to-many relationships in Access are painful!) the interface and the query design started to break down.
I started thinking that I needed to design a real database, but balked at designing a front-end that would be usable without months (or years!) of design and programming - after all, this was a project done on my own time or while I was between projects at work.
Then, a co-worker asked if I had ever used Django. Short answer was no, but I liked Python and so looked into what Django was and what it had to offer. Almost like an answer to all my database design needs - semi-automatic database implementation, built-in web front end, even the site title (The web framework for perfectionists with deadlines) seemed designed for exactly what I needed.
Now, we all know that nothing is that easy. But after working through the tutorials and putting some thought into what the database should look like, I had a working model. Then came the hard part - customizing exactly what I wanted and changing looks and feels to make me happy.
The default Django admin worked pretty well for the basic data entry pages:
And then I decided to get a little fancy and add in some graphs to show statistics about the malware world I had analyzed.
I also added details to turn this into a forensics case management tool -- details about machines, disk images, and memory images and the case (or engagement) that ties them all together:
This is (and probably always will be!) a work in progress. Now that I have the database semi-stable, I am working to add integration with automated tools like mastiff.py so I can pull the information from the mastiff database into my database instead of manually copying the data, plus reporting - easily pulling the information into something that I can turn into a nice report without too much editing. Of course, the report will only be as good as the data I put into the summary and analysis parts! But - with the Django pieces in place - searching by any field is easy, showing statistical information is done, and best of all - it's an interface that some day I might be able to use across my team so we all put data into a central repository that can be used for quicker analysis in future projects.