Mig - Distributed In Addition To Existent Fourth Dimension Digital Forensics At The Speed Of The Cloud
MIG is Mozilla's platform for investigative surgery of remote endpoints.
Quick Start w/ Docker
You tin spin upwards a local-only MIG setup using docker. The container is non suitable for production purpose but lets you lot experiment amongst MIG quickly, providing a unmarried container environs that has virtually of the MIG components available.
To describe from Docker Hub:
$ docker describe mozilla/mig $ docker run -it mozilla/mig
$ cd $GOPATH/src/github.com/mozilla/mig $ docker construct -t mozilla/mig:latest . $ docker run -it mozilla/mig
mig@5345268590c8: $ /go/bin/mig file -t all -path /usr/bin -sha2 5c1956eba492b2c3fffd8d3e43324b5c477c22727385be226119f7ffc24aad3f 1 agents volition live targeted. ctrl+c to cancel. launching inward five iv three 2 1 GO Following activity ID 7978299359234. 1 / 1 [=========================================================] 100.00% 0/s4s 100.0% done inward 3.029105958s 1 sent, 1 done, 1 succeeded ed11f485244a /usr/bin/wget [lastmodified:2016-07-05 15:32:42 +0000 UTC, mode:-rwxr-xr-x, size:419080] inward search 's1' 1 agent has constitute results
What is this?
MIG is composed of agents installed on all systems of an infrastructure that are live queried inward real-time to investigate the file-systems, network state, retentivity or configuration of endpoints.
Capability | Linux | MacOS | Windows |
---|---|---|---|
file inspection | yes | yes | yes |
network inspection | yes | yes | (partial) |
memory inspection | yes | yes | yes |
vuln management | yes | (planned) | (planned) |
log analysis | (planned) | (planned) | (planned) |
system auditing | yes | (planned) | (planned) |
MIG tin help. The signature of the vulnerable PHP app (the md5 of a file, a regex, or only a filename) tin live searched for across all your systems using the
file
module. Similarly, IOCs such equally specific log entries, backdoor files amongst md5 too sha1/2/3 hashes, IP addresses from botnets or byte strings inward processes memories tin live investigated using MIG. Suddenly, your weekend is looking a lot better. And amongst only a few commands, thousands of systems volition live remotely investigated to verify that you're non at risk.MIG agents are designed to live lightweight, secure, too tardily to deploy too then you lot tin inquire your favorite sysadmins to add together it to a base of operations deployment without fearfulness of breaking the entire production network. All parameters are built into the agent at compile time, including the listing too ACLs of authorized investigators. Security is enforced using PGP keys, too fifty-fifty if MIG's servers are compromised, equally long equally our keys are rubber on your investigator's laptop, no i volition interruption into the agents.
MIG is designed to live fast, too asynchronous. It uses AMQP to distribute actions to endpoints, too relies on Go channels to forestall components from blocking. Running actions too commands are stored inward a Postgresql database too on disk cache, such that the reliability of the platform doesn't depend on long-running processes.
Speed is a potent requirement. Most actions volition solely accept a few hundreds milliseconds to run on agents. Larger ones, for illustration when looking for a hash inward a large directory, should run inward less than a infinitesimal or two. All inward all, an investigation commonly completes inward betwixt 10 too 300 seconds.
Privacy too safety are paramount. Agents never post raw information dorsum to the platform, but solely respond to questions instead. All actions are signed yesteryear GPG keys that are non stored inward the platform, hence preventing a compromise from taking over the entire infrastructure.
Technology
MIG is built inward Go too uses a REST API that receives signed JSON messages distributed to agents via RabbitMQ too stored inward a Postgres database.
It is:
- Massively Distributed way Fast.
- Simple to deploy too Cross-Platform.
- Secured using OpenPGP.
- Respectful of privacy yesteryear never retrieving raw information from endpoints.
MIG was of late presented at the SANS DFIR Summit inward Austin, Tx. You tin scout the recording below:
Discussion
Join #mig on irc.mozilla.org (use a spider web customer such equally mibbit).
Documentation
All documentation is available inward the 'doc' directory too on http://mig.mozilla.org .