Distributed & real time digital forensics at the speed of the cloud
Перейти к файлу
Aaron Meihm 3aad9a413e [doc] note on configuring requisite manifest signatures 2016-05-17 16:06:34 -05:00
actions [doc] update integration_tests action 2016-05-09 13:39:55 -04:00
client [minor] return 201 created on manifest create 2016-05-17 16:06:34 -05:00
conf [medium] introduce periodic agent environment refresh 2016-04-18 23:04:50 -05:00
database [minor] show loader enabled status in search 2016-04-25 13:56:25 -05:00
doc [doc] note on configuring requisite manifest signatures 2016-05-17 16:06:34 -05:00
mig-agent [medium/bug] fix windows agent environment with wmic call instead of the long and translated systeminfo 2016-05-02 08:42:02 +02:00
mig-api [minor] return 201 created on manifest create 2016-05-17 16:06:34 -05:00
mig-loader [minor/bug] don't exit if file does not exist on rename 2016-04-29 16:20:22 -05:00
mig-runner [medium] move compression apply into client package 2016-01-22 14:14:17 -06:00
mig-scheduler [minor] fix a few comment typos for detectMultiAgents 2016-04-20 16:47:47 -05:00
modules [minor] type in file's buildResults 2016-05-09 12:56:43 -04:00
pgp [minor] update numeric HTTP status codes to use values from net/http 2016-04-20 16:47:47 -05:00
runner-plugins [medium] unify hashes under sha2/sha3, fixes #155 2016-01-14 16:42:06 +05:30
testutil [doc] add newline after license header to ignore it in godoc 2015-08-27 10:41:13 -04:00
tools [medium] introduce periodic agent environment refresh 2016-04-18 23:04:50 -05:00
vendor [minor] revendor service-go 2016-05-02 17:01:48 -05:00
workers [minor] Remove old worker code and update documentation 2015-12-29 17:25:09 -06:00
.gitignore [minor] updated gitignore 2015-09-09 13:01:59 -04:00
.travis.yml [minor] add a scribe test to travis 2016-01-22 15:39:31 -06:00
AUTHORS [doc] contributing guidelines 2015-08-23 12:12:55 -04:00
CONTRIBUTING.md [doc] small update to contributor guidelines 2015-10-09 05:19:03 -04:00
LICENSE [medium] Makefile support 2014-02-03 10:42:36 -05:00
Makefile [minor] fixes to agent/loader packaging, primarily for lintian errors 2016-04-18 21:59:28 -05:00
README.md [doc] standalone install instructions in README 2016-05-13 15:58:58 -04:00
acl.go [doc] add newline after license header to ignore it in godoc 2015-08-27 10:41:13 -04:00
action.go [medium] move compression apply into client package 2016-01-22 14:14:17 -06:00
agent.go [medium] introduce periodic agent environment refresh 2016-04-18 23:04:50 -05:00
command.go [doc] add newline after license header to ignore it in godoc 2015-08-27 10:41:13 -04:00
constants.go [medium/bug] terminate scheduler when heartbeat to relays fails, fixes #146 2015-11-05 08:14:00 -05:00
investigator.go [medium] add new administrator privilege for investigators 2016-03-24 17:08:14 -05:00
loader.go [minor] improve validation of loader key on read 2016-04-25 16:44:17 -05:00
logging_posix.go [minor] add log file rotation for file output mode 2016-04-18 21:59:28 -05:00
logging_windows.go [minor/bug] fix to build windows agent 2016-04-22 17:43:43 +02:00
manifest.go [medium] add loader to update manifest 2016-04-28 12:54:05 -05:00
runner.go [minor] initial commit of mig-runner 2015-09-15 14:40:26 -05:00
version.go [doc] update version.go 2016-04-29 11:46:55 -04:00

README.md

MIG: Mozilla InvestiGator

Build Status

Build one-liner:

$ go get mig.ninja/mig && cd $GOPATH/src/mig.ninja/mig && make

MIG is OpSec's platform for investigative surgery of remote endpoints.

MIG is composed of agents installed on all systems of an infrastructure that are be queried in real-time to investigate the file-systems, network state, memory or configuration of endpoints.

Capability Linux MacOS Windows
file inspection check check check
network inspection check check (partial)
memory inspection check check check
vuln management check (planned) (planned)
log analysis (planned) (planned) (planned)
system auditing (planned) (planned) (planned)

Imagine it is 7am on a saturday morning, and someone just released a critical vulnerability for your favorite PHP application. The vuln is already exploited and security groups are releasing indicators of compromise (IOCs). Your weekend isn't starting great, and the thought of manually inspecting thousands of systems isn't making it any better.

MIG can help. The signature of the vulnerable PHP app (the md5 of a file, a regex, or just a filename) can be searched for across all your systems using the file module. Similarly, IOCs such as specific log entries, backdoor files with md5 and sha1/2/3 hashes, IP addresses from botnets or byte strings in processes memories can be investigated using MIG. Suddenly, your weekend is looking a lot better. And with just a few commands, thousands of systems will be remotely investigated to verify that you're not at risk.

MIG command line demo

MIG agents are designed to be lightweight, secure, and easy to deploy so you can ask your favorite sysadmins to add it to a base deployment without fear of breaking the entire production network. All parameters are built into the agent at compile time, including the list and ACLs of authorized investigators. Security is enforced using PGP keys, and even if MIG's servers are compromised, as long as our keys are safe on your investigator's laptop, no one will break into the agents.

MIG is designed to be fast, and asynchronous. It uses AMQP to distribute actions to endpoints, and relies on Go channels to prevent components from blocking. Running actions and commands are stored in a Postgresql database and on disk cache, such that the reliability of the platform doesn't depend on long-running processes.

Speed is a strong requirement. Most actions will only take a few hundreds milliseconds to run on agents. Larger ones, for example when looking for a hash in a big directory, should run in less than a minute or two. All in all, an investigation usually completes in between 10 and 300 seconds.

Privacy and security are paramount. Agents never send raw data back to the platform, but only reply to questions instead. All actions are signed by GPG keys that are not stored in the platform, thus preventing a compromise from taking over the entire infrastructure.

Technology

MIG is built in Go and uses a REST API that receives signed JSON messages distributed to agents via RabbitMQ and stored in a Postgres database.

It is:

  • Massively Distributed means Fast.
  • Simple to deploy and Cross-Platform.
  • Secured using OpenPGP.
  • Respectful of privacy by never retrieving raw data from endpoints.

Check out this 10 minutes video for a more general presentation and a demo of the console interface.

MIG youtube video

MIG was recently presented at the SANS DFIR Summit in Austin, Tx. You can watch the recording below:

MIG @ DFIR Summit 2015

Discussion

Join #mig on irc.mozilla.org (use a web client such as mibbit ).

We also have a public mailing list at list@mig.ninja.

Documentation

All documentation is available in the 'doc' directory and on http://mig.mozilla.org .

Testing

Assuming you have a dedicated Ubuntu system (like a VM), you can use the standalone installation script to deploy a test environment rapidly.

$ sudo apt-get install golang git

# must be >= 1.5
$ go version
go version go1.6.1 linux/amd64

$ export GOPATH=$HOME/go

$ mkdir $GOPATH

$ go get mig.ninja/mig

$ cd $GOPATH/src/mig.ninja/mig

$ bash tools/standalone_install.sh

This script will install all of the components MIG needs for a localhost only installation. Follow instructions at the end of the script to convert it to a real infrastructure, or read Installation & Configuration.