Mozilla InvestiGator: Distributed and Real-Time Digital Forensics at the Speed of the Cloud

Mozilla InvestiGator (MIG) is a forensics framework built by the Operations Security team (OpSec) at Mozilla to rapidly investigate large pools of endpoints across the organization.

Mozilla operates thousands of servers that support Firefox and Firefox OS and provide functionality to more than 300 million users. Systems are often heterogeneous, are tailored to the needs of particular services, and are hosted in various locations around the world.
A few years ago, the number of systems Mozilla operates outgrew the capabilities of existing forensics and endpoint security tools. The MIG project was started to provide OpSec with better visibility across the organization, and to remodel the traditional approach to forensics (manually retrieving and analyzing data from systems) that had become impractical in Mozilla’s heterogeneous environments.

MIG is a distributed platform composed of agents deployed across Mozilla’s servers. The agents provide investigators with remote access to the file system, network and memory of endpoints. MIG is massively parallelized. It can run targeted searches on thousands of endpoints in as little as ten seconds, while allowing for larger scans that take hours to complete. The architecture of MIG is cross-platform and modular. Entirely written in Go, agents can run on Windows, MacOS and Linux. Capabilities can be added via modules that are compiled and shipped with the agents. During the talk, we will discuss how the use of Go simplifies the architecture of MIG, and helps build security tools with minimal CPU and memory footprint.

MIG belongs to the growing field of distributed digital forensics, akin to Google’s Rapid Response, Akamai’s Query and Facebook’s osquery. MIG takes an approach to investigation that does not rely on retrieving and storing large amounts of data from endpoints, but instead focuses on interrogating endpoints locally via distributed agents. By limiting the amount of data retrieved from endpoints, we reduce MIG’s operating cost, have a stronger respect for data confidentiality, and ensure that a platform breach would not expose terabytes of confidential forensics data to the world. Security is a first-class citizen in MIG. We guarantee access control by requiring investigators to sign all actions with their PGP keys. Agents verify signatures prior to running actions locally. MIG is built to withstand a takeover of its platform without compromising the security of Mozilla’s servers.
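
The sign-then-verify control described above, as an added sketch that is not MIG's own code: Ed25519 from the Go standard library stands in for PGP, and the `Action` fields, function names and sample values are hypothetical. It shows why an action altered by a compromised platform is refused by the agent.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Action is a constructed stand-in for an investigation order (not MIG's wire format).
type Action struct{ Investigator, Module, Params string }

// SignedAction is what the relaying platform hands to an agent.
type SignedAction struct{ Payload, Sig []byte }

// Sign runs on the investigator's workstation; the private key never reaches the platform.
func Sign(a Action, priv ed25519.PrivateKey) SignedAction {
	p, _ := json.Marshal(a) // a struct of strings cannot fail to marshal
	return SignedAction{Payload: p, Sig: ed25519.Sign(priv, p)}
}

// Verify runs on the agent, against public keys provisioned on the endpoint itself.
func Verify(sa SignedAction, trusted map[string]ed25519.PublicKey) (Action, error) {
	var a Action
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return Action{}, err
	}
	pub, ok := trusted[a.Investigator]
	if !ok {
		return Action{}, errors.New("investigator not in agent key list")
	}
	if !ed25519.Verify(pub, sa.Payload, sa.Sig) {
		return Action{}, errors.New("signature does not match payload")
	}
	return a, nil // only a verified action is handed to a module
}

// Demo returns the agent's verdict for a genuine, an altered and an unknown-signer action.
func Demo() (genuine, altered, unknown error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	trusted := map[string]ed25519.PublicKey{"alice": pub}
	sa := Sign(Action{Investigator: "alice", Module: "file", Params: "name=sample.bin"}, priv)
	_, genuine = Verify(sa, trusted)
	_, unknown = Verify(sa, nil) // an agent that holds no key for "alice"
	// The relaying platform rewrites the parameters but cannot produce a new signature.
	sa.Payload, _ = json.Marshal(Action{Investigator: "alice", Module: "file", Params: "name=other.bin"})
	_, altered = Verify(sa, trusted)
	return
}

func main() { fmt.Println(Demo()) }
```

Because the trusted keys live on the endpoint and the signing key lives with the investigator, the platform in between only relays bytes it cannot forge.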

This talk will introduce MIG, the problems it solves, its design goals, capabilities, and security model. We will present its use on thousands of servers at Mozilla. The audience will learn how indicators of compromise can be searched across thousands of systems within seconds. During the talk, attendees will be given elements to install and operate MIG in their own environments. If permitted, the talk will include a live demo on Mozilla’s infrastructure.


Location: Track 2
Date: May 29, 2015
Time: 2:00 pm - 3:00 pm
Julien Vehent