Distributed & real time digital forensics at the speed of the cloud
Go Makefile Other
Latest commit 3f053d4 Sep 21, 2017 @ameihm0912 ameihm0912 committed on GitHub Merge pull request #403 from ameihm0912/readme-update
update README for audit changes
Failed to load latest commit information.
actions [minor] remove upgrade module and additional references to module Dec 21, 2016
client client: add missing comments to exported functions Sep 20, 2017
conf loader: load configuration from external configuration file Sep 12, 2017
database doc: update config guide Postgres section Sep 18, 2017
doc doc: include a reference to modulepack in the config guide Sep 19, 2017
mig-agent send tags and environment with persist module config Sep 20, 2017
mig-api mig-api: commandsToComplianceItems, make Tags a map Jul 25, 2017
mig-loader loader: support loading keyring from configuration directory Sep 12, 2017
mig-runner client: return proper errors from FindHomedir Sep 20, 2017
mig-scheduler [major] investigator API key authentication for API use Apr 11, 2017
modulepack modulepack: add audit and dispatch modules Sep 20, 2017
modules dispatch: rename Details to Event Sep 21, 2017
pgp [minor] update pgp getPINNaïve so stty -echo is successful Feb 3, 2017
runner-plugins runner-scribe: apply a v2bkey based on operator and team values Jul 27, 2017
service [minor] windows: pause in service Remove to confirm removal Apr 13, 2017
testutil [doc] add newline after license header to ignore it in godoc Aug 27, 2015
tools remove a couple unused scripts from tools Sep 19, 2017
vendor vendor aws-sdk-go Sep 20, 2017
workers remove agent-intel-worker Jul 25, 2017
.gitignore agent: add tests for acl configuration loads Sep 12, 2017
.travis.yml update travis script to use container build for test Sep 12, 2017
AUTHORS [doc] add Rob Murtha to AUTHORS file Dec 22, 2016
CONTRIBUTING.md update CONTRIBUTING.md, remove requirement to tag commits Jul 12, 2017
Dockerfile simplify standalone installation for docker image Sep 12, 2017
LICENSE [medium] Makefile support Feb 3, 2014
Makefile add audit and dispatch modules to test target Sep 20, 2017
README.md update README for audit changes Sep 21, 2017
acl.go [medium/bug] Prevent one investigator from signing multiple times Sep 25, 2016
action.go [minor/bug] in SignAction, remove temporary file Apr 25, 2017
agent.go in mig.Agent, declare Tags as a map for Agent type Jul 25, 2017
command.go [doc] add newline after license header to ignore it in godoc Aug 27, 2015
constants.go [medium/bug] terminate scheduler when heartbeat to relays fails, fixes Nov 5, 2015
investigator.go [major] investigator API key authentication for API use Apr 11, 2017
loader.go [major] investigator API key authentication for API use Apr 11, 2017
logging_posix.go [minor] add log file rotation for file output mode Apr 19, 2016
logging_windows.go [medium/bug] on windows, close log file before rotate May 25, 2017
manifest.go add loader config to bundle manifest maps Sep 12, 2017
misc.go [major] investigator API key authentication for API use Apr 11, 2017
runner.go [minor] initial commit of mig-runner Sep 15, 2015
version.go set a default version value for mig package Version variable Sep 13, 2017


MIG: Mozilla InvestiGator

Build Status

MIG is Mozilla's platform for investigative surgery of remote endpoints.

Quick Start w/ Docker

You can spin up a local-only MIG setup using docker. The container is not suitable for production use but lets you experiment with MIG quickly.

$ docker pull mozilla/mig
$ docker run -it mozilla/mig

Once inside the container, you can use the MIG tools to query a local agent, as such:

mig@5345268590c8:~$ mig file -t all -path /usr/bin -sha2 5c1956eba492b2c3fffd8d3e43324b5c477c22727385be226119f7ffc24aad3f
1 agents will be targeted. ctrl+c to cancel. launching in 5 4 3 2 1 GO
Following action ID 7978299359234.
 1 / 1 [=========================================================] 100.00% 0/s4s
100.0% done in 3.029105958s
1 sent, 1 done, 1 succeeded
ed11f485244a /usr/bin/wget [lastmodified:2016-07-05 15:32:42 +0000 UTC, mode:-rwxr-xr-x, size:419080] in search 's1'
1 agent has found results

To explore the capabilities of MIG, take a look at the CheatSheet.

What is this?

MIG is composed of agents installed on all systems of an infrastructure that are be queried in real-time to investigate the file-systems, network state, memory or configuration of endpoints.

Capability Linux MacOS Windows
file inspection check check check
network inspection check check (partial)
memory inspection check check check
vuln management check (planned) (planned)
log analysis (planned) (planned) (planned)
system auditing check (planned) (planned)

Imagine it is 7am on a saturday morning, and someone just released a critical vulnerability for your favorite PHP application. The vuln is already exploited and security groups are releasing indicators of compromise (IOCs). Your weekend isn't starting great, and the thought of manually inspecting thousands of systems isn't making it any better.

MIG can help. The signature of the vulnerable PHP app (the md5 of a file, a regex, or just a filename) can be searched for across all your systems using the file module. Similarly, IOCs such as specific log entries, backdoor files with md5 and sha1/2/3 hashes, IP addresses from botnets or byte strings in processes memories can be investigated using MIG. Suddenly, your weekend is looking a lot better. And with just a few commands, thousands of systems will be remotely investigated to verify that you're not at risk.

MIG command line demo

MIG agents are designed to be lightweight, secure, and easy to deploy so you can ask your favorite sysadmins to add it to a base deployment without fear of breaking the entire production network. All parameters are built into the agent at compile time, including the list and ACLs of authorized investigators. Security is enforced using PGP keys, and even if MIG's servers are compromised, as long as our keys are safe on your investigator's laptop, no one will break into the agents.

MIG is designed to be fast, and asynchronous. It uses AMQP to distribute actions to endpoints, and relies on Go channels to prevent components from blocking. Running actions and commands are stored in a Postgresql database and on disk cache, such that the reliability of the platform doesn't depend on long-running processes.

Speed is a strong requirement. Most actions will only take a few hundreds milliseconds to run on agents. Larger ones, for example when looking for a hash in a big directory, should run in less than a minute or two. All in all, an investigation usually completes in between 10 and 300 seconds.

Privacy and security are paramount. Agents never send raw data back to the platform, but only reply to questions instead. All actions are signed by GPG keys that are not stored in the platform, thus preventing a compromise from taking over the entire infrastructure.


MIG is built in Go and uses a REST API that receives signed JSON messages distributed to agents via RabbitMQ and stored in a Postgres database.

It is:

  • Massively Distributed means Fast.
  • Simple to deploy and Cross-Platform.
  • Secured using OpenPGP.
  • Respectful of privacy by never retrieving raw data from endpoints.

Check out this 10 minutes video for a more general presentation and a demo of the console interface.

MIG youtube video

MIG was recently presented at the SANS DFIR Summit in Austin, Tx. You can watch the recording below:

MIG @ DFIR Summit 2015


Join #mig on irc.mozilla.org (use a web client such as mibbit).

We also have a public mailing list at list@mig.ninja.


All documentation is available in the 'doc' directory and on http://mig.mozilla.org .


Assuming you have a dedicated Ubuntu system (like a VM), you can use the standalone installation script to deploy a test environment rapidly.

$ sudo apt-get install golang git

# must be >= 1.5
$ go version
go version go1.6.1 linux/amd64

$ export GOPATH=$HOME/go

$ mkdir $GOPATH

$ go get mig.ninja/mig

$ cd $GOPATH/src/mig.ninja/mig

$ bash tools/standalone_install.sh

This script will install all of the components MIG needs for a localhost only installation. Follow instructions at the end of the script to convert it to a real infrastructure, or read Installation & Configuration.