Masche is part of the Mozilla InvestiGator security system

Mar 13, 2015 16:56 GMT  ·  By

Mozilla has published an open-source memory forensics tool for servers called Masche (short for Memory Analysis Suite for Checking the Harmony of Endpoints) that scans the memory of running processes without disrupting the normal activity of the system.

The utility is a library that is part of the Mozilla InvestiGator (MIG) endpoint security system, and it works on Windows, Linux and OS X machines.

Four computer science students built it in 6 months

MIG has been designed to let investigators gather data from a large number of systems at the same time, which shortens incident verification and speeds up other daily security activities.

The platform is modular and retrieves information from agents distributed across the systems of an infrastructure.

Masche was designed and built by a group of students (Marco Vanotti, Patricio Palladino, Nahuel Lascano and Agustin Martinez Suñé) from the University of Buenos Aires, Argentina.

The students worked on the project for six months as part of the Mozilla Winter of Security program, with the declared mission of finding less invasive and easier-to-ship memory inspection methods.

Masche is not advanced but it is very fast

“Compared with frameworks like Volatility or Rekall, Masche does not provide the same level of advanced forensics features. Instead, it focuses on searching for regexes and byte strings in the processes of large pools of systems, and does so live and very fast,” Mozilla’s Julien Vehent explains in a blog post.

Masche's capabilities include listing the processes that have loaded a specific library and accessing the memory of a given process. It also offers a "pgrep" function, named after the utility of the same name on Linux and BSD, which finds the processes whose names match a supplied regular expression.
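What "searching for regexes and byte strings in the processes of large pools of systems, live" looks like in practice is easier to see with code. Masche is written in Go, so the following added example is too; it is written for this article and is neither Masche's code nor its API. It scans a process's memory without stopping it, reading the mappings listed in /proc/<pid>/maps through /proc/<pid>/mem on Linux, and handles the case a naive scanner gets wrong: a pattern that straddles two consecutive reads. The type and function names (Region, Match, SearchRegion, LinuxRegions), the marker string MASCHE-DEMO-<pid> and the regex for it are all constructed for the example.

```go
// Added example (not Masche's code or API): a Masche-style live search of process
// memory for a regex, reading /proc/<pid>/maps and /proc/<pid>/mem on Linux.
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"regexp"
	"strconv"
	"strings"
)

type Region struct { // one readable mapping of the target; Reader is addressed relative to Start
	Start, End uint64
	Reader     io.ReaderAt
}

type Match struct { // a hit at absolute address Addr
	Addr uint64
	Hit  []byte
}

// SearchRegion scans r in chunk-sized reads, carrying the last overlap bytes of each read into
// the next so a match straddling a read boundary is found; overlap must cover the longest match.
func SearchRegion(r Region, re *regexp.Regexp, chunk, overlap int) ([]Match, error) {
	var out []Match
	var tail []byte
	for off := uint64(0); off < r.End-r.Start; off += uint64(chunk) {
		buf := append(append([]byte(nil), tail...), make([]byte, chunk)...)
		n, err := r.Reader.ReadAt(buf[len(tail):], int64(off))
		if err != nil && err != io.EOF {
			return out, err
		}
		buf = buf[:len(tail)+n]
		base := r.Start + off - uint64(len(tail)) // absolute address of buf[0]
		for _, loc := range re.FindAllIndex(buf, -1) {
			if loc[1] <= len(tail) || loc[0] == loc[1] {
				continue // already reported from the previous read, or empty
			}
			m := Match{Addr: base + uint64(loc[0]), Hit: append([]byte(nil), buf[loc[0]:loc[1]]...)}
			if k := len(out); k > 0 && out[k-1].Addr == m.Addr {
				out[k-1] = m // a match cut short at the last boundary, now seen whole
				continue
			}
			out = append(out, m)
		}
		tail = buf
		if len(buf) > overlap {
			tail = buf[len(buf)-overlap:]
		}
	}
	return out, nil
}

// LinuxRegions lists the readable mappings of pid, each backed by /proc/<pid>/mem. Reading
// another process needs ptrace access (same uid with kernel.yama.ptrace_scope=0, or
// CAP_SYS_PTRACE); unlike a debugger, this never stops the target.
func LinuxRegions(pid int) ([]Region, error) {
	maps, err := os.Open(fmt.Sprintf("/proc/%d/maps", pid))
	if err != nil {
		return nil, err
	}
	defer maps.Close()
	mem, err := os.Open(fmt.Sprintf("/proc/%d/mem", pid))
	if err != nil {
		return nil, err
	}
	var regs []Region
	sc := bufio.NewScanner(maps)
	for sc.Scan() {
		f := strings.Fields(sc.Text()) // "start-end perms offset dev inode [path]"
		if len(f) < 2 || f[1][0] != 'r' {
			continue
		}
		var start, end uint64
		fmt.Sscanf(f[0], "%x-%x", &start, &end)
		regs = append(regs, Region{start, end, io.NewSectionReader(mem, int64(start), int64(end-start))})
	}
	return regs, sc.Err()
}

func main() {
	marker := []byte("MASCHE-DEMO-" + strconv.Itoa(os.Getpid())) // constructed; lives in our own heap
	re := regexp.MustCompile(`MASCHE-DEMO-[0-9]{1,7}`)
	regs, err := LinuxRegions(os.Getpid()) // Linux only; elsewhere the open fails and is reported
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, r := range regs {
		hits, _ := SearchRegion(r, re, 64<<10, 32) // mappings /proc refuses ([vvar], [vsyscall]) yield no hits
		for _, h := range hits {
			fmt.Printf("%#x %q\n", h.Addr, h.Hit)
		}
	}
	fmt.Printf("planted %q\n", marker) // also keeps the marker reachable during the scan
}
```

Run on Linux, the program plants a marker in its own heap and then finds it from the outside, printing the absolute address of every hit. Point LinuxRegions at another pid and the same scan works as long as the caller has ptrace permission over the target; the target keeps running throughout, which is the property the article attributes to Masche. A raw byte string is searched the same way by passing it through regexp.QuoteMeta. The overlap argument is the caveat to remember: a pattern longer than the carried bytes can still fall through a read boundary, so size it to the longest match you expect.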

Vehent says that implementing this scanning on three different operating systems was far from easy.

Masche is distributed under the Mozilla Public License, version 2.0, and can be obtained from GitHub, where build instructions are also available.