{"id":13430345,"url":"https://github.com/mozilla/mig","last_synced_at":"2025-09-28T23:30:45.606Z","repository":{"id":10528047,"uuid":"12719968","full_name":"mozilla/mig","owner":"mozilla","description":"Distributed \u0026 real time digital forensics at the speed of the cloud","archived":true,"fork":false,"pushed_at":"2019-09-13T23:40:11.000Z","size":32172,"stargazers_count":1201,"open_issues_count":71,"forks_count":237,"subscribers_count":93,"default_branch":"master","last_synced_at":"2024-05-22T19:56:22.599Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"http://mig.mozilla.org/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mozilla.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2013-09-10T04:04:40.000Z","updated_at":"2024-04-28T12:01:11.000Z","dependencies_parsed_at":"2022-08-07T05:15:52.278Z","dependency_job_id":null,"html_url":"https://github.com/mozilla/mig","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozilla%2Fmig","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozilla%2Fmig/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozilla%2Fmig/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozilla%2Fmig/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mozilla","download_url":"https://codeload.github.com/mozilla/mig/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","re
positories_count":234569774,"owners_count":18854133,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T02:00:52.483Z","updated_at":"2025-09-28T23:30:40.530Z","avatar_url":"https://github.com/mozilla.png","language":"Go","readme":"MIG: Mozilla InvestiGator\n=========================\n\u003cimg style=\"float: right\" src=\"doc/.files/MIG-logo-CC-small.jpg\" size=\"300px\"\u003e\n\nMIG is Mozilla's platform for investigative surgery of remote endpoints.\n\n⚠️ Deprecation Notice ⚠️\n-------------------------\n\nMozilla is no longer maintaining the Mozilla InvestiGator (MIG) project.\n\nMozilla is also no longer making use of this code internally.\n\nYou are welcome to use this code as is with no warranty. Please fork it to continue development.\n\n\nQuick Start w/ Docker\n---------------------\n\nYou can spin up a local-only MIG setup using docker. 
The container is not suitable for production use but\nlets you experiment with MIG quickly, providing a single container environment that has most of the MIG components\navailable.\n\nTo pull from Docker Hub:\n\n```bash\n$ docker pull mozilla/mig\n$ docker run -it mozilla/mig\n```\n\nOr, if you have the source checked out in your GOPATH you can build your own image:\n\n```bash\n$ cd $GOPATH/src/github.com/mozilla/mig\n$ docker build -t mozilla/mig:latest .\n$ docker run -it mozilla/mig\n```\n\nOnce inside the container, you can use the MIG tools to query a local agent, as such:\n\n```bash\nmig@5345268590c8:~$ /go/bin/mig file -t all -path /usr/bin -sha2 5c1956eba492b2c3fffd8d3e43324b5c477c22727385be226119f7ffc24aad3f\n1 agents will be targeted. ctrl+c to cancel. launching in 5 4 3 2 1 GO\nFollowing action ID 7978299359234.\n 1 / 1 [=========================================================] 100.00% 0/s4s\n100.0% done in 3.029105958s\n1 sent, 1 done, 1 succeeded\ned11f485244a /usr/bin/wget [lastmodified:2016-07-05 15:32:42 +0000 UTC, mode:-rwxr-xr-x, size:419080] in search 's1'\n1 agent has found results\n```\n\nTo explore the capabilities of MIG, take a look at the [CheatSheet](https://github.com/mozilla/mig/blob/master/doc/cheatsheet.rst).\n\nWhat is this?\n-------------\n\nMIG is composed of agents installed on all systems of an infrastructure that can\nbe queried in real-time to investigate the file-systems, network state, memory\nor configuration of endpoints.\n\n| Capability        | Linux | MacOS | Windows |\n| ----------------- | ----- | ----- | ------- |\n| file inspection   | ![check](doc/.files/check_mark_green.png) | ![check](doc/.files/check_mark_green.png) | ![check](doc/.files/check_mark_green.png) |\n| network inspection| ![check](doc/.files/check_mark_green.png) | ![check](doc/.files/check_mark_green.png) | (partial) |\n| memory inspection | ![check](doc/.files/check_mark_green.png) | ![check](doc/.files/check_mark_green.png) | 
![check](doc/.files/check_mark_green.png) |\n| vuln management   | ![check](doc/.files/check_mark_green.png) | (planned) | (planned) |\n| log analysis      | (planned) | (planned) | (planned) |\n| system auditing   | ![check](doc/.files/check_mark_green.png) | (planned) | (planned) |\n\nImagine it is 7am on a Saturday morning, and someone just released a\ncritical vulnerability for your favorite PHP application. The vuln is already\nexploited and security groups are releasing indicators of compromise (IOCs).\nYour weekend isn't starting great, and the thought of manually inspecting\nthousands of systems isn't making it any better.\n\nMIG can help. The signature of the vulnerable PHP app (the md5 of a file, a regex,\nor just a filename) can be searched for across all your systems using\nthe `file` module. Similarly, IOCs such as specific log entries, backdoor files\nwith md5 and sha1/2/3 hashes, IP addresses from botnets or byte\nstrings in process memory can be investigated using MIG. Suddenly, your\nweekend is looking a lot better. And with just a few commands, thousands of systems\nwill be remotely investigated to verify that you're not at risk.\n\n![MIG command line demo](doc/.files/mig-cmd-demo.gif)\n\nMIG agents are designed to be lightweight, secure, and easy to deploy so you can\nask your favorite sysadmins to add it to a base deployment without fear of\nbreaking the entire production network. All parameters are built into the agent\nat compile time, including the list and ACLs of authorized investigators.\nSecurity is enforced using PGP keys, and even if MIG's servers are compromised,\nas long as our keys are safe on your investigator's laptop, no one will break\ninto the agents.\n\nMIG is designed to be fast, and asynchronous. 
It uses AMQP to distribute actions\nto endpoints, and relies on Go channels to prevent components from blocking.\nRunning actions and commands are stored in a PostgreSQL database and on-disk cache,\nsuch that the reliability of the platform doesn't depend on long-running processes.\n\nSpeed is a strong requirement. Most actions will only take a few hundred\nmilliseconds to run on agents. Larger ones, for example when looking for a hash in\na big directory, should run in less than a minute or two. All in all, an\ninvestigation usually completes in between 10 and 300 seconds.\n\nPrivacy and security are paramount. Agents never send raw data back to the\nplatform, but only reply to questions instead. All actions are signed by GPG\nkeys that are not stored in the platform, thus preventing a compromise from\ntaking over the entire infrastructure.\n\nTechnology\n----------\nMIG is built in Go and uses a REST API that receives signed JSON messages distributed\nto agents via RabbitMQ and stored in a Postgres database.\n\nIt is:\n* Massively Distributed means Fast.\n* Simple to deploy and Cross-Platform.\n* Secured using OpenPGP.\n* Respectful of privacy by never retrieving raw data from endpoints.\n\nCheck out this 10-minute video for a more general presentation and a demo of\nthe console interface.\n\n[![MIG youtube video](http://img.youtube.com/vi/wJwj5YB6FFA/0.jpg)](http://www.youtube.com/watch?v=wJwj5YB6FFA)\n\nMIG was recently presented at the SANS DFIR Summit in Austin, TX. 
You can watch the recording below:\n\n[![MIG @ DFIR Summit 2015](http://img.youtube.com/vi/pLyKPf3VsxM/0.jpg)](http://www.youtube.com/watch?v=pLyKPf3VsxM)\n\nDiscussion\n----------\nJoin **#mig** on [irc.mozilla.org](https://wiki.mozilla.org/IRC) (use a web\nclient such as [mibbit](https://chat.mibbit.com)).\n\nDocumentation\n-------------\nAll documentation is available in the 'doc' directory and on http://mig.mozilla.org .\n* [Concepts \u0026 Internal Components](doc/concepts.rst)\n* [Installation \u0026 Configuration](doc/configuration.rst)\n","funding_links":[],"categories":["Go","Tools","\u003ca id=\"e1fc1d87056438f82268742dc2ba08f5\"\u003e\u003c/a\u003e事件响应\u0026\u0026取证\u0026\u0026内存取证\u0026\u0026数字取证","Challenges","Uncategorized","Hunting","\u003ca id=\"ecb63dfb62722feb6d43a9506515b4e3\"\u003e\u003c/a\u003e新添加"],"sub_categories":["Live Forensics","\u003ca id=\"1fc5d3621bb13d878f337c8031396484\"\u003e\u003c/a\u003e取证\u0026\u0026Forensics\u0026\u0026数字取证\u0026\u0026内存取证","Live forensics","Uncategorized"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmozilla%2Fmig","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmozilla%2Fmig","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmozilla%2Fmig/lists"}