Mozilla Releases Masche Forensics Module

Mozilla, which operates thousands of servers to build products and run services for its users, has developed and launched Masche, a forensics tool for examining the memory of running processes. Inspecting process memory is a need that often arises during security investigations.

The Firefox creator intends Masche to be part of its Mozilla InvestiGator (MIG) tool, a cross-platform endpoint security system. MIG can inspect the file system and network information of thousands of hosts in parallel, to increase visibility across the infrastructure.

Over the last six months, the Mozilla Winter of Security team has designed and built the memory forensics library, which runs on Linux, Mac OS and Windows. Mozilla has released the source code under the Mozilla Public License, version 2.0, and has posted it on GitHub.

“Masche provides basic primitives for scanning the memory of processes without disrupting the normal operations of a system,” said Julien Vehent, a Mozilla OpSec member, in a blog post. “Compared with frameworks like Volatility or Rekall, Masche does not provide the same level of advanced forensics features. Instead, it focuses on searching for regexes and byte strings in the processes of large pools of systems, and does so live and very fast.”

Mozilla is in the process of integrating Masche as a module for MIG, with the goal of deploying it across its infrastructure.

“As we use it more for live memory forensics, we will continue to improve its scanning capabilities and contribute the results back to the community,” Vehent said.
