Mozilla peers into processes with student-built forensics probe
Masche goes open source for Windows, Mac, and Linux.
Student hackers from the University of Buenos Aires have developed, with Mozilla, an open-source forensics tool to analyse the memory of running processes.
Computer science quartet Marco Vanotti, Patricio Palladino, Nahuel Lascano, and Agustin Martinez Suñé are part of Masche Team, who are "highly motivated by coding, security and free software" and over the last six months have built the tool under Mozilla's Winter of Security coding mission.
Mozilla operational security bod Julien Vehent says the Masche library fills a gap in the company's MIG (Mozilla Investigator) endpoint security platform.
"MIG can inspect the file system and network information of thousands of hosts in parallel, which greatly helps increase visibility across the infrastructure," Vehent says.
"But until recently, it lacked the ability to look into the memory of running processes, a need that often arises during security investigations.
"Masche provides basic primitives for scanning the memory of processes without disrupting the normal operations of a system."
Vehent says Mozilla is integrating the tool as a module in its MIG platform, with the aim of using it across its infrastructure to bolster MIG's scanning capabilities.
The complex scanning tool is not a fully fledged forensics platform but rather a light and fast means of searching regular expressions and byte strings in the processes of a large number of systems.
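To make the primitive concrete, here is an added example (written for this article, not Masche's or MIG's own code) of the "search regular expressions and byte strings in process memory without disrupting it" idea. It is in Go, the language Masche is written in, and assumes Linux: it parses `/proc/<pid>/maps` for readable mappings and reads them passively through `/proc/<pid>/mem` in bounded chunks, never attaching with ptrace or writing to the target. The marker string, regex and sample maps text are constructed for the demo; Masche itself uses platform APIs on Windows and OS X, which this example does not cover.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"regexp"
	"strconv"
	"strings"
)

// MapEntry is one region parsed from /proc/<pid>/maps.
type MapEntry struct {
	Start, End  uint64
	Perms, Path string
}

// Match records where a pattern occurred in the scanned address space.
type Match struct {
	Addr uint64
	Data string
}

const (
	ChunkSize = 1 << 20 // bytes per read; bounds memory use on multi-GB mappings
	Overlap   = 4096    // tail re-read with the next chunk so boundary-straddling matches are seen
)

// ParseMaps keeps the readable regions listed in /proc/<pid>/maps text.
// Guard pages and PROT_NONE reservations (perms "---p") are dropped.
func ParseMaps(text string) []MapEntry {
	var out []MapEntry
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 || !strings.HasPrefix(f[1], "r") {
			continue
		}
		lo, hi, ok := strings.Cut(f[0], "-")
		start, err1 := strconv.ParseUint(lo, 16, 64)
		end, err2 := strconv.ParseUint(hi, 16, 64)
		if !ok || err1 != nil || err2 != nil || end <= start {
			continue
		}
		e := MapEntry{Start: start, End: end, Perms: f[1]}
		if len(f) > 5 {
			e.Path = f[5]
		}
		out = append(out, e)
	}
	return out
}

// ScanRegion runs re over one buffer and rebases match offsets to addresses.
func ScanRegion(base uint64, data []byte, re *regexp.Regexp) []Match {
	var out []Match
	for _, loc := range re.FindAllIndex(data, -1) {
		out = append(out, Match{Addr: base + uint64(loc[0]), Data: string(data[loc[0]:loc[1]])})
	}
	return out
}

// ScanReader scans size bytes at virtual address base from r, whose offsets are
// addresses (as /proc/<pid>/mem's are). Reads are chunked with an overlapped
// tail; a match starting inside that tail is reported only by the chunk owning
// it, so nothing is double-counted. Matches longer than Overlap may be missed.
func ScanReader(r io.ReaderAt, base, size uint64, re *regexp.Regexp) []Match {
	var out []Match
	buf := make([]byte, ChunkSize+Overlap)
	for off := uint64(0); off < size; off += ChunkSize {
		want := uint64(len(buf))
		if size-off < want {
			want = size - off
		}
		n, err := r.ReadAt(buf[:want], int64(base+off))
		if n == 0 && err != nil {
			break // EIO etc.: this mapping is not readable through mem; skip it
		}
		for _, m := range ScanRegion(base+off, buf[:n], re) {
			if m.Addr-(base+off) < ChunkSize {
				out = append(out, m)
			}
		}
	}
	return out
}

// ScanProcess walks every readable mapping of pid and scans it through
// /proc/<pid>/mem. Nothing is written and no ptrace attach happens, so the
// target keeps running; the caller needs the same rights attaching would need
// (same user with ptrace_scope permitting, or CAP_SYS_PTRACE).
func ScanProcess(pid int, re *regexp.Regexp) ([]Match, error) {
	maps, err := os.ReadFile(fmt.Sprintf("/proc/%d/maps", pid))
	if err != nil {
		return nil, err
	}
	mem, err := os.Open(fmt.Sprintf("/proc/%d/mem", pid))
	if err != nil {
		return nil, err
	}
	defer mem.Close()
	var found []Match
	for _, r := range ParseMaps(string(maps)) {
		if r.Path == "[vvar]" || r.Path == "[vsyscall]" {
			continue // kernel-backed pseudo-mappings; reading them only yields EIO
		}
		found = append(found, ScanReader(mem, r.Start, r.End-r.Start, re)...)
	}
	return found, nil
}

func main() {
	planted := []byte("MASCHE_DEMO_MARKER_2015") // constructed marker, so the self-scan finds something
	re := regexp.MustCompile(`MASCHE_DEMO_MARKER_[0-9]+`)
	found, err := ScanProcess(os.Getpid(), re)
	if err != nil {
		fmt.Println("scan failed (Linux /proc required):", err)
		return
	}
	for _, m := range found {
		fmt.Printf("%#x %s\n", m.Addr, m.Data)
	}
	fmt.Printf("%d match(es); planted copy at %p\n", len(found), planted)
}
```

Run as the owning user of the target pid. The reads go through the kernel's `/proc` interface, so the scanned process is never stopped, which is the "without disrupting normal operations" property the article describes; the trade-off is that memory can change between chunk reads, so a hit is a point-in-time observation, not a stable state.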
Vehent says the students easily beat project expectations, given the difficult task of building and testing the tool across Windows, OS X and Linux.
In a presentation Vanotti says the group may go on to develop a kernel module to avoid the need for APIs, look for ways to increase the tool's speed, and examine forms of encoding to uncover hiding techniques. ®