Mozilla Unveils Cross-Platform Memory Scanning Forensics Library

Mozilla has unveiled a new, cross platform memory inspection library that can be integrated into its Mozilla InvestiGator (MIG) endpoint security system.

Dubbed “Masche” by its creators, the memory forensics library runs on Linux, Mac OS and Windows and provides basic primitives for scanning the memory of processes without disrupting the normal operations of a system.

First created in 2013 by Julien Vehent, a member of the Operations Security team at Mozilla, MIG can inspect the file system and network information of thousands of hosts in parallel, which helps increase visibility across the infrastructure, but until now, lacked the ability to look into the memory of running processes, a need that often arises during security investigations, Vehent explained in a blog post.

“Compared with frameworks like Volatility or Rekall, Masche does not provide the same level of advanced forensics features. Instead, it focuses on searching for regexes and byte strings in the processes of large pools of systems, and does so live and very fast,” Vehent said.

Masche was developed over the last 6 months by Marco Vanotti, Patricio Palladino, Nahuel Lascano and Agustin Martinez Suñé, all students from University of Buenos Aires, Argentina.

According to Vehent, Mozilla is now integrating Masche as a module for MIG with the goal to deploy it across its infrastructure.

Developed as a fully open source project and published under the Mozilla Public License, the source code of Masche can be found on github.

Mozilla isn’t alone in looking for innovative ways to protect the thousands of servers across its infrastructure. In a move to bolster the security of its massive global server network, Facebook announced in August 2014 that it was acquiring Palo Alto, California-based cybersecurity startup PrivateCore. PrivateCore’s vCage software transparently secures data in use with full memory encryption for any application, any data, anywhere on standard x86 servers.