MIG: Mozilla InvestiGator

Mozilla's platform for real-time digital forensics and incident response of modern infrastructures

Get the code Documentation Tracker About

MIG logo

MIG is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security.

MIG is composed of agents installed on all systems of an infrastructure. The agents can be queried in real-time using a messenging protocol implemented in the MIG Scheduler. MIG has an API, a database, RabbitMQ relays, a terminal console and command line clients. It allows investigators to send actions to pools of agents, and check for indicator of compromision, verify the state of a configuration, block an account, create a firewall rule, update a blacklist and so on.

Watch on YouTube

It's an army of Sherlock Holmes, ready to interrogate your infrastructure within seconds.


Search for IOCs in real-time

For example: an investigator launches an action to search for an apache module that matches a given md5 value. MIG will register the action, find all the relevant targets and send commands to each target agent with the detail of the action. Each agent then individually runs the action using built-in modules, and sends the results back to the MIG platform.

Easy to deploy, easy to operate

Agents are designed to be lightweight, secure, and easy to deploy. All parameters are built into the agent at compile time, include the list of investigator's public keys. The agent binary is statically compiled for a target platform and can be shipped without any external dependency. Deploying an agent is as easy as running
wget -O /sbin/mig-agent https://fileserver/mig-agent && sudo /sbin/mig-agent

Fast and asynchronous

MIG is designed to be fast, and asynchronous. It uses AMQP to distribute actions to endpoints, and relies on Go channels to prevent components from blocking. Running actions and commands are stored on disk cache, and don't rely on running processes for reliability.

Speed is a strong requirement. Most actions will only take a few hundreds milliseconds to run. Larger ones, for example when looking for a hash in a large directory, should run in less than a minute or two.

Strong security primitives

Privacy and security are paramount. Agents never send raw data back to the platform, but only reply to questions instead. All actions are signed by GPG keys that are not stored in the platform, thus preventing a compromision from taking over the entire infrastructure.


Mozilla InvestiGator uses signed JSON actions. An action can represent an IOC (Indicator of Compromise), or a task to perform on an endpoint (update a firewall, create a user account, ...). The JSON format is designed to be easy to read and easy to write without the help of a program. The long term goal is to allow investigators to share documents easily.

            "name": "Linux backdoor, found on compromised host in 2014",
            "description": {
                "author": "Julien Vehent",
                "email": "julien@linuxwall.info",
                "revision": 201409031800
            "target": "agents.os = 'linux'",
            "threat": {
                "level": "alert",
                "type": "system",
                "family": "backdoor"
            "operations": [
                    "module": "filechecker",
                    "parameters": {
                        "searches": {
                            "backdoors": {
                                "paths": [
                                "sha256": [
            "syntaxversion": 2


The console is the terminal interface that allows investigators to control MIG. It is terminal based, and runs on Linux and MacOS.