MIG: Mozilla InvestiGator

Mozilla's real-time digital forensics and investigation platform.

Get the code Documentation Mailing List

MIG logo

This page contains a lot of information about MIG. Start with the cheat sheet to get an idea of capabilities, then read "Concepts & Internal Components". You can also ask your questions in the #mig channel on irc.mozilla.org, and on the mailing List.

Start Here -> MIG Cheat Sheet


Concepts & Internal Components

The essential documentation to understand the architecture of MIG and the role of its various parts.

Configuration Guide

A step by step guide to deploy a MIG platform, from the agent to the database.


Clients are the interfaces that investigators use on their local machines to interact with MIG.

The MIG Command Line

The MIG command line is the basic and most efficient interface to run investigations.


mig-console is a terminal readline-based interface that provides advanced features to interact with MIG. It can be installed via go get mig.ninja/mig/client/mig-console, but make sure you have readline installed on your local machine.

MIG Runner

MIG Runner is an automated client used to run actions without human interaction.

Modules documentation


The file module provides a basic tools to inspect a file system. It is inspired by "find" on Unix, and implements a subset of its functionalities with a focus on speed of execution.


The memory module provides introspection into the memory of running processes. It is based on the Masche library and supports scanning of userland processes on Linux, MacOS and Windows.


The netstat module exposes the ARP, IP, TCP and UDP status of a live system to investigators.


The pkg module searches packages installed on an agent system that match supplied regular expressions.


The scribe module provides host-based analysis based on a JSON document containing a series of tests. The scribe module is intended to help with:

  • Executing policy checks on systems, for example as part of using MIG for vulnerability management
  • Execute more advanced file content tests involving dependencies.


A module to perform ICMP, TCP and UDP pings from endpoints.


Timedrift checks endpoints local times against NTP servers, useful to find endpoints that are not in sync.

Workers documentation

Agent Intel

A worker that publishes details about endpoints to MozDef.

Developers documentation

Agent architecture

The MIG Agent is the master process that calls investigation modules. This document describes elements of its architecture. It is complementary to the modules documentation.

Writing modules

At the core of MIG are modules that perform the investigation actions inside the agent. Writing your own modules is described in this document.

Writing persistent modules

Persistent modules run continuously in a child process of the mig-agent to monitor a system's activity, like watching a file system or processing logs.

API endpoints

Interactions between an investigator's console and the MIG platform is done through a REST api. This page describe its various endpoints.

Database documentation

MIG stores data in Postgresql. This page explains the database structure as well as some example queries.