Slashdot Mirror


US Army Releases Code For Internal Forensics Framework

An anonymous reader writes: The U.S. Army Research Laboratory in Maryland has released on GitHub a version of a Python-based internal forensics tool which the army itself has been using for five years. Dshell is a Linux-based framework designed to help investigators identify and examine compromised IT environments. One of the intentions of the open-sourcing of the project is to involve community developers in the creation of new modules for the framework. The official release indicates that the version of Dshell released to GitHub is not necessarily the same one that the Army uses, or at least that the module package might be pared down from the Army-issued software.

37 comments

  1. Is Encase worried yet? by plover · · Score: 1

    Being produced by the Army, this has the chance to be taken seriously enough by companies that are currently beholden to Encase. I know Autopsy and the Forensic Toolkit have been around for quite a while, but I haven't seen them really take off as a serious competitor.

    --
    John
    1. Re:Is Encase worried yet? by OverlordQ · · Score: 2

      This looks like less Encase and more WireShark/pcap post processing.

      --
      Your hair look like poop, Bob! - Wanker.
    2. Re:Is Encase worried yet? by plover · · Score: 3, Insightful

      Yeah, the more I dig into it, the more it looks like an investigative tool than an evidence analysis tool. That's pretty cool, but as you say, it looks a lot like Wireshark. Still, when you're facing an unknown attacker, it may not hurt to have a couple different views on the problem.

      --
      John
    3. Re: Is Encase worried yet? by Anonymous Coward · · Score: 0

      The most pronounced reason for the broad adoption of Encase isn't any particular feature set, necessarily, but rather the established precedence of its integrity as a forensic tool. Data acquired properly with EnCase along with proper documentation and evidence handling is almost universally known to our courts as being forensically sound. Forensic soundness can be more difficult to demonstrate to courts when that precedent isn't established.

    4. Re:Is Encase worried yet? by bytethese · · Score: 1

      I don't think EnCase will worry yet. When people ask, I always say that EnCase is the Windows of forensic software. Windows may suck, but it's still the "gold standard" tool to use in forensics examinations, FTK being second. There's always a niche tho, like BlackLight for Mac examinations. I'm not much of a developer but I would love to poke around with Dshell.

    5. Re:Is Encase worried yet? by Solozerk · · Score: 3, Interesting

      It's a Python frontend to the wireshark filters accessible from a GUI console. Whoop dee doo!
      That being said, it also includes some features for tracking continuous sessions based on L7 filtering, provides a limited GeoIP resolution, and so on - and it at least provides a framework for developing more advanced analysis.

      As others have said since this release, it is at least an open source, base framework for developing more advanced stuff, and it provides library integration points for other software. As basic as it is, it might provide a common framework for an open development of an advanced traffic analysis tool that'll be open (after careful reading of the code, any relatively good expert would be able to provide a similarly capable code in a matter of days and probably has, as an interesting case study/exercise previously - I know I did, limited to HTTP analysis but still). That can only be a good thing, if only to regroup efforts in that direction to provide a universal traffic analysis tool for forensics and so on.

      Any code being released open source is always a plus :-) It's nice to see even the US army realizes this.
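The "continuous session tracking based on L7 filtering" that the comment above describes, shown as an added example (not Dshell's own code or API): packets are grouped into bidirectional flows keyed on their address pairs, an HTTP request filter pulls the Host header, and only flows that carried HTTP requests are kept. The packet records and addresses are constructed sample data.

```python
"""Flow tracking with a minimal L7 (HTTP) filter, in the spirit of a Dshell-style decoder.
Added example, not Dshell code. Packet records below are constructed sample traffic."""
from dataclasses import dataclass, field

@dataclass
class Flow:
    client: tuple          # (ip, port) of the side that sent the first packet
    server: tuple
    packets: int = 0
    client_bytes: int = 0
    server_bytes: int = 0
    hosts: list = field(default_factory=list)  # HTTP Host headers seen on this flow

def flow_key(src, sport, dst, dport):
    # Canonical bidirectional key so both directions of a session map to one flow.
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def http_host(payload):
    # L7 filter: recognise an HTTP request line and extract its Host header, else None.
    if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return None
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None

def track_flows(packets):
    flows = {}
    for src, sport, dst, dport, payload in packets:
        key = flow_key(src, sport, dst, dport)
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(client=(src, sport), server=(dst, dport))
        f.packets += 1
        if (src, sport) == f.client:
            f.client_bytes += len(payload)
        else:
            f.server_bytes += len(payload)
        host = http_host(payload)
        if host and host not in f.hosts:
            f.hosts.append(host)
    return flows

def http_flows(packets):
    # Apply the L7 filter at session level: keep only flows that carried HTTP requests.
    return {k: f for k, f in track_flows(packets).items() if f.hosts}

# Constructed sample traffic: one HTTP session (both directions) plus an unrelated DNS-port flow.
SAMPLE = [
    ("10.0.0.5", 40000, "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("203.0.113.10", 80, "10.0.0.5", 40000, b"HTTP/1.1 200 OK\r\n\r\nhello"),
    ("10.0.0.5", 40000, "203.0.113.10", 80, b"GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.5", 53001, "10.0.0.1", 53, b"\x00\x01"),
]
```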

  2. There goes the Government again! by Anonymous Coward · · Score: 1

    Destroying free enterprise by releasing stuff for FREE that was paid for by EVIL taxes!

    Don't they remember the words of our Founding Fathers who said "Four Score and Seven Years ago, we asked what can our country do for us that would show we have nothing to fear except death and taxes, but would instead create a more perfect capitalism for Tippecanoe and Tyler too!"

    1. Re:There goes the Government again! by Anonymous Coward · · Score: 1

      Well, I suppose a free-market capitalist ought to be offended by this project, if he or she were a caricature living in your head...

    2. Re:There goes the Government again! by Anonymous Coward · · Score: 0

      What? Somebody is living in my head? That's my property! I demand they be evicted!

    3. Re:There goes the Government again! by Anonymous Coward · · Score: 0

      No, you're doing it wrong - don't evict them - they're your intellectual property!

      Instead, demand that every flesh-n-blood capitalist out there pay you licensing fees.

      You owe me 2 cents, BTW. You're welcome!

  3. Trust by dotancohen · · Score: 4, Funny

    I'm not sure that I trust this "open source" code from, of all places the US Army, available on Github. Does anyone have a compiled binary for Kubuntu that I could try?

    --
    It is dangerous to be right when the government is wrong.
    1. Re:Trust by CrimsonAvenger · · Score: 1

      So, read the code and decide for yourself whether it's safe. I thought that was the point of Open Source.

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    2. Re:Trust by Anonymous Coward · · Score: 0

      Whoooosh...

    3. Re:Trust by Anonymous Coward · · Score: 0

      You did read the part where it's written in fucking Python, right?

      Nah, of course you didn't. This is DICEdot. Not only do the low ID lusers not bother reading the articles, they don't even bother reading the fucking summaries.

    4. Re:Trust by halivar · · Score: 4, Funny

      GP was probably joking, what with the request for a compiled, black-box binary. At least, I hope to god so. Sufficiently advanced stupidity is indistinguishable from satire, after all.

    5. Re:Trust by kogut · · Score: 1

      Wooosh.

    6. Re:Trust by weilawei · · Score: 2

      There are summaries? What are these "articles" you speak of?

    7. Re:Trust by halivar · · Score: 2, Funny

      Fucking Python? Is that different than regular Python? Does it have new language features?

    8. Re:Trust by weilawei · · Score: 2

      It's like having a super-long prehensile finger with a tongue at the end. You do the math.

    9. Re:Trust by Anonymous Coward · · Score: 0

      You do the math.

      Let me guess... multiplication?

      Everyone knows that you have to learn Forth to get laid. Go Forth, and multiply!

    10. Re:Trust by HiThere · · Score: 1

      FWIW, Python *does* compile the code it executes, and saves it as *.pyc files. True, it's only compiled for the Python virtual machine, but it's still compiled...and difficult to read.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    11. Re:Trust by Anonymous Coward · · Score: 0

      More specifically any parody of extremism is indistinguishable from extremism. Poe's Law.

  4. LICENSE.txt by Anonymous Coward · · Score: 0

    https://github.com/USArmyResearchLab/Dshell/blob/master/LICENSE.txt

    This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC 105.

    However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. http://opensource.org/licenses/mit-license.php. Under that license, permission is granted free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the conditions that any appropriate copyright notices and this permission notice are included in all copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

  5. What a bunch of crap by Anonymous Coward · · Score: 1

    A string of open source tools marginally better than Wireshark?! This is the state of forensics in the Army? I'm fucking horrified.
    Go look at commercial solutions from Blue Coat or RSA for full packet capture and analysis.

    This dshell stuff sucks rocks.

    1. Re:What a bunch of crap by Anonymous Coward · · Score: 0

      Silly army. They thought they were the air force for a minute!

      Seriously, though, they let people use computers in the army? I thought the army was where poor people go for blue collar job training.

  6. Re: that's right, you too can help! by halivar · · Score: 4, Funny

    Wow, the same guys? I didn't know Python coders were that active. Color me impressed.

  7. Re: that's right, you too can be a fatuous moron by Anonymous Coward · · Score: 0

    ^^^

  8. Re: that's right, you too can help! by Anonymous Coward · · Score: 0

    Wow, the same guys? I didn't know Python coders were that active. Color me impressed.

    Old coders never die, they are kept in the Army Long Term cold storage. In case of emergency press Revive button.

  9. md5deep (so much more than md5) also came from mil by Anonymous Coward · · Score: 0

    https://github.com/jessek/hash...

    This came from someone working in the US mil and it's an amazing program. Not all .mil projects are bad.

  10. it would have been nice... by dremspider · · Score: 4, Interesting

    If instead of developing from the ground up they had simply invested their time and effort into enhancing an already existing project that already does more: https://www.bro.org/

  11. Re: that's right, you too can help! by HiThere · · Score: 2

    Well, if it's on GitHub they won't be the only people who benefit. You might as well argue against building hammers because the army uses some. (OK, that's not *quite* fair. It is a specialized tool. But not *that* specialized.)

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  12. Look, mommie - a troll! by mmell · · Score: 1

    Yippee!

  13. Re:md5deep (so much more than md5) also came from by Anonymous Coward · · Score: 0

    So did Tor.

  14. Hard up by Areyoukiddingme · · Score: 1

    The most bloated budget in the history of the world wants freebies from software developers? Really? Domain/framework-specific freebies? Thank you for your contribution to open source, US Army, but judging by the fact Slashdot can barely muster the will to snark, I don't think you're going to get a lot of contributions.

  15. Navy version by belthize · · Score: 1

    That's nice and all but when can we get the NCIS version. I've been watching their weekly documentary and they have some damned impressive software.

    1. Re:Navy version by Anonymous Coward · · Score: 0

      That's the Flash version, not Python. Will be HTML 5 running in full-screen Chrome soon.