Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Army Releases Code For Internal Forensics Framework

Posted by Soulskill on from the see-what-kind-of-code-your-tax-dollars-can-buy dept.

An anonymous reader writes: The U.S. Army Research Laboratory in Maryland has released on GitHub a version of a Python-based internal forensics tool which the army itself has been using for five years. Dshell is a Linux-based framework designed to help investigators identify and examine compromised IT environments. One of the intentions of the open-sourcing of the project is to involve community developers in the creation of new modules for the framework. The official release indicates that the version of Dshell released to Github is not necessarily the same one that the Army uses, or at least that the module package might be pared down from the Army-issued software.

11 of 37 comments (clear)

  1. Trust by dotancohen · · Score: 4, Funny

    I'm not sure that I trust this "open source" code from, of all places the US Army, available on Github. Does anyone have a compiled binary for Kubuntu that I could try?

    --
    It is dangerous to be right when the government is wrong.
    1. Re:Trust by halivar · · Score: 4, Funny

      GP was probably joking, what with the request for a compiled, black-box binary. At least, I hope to god so. Sufficiently advanced stupidity is indistinguishable from satire, after all.

    2. Re:Trust by weilawei · · Score: 2

      There are summaries? What are these "articles" you speak of?

    3. Re:Trust by halivar · · Score: 2, Funny

      Fucking Python? Is that different than regular Python? Does it have new language features?

    4. Re:Trust by weilawei · · Score: 2

      It's like having a super-long prehensile finger with a tongue at the end. You do the math.

  2. Re:Is Encase worried yet? by OverlordQ · · Score: 2

    This looks like less Encase and more WireShark/pcap post processing.

    --
    Your hair look like poop, Bob! - Wanker.
  3. Re:Is Encase worried yet? by plover · · Score: 3, Insightful

    Yeah, the more I dig into it, the more it looks like an investigative tool than an evidence analysis tool. That's pretty cool, but as you say, it looks a lot like Wireshark. Still, when you're facing an unknown attacker, it may not hurt to have a couple different views on the problem.

    --
    John
  4. Re:thats right, you too can help! by halivar · · Score: 4, Funny

    Wow, the same guys? I didn't know Python coders were that active. Color me impressed.

  5. it would have been nice... by dremspider · · Score: 4, Interesting

    If instead of developing from the ground up they had simply invested their time and effort into enhancing an already existing project that already does more.. https://www.bro.org/

  6. Re:thats right, you too can help! by HiThere · · Score: 2

    Well, if it's on GitHub they won't be the only people who benefit. You might as well argue against building hammers because the army uses some. (OK, that's not *quite* fair. It is a specialized tool. But not *that* specialized.)

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  7. Re:Is Encase worried yet? by Solozerk · · Score: 3, Interesting

    It's a Python frontend to the wireshark filters accessible from a GUI console. Whoop dee doo !
    That being said, it also includes some features for tracking continuous sessions based on L7 filtering, provides a limited GeoIP resolution, and so on - and it at least provides a framework for developing more advanced analysis.

    As others have said since this release, it is at least an open source, base framework for developing more advanced stuff, and it provides library integration points for other software. As basic as it is, it might provide a common framework for an open development of an advanced traffic analysis tool that'll be open (after careful reading of the code, any relatively good expert would be able to provide a similarly capable code in a matter of days and probably has, as an interesting case study/exercise previously - I know I did, limited to HTTP analysis but still). That can only be a good thing, if only to regroup efforts in that direction to provide a universal traffic analysis tool for forensics and so on.

    Any code being released open source is always a plus :-) It's nice to see even the US army realizes this.