diffy

Source: DataCite Commons. Updated 2020-07-30; indexed 2025-04-09.
Download link:
https://www.impactcybertrust.org/dataset_view?idDataset=1346
Resource description:
Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix's Security Intelligence and Response Team (SIRT). Diffy allows a forensic investigator to quickly scope a compromise across cloud instances during an incident, and triage those instances for follow-up actions. "Diffy" helps human investigators identify the differences between instances. Diffy is currently focused on Linux instances running within Amazon Web Services (AWS), but owing to our plugin structure, could support multiple platforms and cloud providers.

Diffy is a differencing engine for digital forensics and incident response (DFIR) in the cloud. Collect data across multiple virtual machines and use variations from a baseline, and/or clustering, to scope an incident.

Features:
- Efficiently highlights outliers in security-relevant instance behavior. For example, you can use Diffy to tell you which of your instances are listening on an unexpected port, are running an unusual process, include a strange crontab entry, or have inserted a surprising kernel module.
- Uses one, or both, of two methods to highlight differences:
  - Collection of a "functional" baseline from a "clean" running instance, against which your instance group is compared, and
  - Collection of a "clustered" baseline, in which all instances are surveyed, and outliers are made obvious.
- Uses a modular plugin-based architecture. The program includes plugins for collection using osquery via AWS Systems Manager (formerly known as Simple Systems Manager or SSM).
Provider: IMPACT
Created: 2019-09-10