Army goes open source with forensic analysis tool

ARL has released Dshell, which it has used for five years to understand compromises of DOD networks, to GitHub.

Effective cyber defense has never been more sought after, with leaders in the public and private sectors seeking more efficient and robust methods to protect sensitive data. One key to building proficient cyber defenses is using metrics to grasp how breaches and threats work. The Army is lending a hand on this front, releasing a forensic analysis code called Dshell, which it has used for five years to help understand compromises of Defense Department networks, to the public-access site GitHub.

Since the Army Research Laboratory released a version of Dshell to GitHub on Dec. 17, 2014, it has been viewed more than 2,000 times, according to an ARL release. Dshell allows users to evaluate and develop parameters specific to their own data breaches. Key features of the tool include robust stream reassembly, IPv4 and IPv6 support, custom output handlers and chainable decoders.

"Outside of government there are a wide variety of cyber threats that are similar to what we face here," William Glodek, ARL's network security branch chief, said in the release. "Dshell can help facilitate the transition of knowledge and understanding to our partners in academia and industry who face the same problems."

For the Army, releasing the code to the public not only bolsters transparency and helps other organizations with forensic analysis, but it could also allow outside developers to provide the Army with tips to improve the Dshell tool.

Those interested in running Dshell should be mindful of its software prerequisites: Linux (the tool was developed on Ubuntu 12.04), Python 2.7, and the libraries pygeoip (GNU Lesser GPL), PyCrypto (custom license), dpkt (new BSD license), IPy (BSD 2-Clause license) and pypcap (new BSD license).