Dshell

Dshell is an open source, Python-based, forensic analysis framework developed by the U.S. Army Research Laboratory, MD. This tool provides users with the ability to develop custom analysis modules which helps them understand events of cyber intrusion. This framework handles stream reassembly of both IPv4 and IPv6 network traffic and also includes geolocation and IP-to-ASN mapping for each connection. Additionally, the framework plug-ins are designed to aid in the understanding of network traffic and present results to the user in a concise, useful manner. Since Dshell is written entirely in Python, the code base can be customized to particular problems by modifying an existing decoder to extract different information from existing protocols.

The U.S. Army Research Laboratory (ARL) released a version of Dshell to GitHub social coding website on December 17, 2014, with more than 100 downloads and 2,000 unique visitors in 18 countries. Before it was publicly released, Dshell had a small, select community of users in several government organizations. Users could use the tool to find the exact information they needed from network data including looking up names, reassembled website requests or decoded malware traffic. ARL chose to release Dshell to GitHub because sharing it with the world created more security teams gaining another specialized tool to keep their networks secure. Furthermore, increasing the security of the Internet as a whole by increasing the number of skilled eyes looking for bugs and potential improvements throughout the code.

In 2014, NASA released more than 1,000 open source projects. Other agencies, such as the National Security Agency, the National Guard and the Air Force Research Laboratory joined shortly after the following year.

GitHub was chosen for Dshell because it allows members to easily download software code, store edits, and provide a mechanism to offer feedback to the original designer. Additionally, rolling enhancements into the official version make it easier to share the software across organizations, bypassing constant emailing or sending CDs. As of June 2016, users have created more than 11,000 copies of the tool and have offered approximately 62 suggested modifications to the original software.

There are additional modules within the Dshell framework that can be accessed to increase network security; however, the ability to rapidly develop and share analytical modules is the core strength of the framework.