Mercenary-Linux is a "new-era" lightweight distribution of (mostly) Dockerized tools built for field expedient hunting, forensics, and malware analysis. Mercenary-Linux came about as all good ideas usually do: a solution to a problem.
The unorganized and inefficient methods and platforms for hunt team analysis without a method to seamlessly coordinate and correlate our information during hunt team operations.
This problem birthed MHF (Mercenary Hunt Framework) which allows the hunt team to easily perform hunt operations within a framework that aggregates and shares data in a centralized repository using neo4j.Next we created relational algorithms to run on the backend against our data! This provided us with an automated way to more quickly and efficiently put our findings to use.
The longer we worked on the framework, the larger and more useful it became. That brought about more tools and more complexity. To alleviate that, we came up with Mercenary-Linux! We decided to aggregate our most useful tools to a single distro so that we could incorporate additional tools into the framework and standardize the output so that our back-end analytics could ingest it. We also used that as an opportunity address another problem, which was a universal distro that could do all levels of forensics across each platform. So whether you’re doing network forensics, or analyzing a Windows or Nix system; Mercenary-Linux can more than handle the task. This made it easier to offer the framework already installed, on a lightweight Linux distro. This would ensure that all the dependencies are installed, and make the framework much easier to use and maintain.
But, that’s not all folks! We utilized docker for many of the tools to avoid the aches and pains of using tools that require different versions of the same dependencies. Lets admit, when you need to use a tool—you need to use a tool. The last thing you want to do is spend an hour (or more) downloading and configuring a tool just to use it once. Or even worse, download a tool and spend hours to configure it, just for it to end up not working. To alleviate those issues with our framework we decided to provide the framework, modules, and correlation separately within one concise distribution. We’re proud to say that we’ve built one of the most universal and lightweight distros for hunting, forensics, and malware analysis!