
Diffy (DEPRECATED)
#Incident Management #Digital Forensics
Advanced computer forensics software with efficient features.
Diffy has been deprecated at Netflix
Diffy has been officially deprecated at Netflix.
This Software is No Longer Maintained or Supported
Diffy is a digital forensics and incident response (DFIR) tool created by Netflix's Security Intelligence and Response Team (SIRT). It lets forensic investigators quickly assess a compromise across cloud instances during an incident and prioritize those instances for follow-up actions. Currently, Diffy focuses on Linux instances running in Amazon Web Services (AWS), but its plugin architecture allows it to support multiple platforms and cloud providers.
Why It's Called 'Diffy'
'Diffy' gets its name because it assists human investigators in identifying differences between instances. Additionally, Alex noted that 'The Difforensicator' was unnecessarily complicated.
For recent updates, please refer to the Releases section. For well-organized documentation, visit our Read the Docs site.
Supported technologies include AWS (AWS Systems Manager / SSM) and local osquery. Each technology comes with its own plugins for targeting, collection, and persistence.
Features
Effectively identifies and highlights outliers in security-relevant instance behavior.
For example, you can use Diffy to identify unexpected port listeners
For example, you can use Diffy to identify which of your instances are listening on ports that you did not expect.
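The port-listener comparison described above, as an added Python example that is not Diffy's own code: it assumes rows shaped like the JSON output of osquery's `listening_ports` table, and the instance IDs, sample rows and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample rows shaped like osquery's listening_ports table
# (JSON output, so values are strings; protocol 6 = TCP, 17 = UDP).
def row(port, protocol="6", address="0.0.0.0"):
    return {"port": str(port), "protocol": protocol, "address": address}

BASELINE = [row(22), row(443), row(0)]        # known-good instance
FLEET = {                                     # hypothetical instance IDs
    "i-aaa": [row(22), row(443)],
    "i-bbb": [row(22), row(443), row(0)],
    "i-ccc": [row(22), row(443), row(4444)],
    "i-ddd": [row(22), row(443), row(53, "17")],
}

def listeners(rows):
    """Reduce rows to a set of (protocol, port); port 0 rows are skipped."""
    return {(int(r["protocol"]), int(r["port"]))
            for r in rows if r["port"] != "0"}

def diff_against_baseline(baseline_rows, fleet):
    """Per instance, the listeners that the baseline instance does not have."""
    known = listeners(baseline_rows)
    found = {iid: sorted(listeners(rows) - known)
             for iid, rows in fleet.items()}
    return {iid: extra for iid, extra in found.items() if extra}

def rare_listeners(fleet, max_share=0.25):
    """Without a baseline: listeners seen on at most max_share of instances."""
    counts = Counter(l for rows in fleet.values() for l in listeners(rows))
    limit = max_share * len(fleet)
    found = {iid: sorted(l for l in listeners(rows) if counts[l] <= limit)
             for iid, rows in fleet.items()}
    return {iid: rare for iid, rare in found.items() if rare}

if __name__ == "__main__":
    for iid, extra in diff_against_baseline(BASELINE, FLEET).items():
        print(iid, "unexpected listeners:", extra)
    for iid, rare in rare_listeners(FLEET).items():
        print(iid, "rare listeners:", rare)
```

The baseline diff depends on having a trusted reference instance; the rarity check needs none but only works when most of the fleet is uncompromised.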