WebJob was initially written to assist Incident Response Handlers
in their efforts to investigate potentially compromised systems.
Often, these Handlers must work around the constraints imposed by
the surrounding environment: for example, lack of physical or shell
access, untrusted diagnostic programs, lack of encryption, many
machines in need of investigation, and so on. Therefore, I felt
that Handlers, or their eyes and ears in the field, needed an
efficient way to import and run known good diagnostic tools when
investigating live systems.

WebJob is lightweight, portable, and easy to use. This makes
it a good candidate for establishing a foothold on the target system.
Once there, all that is needed to begin diagnostics is a small
configuration file and access to a remote WebJob server. When
there are many machines to investigate, WebJob can be deployed
in parallel, and all harvested output can be directed to and
aggregated on a single server. This reduces the amount of manual
data processing involved in collecting, tagging, and storing evidence.
It also significantly reduces the amount of time, effort, and resources
needed to arrive at a determination.

Message digest (i.e., --hashsum) support first appeared in WebJob

GetHook and Jid (Job ID) support first appeared in WebJob 1.4.0.

Digital Signature Verification (DSV) support and server-side GET/PUT
triggers first appeared in WebJob 1.6.0.

Proxy support, get URL (i.e., --get-url) support, and dynamic content
via server-side GET hooks first appeared in WebJob 1.7.0.

Queueing support via Job Queue Directories (JQD) and embedded Perl
scripting (i.e., --run-embedded) first appeared in WebJob 1.8.0.