Google Rapid Response (GRR ) – Remote Live Forensics For Incident Response

GRR Rapid Response is an incident response framework focused on remote live forensics. It based on client server architecture, so there’s an agent which is installed on target systems and a Python server infrastructure that can manage and communicate with the agents.

There are agents for Windows, Linux and Mac OS X environments.

Overview

To function, an agent is deployed on systems that one might want to investigate. Once deployed, each system becomes a GRR client and they can start receiving messages from the frontend servers. Each message tells the client to run a specific client action and return the results. A client action is simply some well known code the agent knows how to execute (such as obtaining the list of files in a directory or reading a buffer from a file).

These actions are invoked server-side through what we call flows. A flow is a piece of server-side code that asks the GRR system to schedule remote calls to a client and has some additional logic to decide what to do based on the call results.

This flow is running on a client because a user initiated it. To do so, he probably used the web-based Graphical User Interface (GUI), which allows a GRR user to start flows for clients and review the results. Or he could also have used the text-based console to do the same.

Any flow that can be run on a single machine can also be run as a Hunt. A hunt allows running a flow on all, or any subset of machines talking to the GRR server.

Client Features

• Cross-platform support for Linux, OS X and Windows clients.
• Live remote memory analysis using open source memory drivers for Linux, OS X and Windows via the Rekall memory analysis framework.
• Powerful search and download capabilities for files and the Windows registry.
• Secure communication infrastructure designed for Internet deployment.
• Client automatic update support.
• Detailed monitoring of client CPU, memory, IO usage and self-imposed limits.

Server Features

• Fully fledged response capabilities handling most incident response and forensics tasks.
• OS-level and raw file system access, using the SleuthKit (TSK).
• Enterprise hunting (searching across a fleet of machines) support.
• Fully scalable back-end to handle very large deployments.
• Automated scheduling for recurring tasks.
• Fast and simple collection of hundreds of digital forensic artifacts.
• Asynchronous design allows future task scheduling for clients, designed to work with a large fleet of laptops.
• AngularJS Web UI and RESTful JSON API.
• Fully scriptable IPython console access.
• Basic system timelining features.
• Basic reporting infrastructure.

You can download GRR here:

1. Run the Docker image, info here: https://github.com/google/grr-doc/blob/master/docker.adoc
2. Install fresh on a Linux system, needs 1GB RAM (AWS free instance isn’t powerful enough):

Or read more here.