Google Rapid Response (GRR ) – Remote Live Forensics For Incident Response

Outsmart Malicious Hackers


GRR Rapid Response is an incident response framework focused on remote live forensics. It based on client server architecture, so there’s an agent which is installed on target systems and a Python server infrastructure that can manage and communicate with the agents.

Google Rapid Response (GRR ) - Remote Live Forensics For Incident Response

There are agents for Windows, Linux and Mac OS X environments.

Overview

To function, an agent is deployed on systems that one might want to investigate. Once deployed, each system becomes a GRR client and they can start receiving messages from the frontend servers. Each message tells the client to run a specific client action and return the results. A client action is simply some well known code the agent knows how to execute (such as obtaining the list of files in a directory or reading a buffer from a file).

These actions are invoked server-side through what we call flows. A flow is a piece of server-side code that asks the GRR system to schedule remote calls to a client and has some additional logic to decide what to do based on the call results.

This flow is running on a client because a user initiated it. To do so, he probably used the web-based Graphical User Interface (GUI), which allows a GRR user to start flows for clients and review the results. Or he could also have used the text-based console to do the same.

Any flow that can be run on a single machine can also be run as a Hunt. A hunt allows running a flow on all, or any subset of machines talking to the GRR server.

Client Features

  • Cross-platform support for Linux, OS X and Windows clients.
  • Live remote memory analysis using open source memory drivers for Linux, OS X and Windows via the Rekall memory analysis framework.
  • Powerful search and download capabilities for files and the Windows registry.
  • Secure communication infrastructure designed for Internet deployment.
  • Client automatic update support.
  • Detailed monitoring of client CPU, memory, IO usage and self-imposed limits.

Server Features

  • Fully fledged response capabilities handling most incident response and forensics tasks.
  • OS-level and raw file system access, using the SleuthKit (TSK).
  • Enterprise hunting (searching across a fleet of machines) support.
  • Fully scalable back-end to handle very large deployments.
  • Automated scheduling for recurring tasks.
  • Fast and simple collection of hundreds of digital forensic artifacts.
  • Asynchronous design allows future task scheduling for clients, designed to work with a large fleet of laptops.
  • AngularJS Web UI and RESTful JSON API.
  • Fully scriptable IPython console access.
  • Basic system timelining features.
  • Basic reporting infrastructure.

You can download GRR here:

1. Run the Docker image, info here: https://github.com/google/grr-doc/blob/master/docker.adoc
2. Install fresh on a Linux system, needs 1GB RAM (AWS free instance isn’t powerful enough):

Or read more here.

Posted in: Countermeasures, Forensics, Security Software

, ,


Latest Posts:


StaCoAn - Mobile App Static Analysis Tool StaCoAn – Mobile App Static Analysis Tool
StaCoAn is a cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing mobile app static analysis on the code of the application for both native Android and iOS applications.
snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.


Comments are closed.