{"id":4004,"date":"2016-04-26T02:54:58","date_gmt":"2016-04-25T18:54:58","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4004"},"modified":"2016-04-26T02:56:16","modified_gmt":"2016-04-25T18:56:16","slug":"google-rapid-response-grr-remote-live-forensics-for-incident-response","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2016\/04\/google-rapid-response-grr-remote-live-forensics-for-incident-response\/","title":{"rendered":"Google Rapid Response (GRR ) – Remote Live Forensics For Incident Response"},"content":{"rendered":"

GRR Rapid Response is an incident response framework focused on remote live forensics. It is based on a client-server architecture: an agent is installed on the target systems, and a Python server infrastructure manages and communicates with those agents.

\"Google<\/p>\n

There are agents for Windows, Linux and Mac OS X environments.

Overview

To function, an agent is deployed on each system that one might want to investigate. Once deployed, each such system becomes a GRR client and can start receiving messages from the frontend servers. Each message tells the client to run a specific client action and return the results. A client action is simply a piece of well-known code that the agent knows how to execute (such as obtaining the list of files in a directory or reading a buffer from a file).

These actions are invoked server-side through what we call flows. A flow is a piece of server-side code that asks the GRR system to schedule remote calls to a client, plus some additional logic that decides what to do based on the results of those calls.

A flow runs on a client because a user initiated it. To do so, the user most likely used the web-based Graphical User Interface (GUI), which allows a GRR user to start flows for clients and review the results; the text-based console can be used to do the same.

Any flow that can be run on a single machine can also be run as a Hunt. A hunt runs a flow on all of the machines talking to the GRR server, or on any subset of them.

Client Features