Google Rapid Response (GRR) – Remote Live Forensics For Incident Response
Published 2016-04-26 on darknet.org.uk
Link: https://www.darknet.org.uk/2016/04/google-rapid-response-grr-remote-live-forensics-for-incident-response/

GRR Rapid Response is an incident response framework focused on remote live forensics. It is based on a client-server architecture: an agent is installed on target systems, and a Python server infrastructure manages and communicates with those agents.
There are agents for Windows, Linux and Mac OS X environments.
To function, an agent is deployed on the systems one might want to investigate. Once deployed, each system becomes a GRR client and can start receiving messages from the frontend servers. Each message tells the client to run a specific client action and return the results. A client action is simply some well-known code the agent knows how to execute (such as obtaining the list of files in a directory or reading a buffer from a file).
These actions are invoked server-side through what we call flows. A flow is a piece of server-side code that asks the GRR system to schedule remote calls to a client and has some additional logic to decide what to do based on the call results.
A flow runs on a client because a user initiated it. To do so, the user most likely used the web-based Graphical User Interface (GUI), which allows a GRR user to start flows for clients and review the results, or the text-based console, which can do the same.
Any flow that can be run on a single machine can also be run as a Hunt. A hunt allows running a flow on all, or any subset of, the machines talking to the GRR server.
You can download GRR here:
1. Run the Docker image, info here: https://github.com/google/grr-doc/blob/master/docker.adoc
2. Install fresh on a Linux system, needs 1GB RAM (AWS free instance isn’t powerful enough):

wget https://raw.githubusercontent.com/google/grr/master/scripts/install_script_ubuntu.sh
sudo bash install_script_ubuntu.sh