SBM Labs

Cyber Security Collaboration Project

Google Rapid Response. Introduction.
23 Nov 2017

How do you collect evidence during a security incident investigation? Where do you store it? Who has access to it?

I am going to give a short overview of a useful forensic framework. Get acquainted: Google Rapid Response (GRR).

1. Installation.

First of all, we need to install the GRR server.

$ sudo apt install -y debhelper dpkg-dev python-dev python-pip rpm zip
$ wget https://storage.googleapis.com/releases.grr-response.com/grr-server_3.2.0-1_amd64.deb
$ sudo dpkg -i grr-server_3.2.0-1_amd64.deb

After the installation has completed you can access the Admin UI and download the clients from it. By default the Admin UI listens on 8000/TCP.

Remember: if you change configuration settings that are used by GRR clients, you have to repack the clients, because those values are baked into the client packages. Frontend.bind_port is one example of such a setting.

$ sudo grr_config_updater repack_clients
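As an added example (not code from the original post or from the GRR project), the small POSIX shell helper below reads a flat GRR-style server config and decides whether the deployed clients need repacking: it compares the configured Frontend.bind_port against the port the clients were packed with (8080/TCP, the default named later in this post). The config file layout, the sample values and the idea that clients were last packed against 8080 are assumptions for the example; a real config lives in a path such as /etc/grr/server.local.yaml.

```shell
#!/bin/sh
# Added example: decide whether `grr_config_updater repack_clients` is needed
# after editing the server config. Not part of GRR itself.
#
# Assumptions (not stated in the post):
#  - the config is a flat YAML file with top-level "Key: value" lines
#  - the deployed clients were last packed against Frontend.bind_port 8080

# cfg_value FILE KEY: print the value of a top-level "Key: value" line.
cfg_value() {
  awk -v key="$2" -F': *' '$1 == key { sub(/[ \t]+$/, "", $2); print $2; exit }' "$1"
}

# needs_repack FILE [PACKED_PORT]: exit 0 (true) when the configured frontend
# port no longer matches the port baked into the deployed clients.
needs_repack() {
  cfg="$1"
  packed="${2:-8080}"
  port=$(cfg_value "$cfg" Frontend.bind_port)
  if [ -z "$port" ]; then
    port=8080   # key absent: GRR falls back to its built-in default
  fi
  [ "$port" != "$packed" ]
}

# repack_advice FILE [PACKED_PORT]: print the next action for the operator.
repack_advice() {
  if needs_repack "$1" "$2"; then
    echo "Frontend.bind_port changed: run 'sudo grr_config_updater repack_clients'"
  else
    echo "client settings unchanged: no repack needed"
  fi
}

# --- constructed sample configs (hypothetical values, not a real deployment) ---
tmpdir=$(mktemp -d)
cat > "$tmpdir/changed.yaml" <<'EOF'
Frontend.bind_port: 8443
AdminUI.port: 8000
EOF
cat > "$tmpdir/default.yaml" <<'EOF'
AdminUI.port: 8000
EOF

repack_advice "$tmpdir/changed.yaml" 8080
repack_advice "$tmpdir/default.yaml" 8080
```

Run it after every edit to the server config; the first sample reports that a repack is required because the frontend port moved from 8080 to 8443, the second reports nothing to do because only the Admin UI port (a server-side setting) is present.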

2. Usage.

After the agents have connected to your server you can run different flows in order to collect evidence. By default GRR clients talk to the server frontend on port 8080/TCP.

Linux agent: host information; filesystem information; network information; processes information.

Windows agent: host information; filesystem and registry information; network information; processes information.

It's cool, isn't it?