Google Rapid Response. Introduction.
23 Nov 2017
How do you collect evidence during a security incident investigation? Where do you store it? Who has access to it?
I am going to give a short overview of one useful forensic framework. Meet Google Rapid Response (GRR).
First of all we need to install the GRR server.
$ sudo apt install -y debhelper dpkg-dev python-dev python-pip rpm zip
$ wget https://storage.googleapis.com/releases.grr-response.com/grr-server_3.2.0-1_amd64.deb
$ sudo dpkg -i grr-server_3.2.0-1_amd64.deb
After the installation has completed you can access the Admin UI and download clients. The default Admin UI port is 8000/TCP.
Remember: if you change a configuration setting that the GRR clients use, for example Frontend.bind_port, you have to repack the clients so the new value is baked into them.
$ sudo grr_config_updater repack_clients
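As an added example (not part of the original post and not GRR's own tooling), a small POSIX shell helper that compares two versions of the server config and reports whether any client-facing setting changed, so you know when a repack is needed. It assumes the config is flat "Key: value" YAML and that Frontend.bind_port, Frontend.bind_address and Client.server_urls are the keys baked into clients (an assumption; the sample configs are constructed).

```shell
#!/bin/sh
# Added example, not part of the original post or of GRR itself.
# Assumption: the server config is YAML with flat "Key: value" lines, and the
# keys below are the ones baked into GRR clients (treat the list as an assumption).
CLIENT_KEYS="Frontend.bind_port Frontend.bind_address Client.server_urls"

# get_key FILE KEY: print the value of a top-level "KEY: value" line (empty if absent).
get_key() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# repack_needed OLD NEW: print each client-facing key whose value differs,
# return 0 if any differed (repack required) and 1 otherwise.
repack_needed() {
    changed=1
    for key in $CLIENT_KEYS; do
        old_val=$(get_key "$1" "$key")
        new_val=$(get_key "$2" "$key")
        if [ "$old_val" != "$new_val" ]; then
            echo "$key: '$old_val' -> '$new_val'"
            changed=0
        fi
    done
    return $changed
}

# Constructed sample configs: only the frontend port changes, and clients
# have that port baked in, so they must be repacked.
make_samples() {
    cat > /tmp/grr_old.yaml <<'EOF'
AdminUI.port: 8000
Frontend.bind_port: 8080
Client.server_urls: http://grr.example.invalid:8080/
EOF
    cat > /tmp/grr_new.yaml <<'EOF'
AdminUI.port: 8000
Frontend.bind_port: 8443
Client.server_urls: http://grr.example.invalid:8080/
EOF
}

make_samples
if repack_needed /tmp/grr_old.yaml /tmp/grr_new.yaml; then
    echo "client-facing settings changed: run 'sudo grr_config_updater repack_clients'"
fi
```

Run it against the config before and after an edit; a non-empty report means the clients you already handed out will keep using the old values until you repack and redeploy them.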
Once the agents have connected to your server you can run different flows to collect evidence. By default GRR clients talk to the frontend on port 8080/TCP.
Filesystem and Registry information.
It's cool, isn't it?