Google (GRR) Rapid Response - Incident Response Framework
GRR consists of an agent (client) that can be deployed to a target system, and server infrastructure that can manage and talk to the agent.
Client Features:
Client Features:
- Cross-platform support for Linux, Mac OS X and Windows clients.
- Live remote memory analysis using open source memory drivers for Linux, Mac OS X and Windows, and the Rekall memory analysis framework.
- Powerful search and download capabilities for files and the Windows registry.
- Secure communication infrastructure designed for Internet deployment.
- Client automatic update support.
- Detailed monitoring of client CPU, memory, IO usage and self-imposed limits.
- Fully fledged response capabilities handling most incident response and forensics tasks.
- OS-level and raw file system access, using the SleuthKit (TSK).
- Enterprise hunting (searching across a fleet of machines) support.
- Fully scalable back-end to handle very large deployments.
- Automated scheduling for recurring tasks.
- Fast and simple collection of hundreds of digital forensic artifacts.
- Asynchronous design allows future task scheduling for clients, designed to work with a large fleet of laptops.
- Ajax Web UI.
- Fully scriptable IPython console access.
- Basic system timelining features.
- Basic reporting infrastructure.
Requirements
- A linux box. At the moment the full install is thoroughly tested end to end on Ubuntu Server 14.04 64-bit [1]. It works on other things fine [2], but that is what it’s tested on.
- Recommend > 1GB Ram and a modern CPU if you want to run everything on one box (note that free Amazon EC2 instances don’t have enough RAM).
- Some clients to talk to the server. OSX, Windows and Linux agents are supported.
Making it Go
Download the installation script e.g. using wget:
wget https://raw.githubusercontent.com/google/grr/master/scripts/install_script_ubuntu.sh
Articles
0 commentaires :
Enregistrer un commentaire