GRR Rapid Response is an incident response framework focused on remote live forensics.
The goal of GRR is to support forensics and investigations in a fast, scalable manner to allow analysts to quickly triage attacks and perform analysis remotely.
GRR consists of two parts: a client and a server.
The GRR client is deployed on the systems one may want to investigate. Once deployed, each client periodically polls the GRR frontend servers for work, where "work" means running a specific client action: downloading a file, listing a directory, and so on. Because the client initiates every connection, no inbound port has to be opened on the endpoint, but it also means an action scheduled by an analyst is only executed when the client next checks in.
The GRR server infrastructure consists of several components (frontends, workers and UI servers). It provides a web-based graphical user interface and an API endpoint that let analysts schedule actions on clients and view and process the collected data.
Key Features
- Client:
  - Live remote memory analysis using the YARA library.
  - Powerful search and download capabilities for files and the Windows registry.
  - OS-level and raw file system access, using The Sleuth Kit (TSK).
  - Secure communication infrastructure designed for Internet deployment.
  - Detailed monitoring of client CPU, memory and IO usage, with self-imposed limits.
  - Cross-platform support for Linux, OS X and Windows clients.
- Server:
  - Fully fledged response capabilities handling most incident response and forensics tasks.
  - Enterprise hunting (searching across a fleet of machines) support.
  - Fast and simple collection of hundreds of digital forensic artifacts.
  - AngularJS Web UI and RESTful JSON API with client libraries in Python, PowerShell and Go.
  - Powerful data export features supporting a variety of formats and output plugins.
  - Fully scalable back-end capable of handling large deployments.
  - Automated scheduling for recurring tasks.
  - Asynchronous design that queues tasks for clients that are currently offline, so it works with a large fleet of laptops.
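The schedule-and-collect workflow that the API endpoint and the Python client library expose (an analyst asks the server to run an action, the client picks it up on its next poll, results come back through the API), as an added example written for this page; it is not code from the GRR project. It uses the GRR Python API client (package grr_api_client) as the editor understands it: InitHttp, SearchClients, Client, types.CreateFlowArgs, CreateFlow, WaitUntilDone and ListResults. The endpoint http://localhost:8000, the credentials, the host query, the target paths and the FileFinderResult field layout (stat_entry.pathspec.path, stat_entry.st_size) are assumptions.

```python
"""Schedule a GRR FileFinder flow on matching clients and collect the results.

Added example, not GRR project code. API calls (InitHttp, SearchClients,
Client, types.CreateFlowArgs, CreateFlow, WaitUntilDone, ListResults) are
the grr_api_client library as understood by the editor; endpoint, credentials,
host query, paths and result field names are assumptions.
"""


def find_client_ids(grrapi, query):
    """Return the client IDs matching a GRR client search query, e.g. 'host:web01'."""
    return [client.client_id for client in grrapi.SearchClients(query)]


def build_file_finder_args(grrapi, paths, download=True):
    """Build FileFinder flow arguments: which paths to match and what to do with hits.

    DOWNLOAD fetches file contents to the server; STAT only records metadata,
    which is the cheaper choice when triaging many hosts."""
    args = grrapi.types.CreateFlowArgs("FileFinder")
    args.paths.extend(paths)
    args.action.action_type = args.action.DOWNLOAD if download else args.action.STAT
    return args


def collect_files(grrapi, client_id, paths, download=True):
    """Schedule FileFinder on one client, wait for the flow to finish and
    return the result payloads (FileFinderResult messages)."""
    client = grrapi.Client(client_id)
    flow = client.CreateFlow(name="FileFinder",
                             args=build_file_finder_args(grrapi, paths, download))
    # The client only sees the flow on its next poll, so this can block for a
    # while on a laptop that is offline; nothing runs on the endpoint until then.
    flow.WaitUntilDone()
    return [result.payload for result in flow.ListResults()]


def summarize(payloads):
    """Map each hit's path to its size, taken from the stat entry of the result."""
    return {p.stat_entry.pathspec.path: p.stat_entry.st_size for p in payloads}


if __name__ == "__main__":
    from grr_api_client import api  # pip install grr-api-client (assumed package name)

    # Assumed: a GRR AdminUI/API server on localhost:8000 and these credentials.
    grrapi = api.InitHttp(api_endpoint="http://localhost:8000",
                          auth=("admin", "password"))
    for cid in find_client_ids(grrapi, "host:web01"):
        hits = collect_files(grrapi, cid, ["/etc/passwd", "/etc/ssh/sshd_config"])
        for path, size in summarize(hits).items():
            print(cid, path, size)
```

The functions take the API root object as a parameter rather than creating it, so the scheduling logic can be exercised against a fake in tests and the real connection only happens under the `__main__` guard. Running the script against a live server requires the GRR API client package and an account with permission to start flows on the matched clients.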
Website: github.com/google/grr
Support: Mailing List
Developer: Mikhail Bushkov, Ben Galehouse, Łukasz Hanuszczak, Andreas Moser, Denver Ogaro, Max Vogler
License: Apache License 2.0

GRR is written in Python. Learn Python with our recommended free books and free tutorials.
Related Software
| Digital Forensics Tools | Description |
|---|---|
| GRR Rapid Response | Remote live forensics for incident response |
| Radare2 | Portable reversing framework |
| The Sleuth Kit | Collection of tools for forensic analysis |
| Autopsy Forensic Browser | Graphical interface to SleuthKit |
| iaito | Official graphical interface for radare2 |
| Volatility | Advanced memory forensics framework |
| guymager | Forensic imaging tool based on Qt |
| dcfldd | Enhanced version of dd for forensics and security |
| rdd | Forensic copy program |
| Jomon | Network forensics and passive sniffer |
| Mozilla InvestiGator | Real-time digital forensics and investigation platform |
Read our verdict in the software roundup.
| Incident Response | Description |
|---|---|
| GRR | Remote live forensics for incident response |
| GoAlert | On-call scheduling, automated escalations and notifications |
| Alertmanager | Handles alerts sent by client applications such as the Prometheus server |
| Velociraptor | Endpoint visibility and collection tool |
| FIR | Cybersecurity incident management platform |
| Dispatch | Manage security incidents by deeply integrating with existing tools |
| Cabot | Monitoring and alerts service |
| Iris | Automated incident paging system at LinkedIn |
Read our verdict in the software roundup.