GRR Rapid Response


GRR Rapid Response is an incident response framework focused on remote live forensics: an agent installed on endpoints lets an analyst collect and examine evidence from them remotely while they keep running.

Architecture

  • GRR Server - Provides a web-based graphical interface (the Admin UI) from which the analyst schedules actions on one or more clients. The server is made up of several components:
    • frontends (receive and queue messages from clients)
    • workers (process the queued client responses and run the server side of each action)
    • UI (the Admin UI used by the analyst)
  • GRR Client - The agent installed on the system under investigation. Clients run on Windows, MacOS and Linux.

Installation

Server Setup

You need to have a MySQL server configured and running before installing the GRR server. On Debian/Ubuntu:

sudo apt-get update
sudo apt-get install mysql-server
sudo mysql_secure_installation

Confirm the service is active:

systemctl status mysql.service

Then download and install the GRR server package:

wget https://storage.googleapis.com/releases.grr-response.com/grr-server_3.2.1-1_amd64.deb
sudo apt install -y ./grr-server_3.2.1-1_amd64.deb

After installation, the GRR administrative commands, e.g. grr_console and grr_config_updater, should be available in your PATH.
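The server setup steps above collected into one script, as an added example rather than anything shipped by the GRR project. It assumes a Debian/Ubuntu host with root or sudo, uses the package version and download URL from this page, and adds what the manual steps lack: a root check, a verification that MySQL is actually active before the GRR package is installed, and a check afterwards that the administrative commands are on PATH. The `install` and `check` subcommands and the `GRR_VERSION` override are my own naming.

```bash
#!/usr/bin/env bash
# Added example, not part of the GRR project: automates the server setup
# steps above on Debian/Ubuntu and verifies the result.
#   sudo bash grr_server_setup.sh install   # install MySQL and the GRR server deb
#   bash grr_server_setup.sh check          # verify MySQL is up and GRR tools are on PATH
# With no subcommand the script only defines its functions (so it can be sourced).
set -euo pipefail

GRR_VERSION="${GRR_VERSION:-3.2.1-1}"   # release used on this page; override via env
GRR_RELEASES="https://storage.googleapis.com/releases.grr-response.com"
GRR_TOOLS="grr_console grr_config_updater"   # admin commands that must end up on PATH

# Package file name and download URL for a given server version.
grr_deb_name() { printf 'grr-server_%s_amd64.deb\n' "$1"; }
grr_deb_url()  { printf '%s/%s\n' "$GRR_RELEASES" "$(grr_deb_name "$1")"; }

# Succeed only if every tool in $1 (space separated) is an executable file in one of
# the colon-separated directories in $2 (default: $PATH); report the missing ones.
tools_on_path() {
  local tools="$1" search="${2:-$PATH}" tool dir found missing="" saved_ifs="$IFS"
  for tool in $tools; do
    found=0
    IFS=:
    for dir in $search; do
      if [ -x "$dir/$tool" ]; then found=1; break; fi
    done
    IFS="$saved_ifs"
    [ "$found" -eq 1 ] || missing="$missing $tool"
  done
  if [ -n "$missing" ]; then
    echo "missing from PATH:$missing" >&2
    return 1
  fi
}

mysql_active() { systemctl is-active --quiet mysql.service; }

install_mysql() {
  apt-get update
  DEBIAN_FRONTEND=noninteractive apt-get install -y mysql-server
  systemctl enable --now mysql.service
  # Interactive hardening: root password, drop anonymous users and the test database.
  mysql_secure_installation
}

install_grr_server() {
  local deb tmp
  deb="$(grr_deb_name "$GRR_VERSION")"
  tmp="$(mktemp -d)"
  wget -q -O "$tmp/$deb" "$(grr_deb_url "$GRR_VERSION")"
  apt-get install -y "$tmp/$deb"   # a path containing '/' makes apt treat it as a local .deb
  rm -rf "$tmp"
}

check_install() {
  mysql_active || { echo "MySQL is not running; the GRR server needs it" >&2; return 1; }
  tools_on_path "$GRR_TOOLS"
  echo "MySQL is active and the GRR admin commands are on PATH"
}

case "${1:-}" in
  install)
    [ "$(id -u)" -eq 0 ] || { echo "install must run as root (use sudo)" >&2; exit 1; }
    install_mysql
    mysql_active || { echo "MySQL failed to start; not installing GRR" >&2; exit 1; }
    install_grr_server
    check_install
    ;;
  check) check_install ;;
  "") ;;
  *) echo "usage: $0 {install|check}" >&2; exit 2 ;;
esac
```

The `check` subcommand is the useful part after a manual install too: it fails loudly if MySQL is down or if the package did not put `grr_console` and `grr_config_updater` on PATH, which are the two conditions the next steps on this page depend on.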

Reference Install Docs

Client Setup

MacOS/Linux

The installation process is the same for Linux and MacOS. The client installers are downloaded from the Admin UI: on the left-hand side of the screen there is a "Manage Libraries" section, which holds the installers for Windows, Linux, and MacOS. Install the package for the client's platform with the system's normal package tools; the installer also registers the client as a system service so it starts at boot and polls the server.

Stopping the service on MacOS can be done with the following command:

sudo launchctl unload /Library/LaunchDaemons/com.google.corp.grr.plist