GRR Rapid Response
GRR Rapid Response is an incident response framework focused on remote live forensics.
Architecture
- GRR Server - Provides a web-based graphical interface (the Admin UI) through which the analyst schedules actions (flows) against one or more clients. The server is made up of several components:
  - frontends - accept connections from the clients and queue their messages
  - workers - process the queued messages and run the flows
  - UI - the web interface the analyst works in
- GRR Client - The system under investigation; clients can run Windows, MacOS or Linux.
Installation
Server Setup
The GRR server needs a MySQL server that is installed, secured and running before the GRR package is installed.
```bash
sudo apt-get update
sudo apt-get install mysql-server
sudo mysql_secure_installation
systemctl status mysql.service
```
```bash
wget https://storage.googleapis.com/releases.grr-response.com/grr-server_3.2.1-1_amd64.deb
sudo apt install -y ./grr-server_3.2.1-1_amd64.deb
```
After installation, the GRR administrative commands, e.g. grr_console and grr_config_updater, should be available in your PATH.
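The server steps above, collected into one scripted procedure that refuses to continue when a prerequisite is missing. This is an added example, not code from the GRR project: it assumes the package filename and download URL given above, the systemd unit name mysql.service, and that the operator supplies the package's expected SHA-256 in GRR_DEB_SHA256 (the page lists no digest, so the value is an assumption you obtain out of band).

```bash
#!/bin/sh
# Preflight/install helper for the GRR server steps above. Added example,
# not GRR project code. Assumptions: package name and URL from the page,
# systemd unit "mysql.service", and an operator-supplied SHA-256 in
# GRR_DEB_SHA256 (the page gives none).
set -eu

GRR_DEB="${GRR_DEB:-grr-server_3.2.1-1_amd64.deb}"
GRR_DEB_URL="https://storage.googleapis.com/releases.grr-response.com/${GRR_DEB}"

# 0 if the command resolves on PATH, 1 otherwise.
have_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# 0 if every listed command is on PATH; otherwise print each missing one and return 1.
missing_cmds() {
    _rc=0
    for _c in "$@"; do
        if ! have_cmd "$_c"; then
            echo "missing from PATH: $_c"
            _rc=1
        fi
    done
    return "$_rc"
}

# 0 if MySQL is active under systemd (the page's status check, made scriptable).
mysql_is_active() {
    have_cmd systemctl && systemctl is-active --quiet mysql.service
}

# Compare a file's SHA-256 with an expected lowercase hex digest; 0 on match.
verify_sha256() {
    _actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$_actual" = "$2" ]
}

main() {
    if ! mysql_is_active; then
        echo "MySQL is not running; start it before installing GRR" >&2
        exit 1
    fi
    [ -f "$GRR_DEB" ] || wget -O "$GRR_DEB" "$GRR_DEB_URL"
    if [ -n "${GRR_DEB_SHA256:-}" ]; then
        # Refuse to install a package whose digest does not match what the operator expects.
        verify_sha256 "$GRR_DEB" "$GRR_DEB_SHA256" || { echo "checksum mismatch for $GRR_DEB" >&2; exit 1; }
    else
        echo "warning: GRR_DEB_SHA256 not set; package not verified" >&2
    fi
    sudo apt install -y "./$GRR_DEB"
    # The page says these admin commands should now be on PATH; fail loudly if they are not.
    missing_cmds grr_console grr_config_updater
}

# Only run the procedure when invoked as: sh grr_server_preflight.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Invoke it as `GRR_DEB_SHA256=<digest> sh grr_server_preflight.sh run`; without the digest it still installs but prints a warning, so the unverified path is visible in the log rather than silent. The package's own post-install configuration step (`grr_config_updater initialize`) is not run by this script.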
Client Setup
MacOS/Linux
The installation process is the same for Linux and MacOS. The client installers are downloaded from the Admin UI: the "Manage Binaries" section on the left-hand side of the screen lists the installers for Windows, Linux and MacOS. These installers are built for your server and embed its frontend address and certificate, so use the copies served by your own Admin UI rather than a generic download.
The client service on MacOS can be stopped with the following command:
sudo launchctl unload /Library/LaunchDaemons/com.google.corp.grr.plist