What is GRR?
This incident response framework is an open source tool used for live forensics. It follows a client/server model: the GRR client (agent) is deployed on the system under investigation, and the GRR server provides a web interface and API for viewing the collected data. It offers cross-platform support for Linux, Windows and OS X and ships with hundreds of forensic artifact definitions.
This tool isn't for beginners: you need to be familiar with UI servers, Fleetspeak and different forensic frameworks, as well as with troubleshooting Python servers. Installation instructions for the server component can be found here. Once the server is installed, you can log in to the Admin UI and download the appropriate client installer for the system you are investigating.
GRR Client Features
The main features of the GRR client include live analysis using the YARA library, The Sleuth Kit built into the client, and search capabilities inside the Windows Registry. The client runs on Windows, Linux and OS X, and its CPU and memory usage can be monitored from the server component.
The client offers a secure communication infrastructure built for internet deployment. This means you can use a tool like InfectionMonkey to deploy the GRR client over a network connection. The SleuthKit module also allows raw filesystem access. The client and server work together to make artifact collection fast and simple.
GRR Server Features
The server component offers enterprise-wide hunting with Fleetspeak, powerful export features, and a full-scale back end that supports large deployments. It has an AngularJS UI and client libraries in Python, PowerShell and Go. The RESTful JSON API and plugins make this a very capable incident response and forensic investigation tool. It supports automated scheduling and can work with a large fleet of laptops and desktops; it can also monitor IoT devices. The server component only supports 64-bit Ubuntu 18.04+.
Conclusion
This is a great tool with many applications. There is a basic use-case Docker image on the GRR documentation page where you can test it out. The program works with a little tweaking on Ubuntu under WSL, and wow. This tool is going 3/5 in my book. Great work by Google on this one.