GRR Rapid Response: remote live forensics for incident response
Hilko Bengen
@hillu
I always assumed that using HTTP + the GRR-specific protocol instead of HTTPS for client/server communication was about avoiding trouble with middle-boxes that MITM TLS connections. (Was that not the main design choice there?) Why are you switching away from that model for fleetspeak?
Keith Tyler
@keithtyler
With ~30K, the MySQL backend doesn't seem to work for enterprise hunts. Are you planning on making this a bit more scalable?
Hilko Bengen
@hillu
Will there be a tool for migrating the existing data to the new DS?
Keith Tyler
@keithtyler
Memory imaging is pretty useful; any possibility of keeping that functionality in?
Hilko Bengen
@hillu
Keeping Rekall around would probably need somebody who wants to take care of it.
(Somebody outside Google?)
(Is Michael Cohen no longer working on Rekall?)
Or on pmem, for that matter?
Thank you, that was the information I was looking for.
briareosiso
@briareosiso
Hey all, I have a question about authentication with GRR.
Can I use LDAP?
Hilko Bengen
@hillu
Not out of the box. You'd have to add your own webauth manager. See "Authentication to the Admin UI" in the documentation.
Installed GRR properly on a Windows system, but how do I run it?
GalacticMaster
@GalacticMaster
Hey, I am using the client API to capture last_seen_at, but it is giving me a 16-digit number.
The API doc shows it is the RDFDatetime data type.
How do I convert it to a normal date and time?
Flipthemouse
@flipthemouse_twitter
Hi folks. I need your help. How can I get the memory with AnalyzeClientMemory and Memory Collector on the GRR server? I saw it in several videos, but I think I am missing some component. Also, is there a way to enable or get "Volatility" running on the GRR server? Many thanks.
Andreas Moser
@grrrrrrrrr
What is the actual issue you see? In order to make Rekall (so AnalyzeClientMemory and MemoryCollector) work, you need to enable it during installation or with the config_updater. Note that Rekall is not supported in GRR at this time.
Braz
@b2az
Hi guys, is there somebody here who has deployed GRR agents on > 100k clients?
Sanh Phan Van
@SanhPhanVan1_twitter
Hi everyone, I have just installed GRR on CentOS 7 using PIP packages, but where is grr_client_build?
mbushkov
@mbushkov
@SanhPhanVan1_twitter, you need to install the grr-response-client package in order to have grr_client_build.
@SanhPhanVan1_twitter, you're right. Thing is, you don't need grr-response-client and grr_client_build unless you want to build GRR clients yourself. GRR is shipped with a few prebuilt client templates that are downloaded when you run "grr_config_updater initialize". I guess we should update the docs and mention that you need grr-response-client if you also need to build clients from scratch.
Sanh Phan Van
@SanhPhanVan1_twitter
Thank you so much @mbushkov.
I want to use Rekall for remote memory forensics; however, Rekall is disabled in my configuration.
Sanh Phan Van
@SanhPhanVan1_twitter
How can I enable it? There are not many resources about GRR.
Sanh Phan Van
@SanhPhanVan1_twitter
What is the actual issue you see? In order to make Rekall (so AnalyzeClientMemory and MemoryCollector) work, you need to enable it during installation or with the config_updater. Note that Rekall is not supported in GRR at this time.
@grrrrrrrrr How do I "enable it during installation or with the config_updater"?
Andreas Moser
@grrrrrrrrr
Have you gone through the installation process? It will ask you a few questions at some point; one is about Rekall.