
Does anyone have experience with GRR from Google?

4 Posts
3 Users
Posts: 53
Trusted Member
Topic starter

I struggled these days with GRR. Has anyone tried it? It looks like it scales up in big environments and can interact with Sleuthkit/Autopsy.


Guidance has more capabilities with their enterprise/cybersecurity suite, but it is interesting to know what is possible with open source.

Posted : 27/04/2014 12:32 pm
Posts: 3
New Member

I am using it currently for providing IR. Works well in a pinch, but you have to be gentle with it. It does use TSK in the background. My gripe is that the timeline analysis does not work well on it yet. Maybe as the product matures, it will improve.


Posted : 19/05/2014 5:50 am
Posts: 53
Trusted Member
Topic starter

Just installed 0.2.10-1 on the server side (Ubuntu 14.04 LTS). Installation runs without any problem. Now I need to set up some test clients to play with them, which needs some more time.
Autopsy/Sleuthkit is no problem/limitation on my side, as I actually use it. It looks like Autopsy 3.1.x will show some big improvements.
For timelines I use plaso/4n6time, which is currently much better than the basic timeline function in Autopsy 3.0.10. But I am looking forward to seeing the new Autopsy 3.1.x this year.

But what's your experience using it for reporting?
Have you established a 4-eye workflow/legal sign-off to access data on the client?

I had an anti-forensics case in house right now which shows the need for some kind of remote agent usage to collect evidence which is not stored in logs/registry. RAM analysis is the goal to fight back.

Posted : 25/06/2014 2:24 am
Posts: 4
New Member

I am interested in this too. I work with moderately large distributed environments, and good ol' F-Response and EE still require substantial IO back to the examiner. Over a VPN or WAN it falls flat as far as scale-out.

A "smart" agent that could push processing to the remote node would really help in certain circumstances… E.g. is this file / artifact present on these x hundred nodes…

I guess this is the space of the Mandiant MIR and Bit9/Carbon Black on the commercial side.

Posted : 21/07/2014 8:06 pm