Google (GRR) Rapid Response – Incident Response Framework

GRR consists of an agent (client) that can be deployed to a target system, and
server infrastructure that can manage and talk to the agent.

Client Features:

  • Cross-platform support for Linux, Mac OS X and Windows clients.
  • Live remote memory analysis using open source memory drivers for Linux, Mac
    OS X and Windows, and the Rekall memory
    analysis framework.
  • Powerful search and download capabilities for files and the Windows registry.
  • Secure communication infrastructure designed for Internet deployment.
  • Client automatic update support.
  • Detailed monitoring of client CPU, memory, IO usage and self-imposed

Server Features:

  • Fully fledged response capabilities handling most incident response and
    forensics tasks.
  • OS-level and raw file system access, using the SleuthKit (TSK).
  • Enterprise hunting (searching across a fleet of machines) support.
  • Fully scalable back-end to handle very large deployments.
  • Automated scheduling for recurring tasks.
  • Fast and simple collection of hundreds of digital forensic artifacts.
  • Asynchronous design allows future task scheduling for clients, designed to
    work with a large fleet of laptops.
  • Ajax Web UI.
  • Fully scriptable IPython console access.
  • Basic system timelining features.
  • Basic reporting infrastructure.



  • A linux box. At the moment the full install is thoroughly tested end to end on Ubuntu Server 14.04 64-bit [1]. It works on other things fine [2], but that is what it’s tested on.

  • Recommend > 1GB Ram and a modern CPU if you want to run everything on one box
    (note that free Amazon EC2 instances don’t have enough RAM).

  • Some clients to talk to the server. OSX, Windows and Linux agents are

Making it Go

Download the installation script e.g. using wget:

wget https://raw.githubusercontent.com/google/grr/master/scripts/install_script_ubuntu.sh

Run the installation script:

sudo bash install_script_ubuntu.sh

Read more at:

Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

Most Popular

What Makes ICS/OT Infrastructure Vulnerable?

Infrastructure security for operational technologies (OT) and industrial control systems (ICS) varies from IT security in several ways, with the inverse confidentiality, integrity, and...

Everything You Must Know About IT/OT Convergence

What is an Operational Technology (OT)? Operational technology (OT) is a technology that primarily monitors and controls physical operations. It can automate and control machines,...

Understand the OT Security and Its Importance

This article discusses OT security and why it is essential for protecting industrial systems from cyberattacks. We will also discuss common control objectives that can...

What is Deepfake, and how does it Affect Cybersecurity?

Producing deepfake is easy. It is hard to detect. They operate with a description of reality rather than reality itself (e.g., a video). Any...