GRR Rapid Response: remote live forensics for incident response
Python Protocol Buffer C++ HTML JavaScript Shell Other
Latest commit 90aa696 Jan 10, 2017 @destijl destijl Filestore refactor.
- Simplify file upload to filestore
- Migrate more stats reports to angular

GRR Rapid Response is an incident response framework focused on remote live forensics.

Build Status Build status

GRR is a python agent (client) that is installed on target systems, and python server infrastructure that can manage and talk to the agent.

Client Features:

  • Cross-platform support for Linux, OS X and Windows clients.
  • Live remote memory analysis using open source memory drivers for Linux, OS X and Windows via the Rekall memory analysis framework.
  • Powerful search and download capabilities for files and the Windows registry.
  • Secure communication infrastructure designed for Internet deployment.
  • Client automatic update support.
  • Detailed monitoring of client CPU, memory, IO usage and self-imposed limits.

Server Features:

  • Fully fledged response capabilities handling most incident response and forensics tasks.
  • OS-level and raw file system access, using the SleuthKit (TSK).
  • Enterprise hunting (searching across a fleet of machines) support.
  • Fully scalable back-end to handle very large deployments.
  • Automated scheduling for recurring tasks.
  • Fast and simple collection of hundreds of digital forensic artifacts.
  • Asynchronous design allows future task scheduling for clients, designed to work with a large fleet of laptops.
  • AngularJS Web UI and RESTful JSON API.
  • Fully scriptable IPython console access.
  • Basic system timelining features.
  • Basic reporting infrastructure.

See quickstart to start using it.

Contact Us

Mailing lists:

Follow us on twitter for announcements of GRR user meetups. We use a gitter chat room during meetups.