Perancangan Aplikasi untuk Remote Live Forensics menggunakan GRR Rapid Response Arif Wahyudi (1252 31 33)

Upload: arif-wahyudi

Post on 10-Apr-2017


TRANSCRIPT

Page 1: Presentation Progress TA

Perancangan Aplikasi untuk Remote Live Forensics menggunakan GRR Rapid Response

Arif Wahyudi (1252 31 33)

Page 2:

Agenda

➔ Introduction to GRR: what, who, when, why, how, where?

➔ Installing GRR: fast installation with a script or Docker infrastructure

➔ Deployment & configuration: configuring the GRR server & configuring the agent.

➔ Creating artifacts: a simple artifact for Chrome, Safari, Firefox, IE

➔ Testing file authenticity: hash verification (MD5, SHA256, SHA1)

Page 3:

Abstract

GRR stands for Google Rapid Response and is a multi-platform remote live forensics framework built and deployed by Google's IR (Incident Response) staff. The main motivation for building GRR Rapid Response is to improve readiness for analysis and investigation, by lowering the cost of investigation and raising the quality of the digital evidence obtained. Its main feature is collecting information from the agent systems under analysis through a remote intermediary, and it also provides detailed monitoring of the client's (agent's) CPU, memory, I/O usage and so on.

Page 4:

“SANS” “a combination of description, location, and interpretation”

More Info

https://github.com/google/grr

https://digital-forensics.sans.org/blog/2012/10/06/digital-forensics-case-leads-open-source-forensics-edition

Page 5:

GRR RAPID RESPONSE

Page 6:

INVESTIGATOR: 192.168.119.5/24

USER 1: 192.168.119.6

USER 2: 192.168.119.7

USER 3: 192.168.119.8

USER 4: 192.168.119.9

USER 5: 192.168.119.10

USER 6: 192.168.119.11

Page 7:

Installation Server

Requirements: a Linux box with Ubuntu Xenial Server 64-bit; more than 1 GB RAM recommended.

Follow these instructions for an automated install on an Ubuntu system:

wget https://raw.githubusercontent.com/google/grr/master/scripts/install_script_ubuntu.sh

sudo bash install_script_ubuntu.sh

sudo systemctl restart grr-server

Client.server_urls: http://192.168.119.128:8000

Page 8:

Repack New Clients


The last step is to repack the clients after changing the HTTP server IP in the config file, and upload them to the datastore:

sudo grr_config_updater repack_clients --upload

sudo grr_config_updater repack_clients

Page 9:

Installation Clients

Manage Binaries → executables → Windows → installers. Download the client you need.

For Windows you will see a 32- and a 64-bit installer. Run the installer as admin (it should show the UAC prompt if you are not admin). It should run silently and install the client to c:\windows\system32\grr\%version%\. It will also install a Windows service, start it, and configure the registry keys to make it talk to the URL/server you specified during the repack of the clients on the server.

For OSX you will see a pkg file; install the pkg.

For Linux you will see a deb and rpms; install the appropriate one.


Page 10:

#3 ARTIFACT MANAGER

DEMO

Page 11:

#4 HUNTING PROCESS

DEMO

Page 12:

#5 HASH FILE

DEMO
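The hash verification step from the agenda (MD5, SHA1, SHA256) worked through as an added example; this is not code from the slides or from the GRR project. It assumes the expected digests were copied from what GRR records for the collected file, and the sample files are constructed in a temp directory.

```python
import hashlib
import os
import tempfile

# The three algorithms named on the slide; each one is checked independently.
ALGORITHMS = ("md5", "sha1", "sha256")

def compute_hashes(path, chunk_size=1 << 20):
    """Read the file once, streaming in chunks so large files fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_file(path, expected):
    """Return {algorithm: (computed_digest, matches)}; digests compared case-insensitively."""
    if not expected:
        raise ValueError("no digests to check")
    unknown = set(expected) - set(ALGORITHMS)
    if unknown:
        raise ValueError(f"unsupported algorithm(s): {sorted(unknown)}")
    computed = compute_hashes(path)
    return {name: (computed[name], computed[name] == expected[name].lower())
            for name in expected}

def is_authentic(path, expected):
    """True only when every supplied digest matches; a single mismatch fails."""
    return all(ok for _, ok in verify_file(path, expected).values())

def make_sample(content, name="sample.bin"):
    """Write constructed sample bytes into a fresh temp dir and return the path."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as fh:
        fh.write(content)
    return path

if __name__ == "__main__":
    # Constructed case: the well-known digests of the empty file, checked
    # against an untouched copy and against a copy with one byte appended.
    recorded = {"md5": "d41d8cd98f00b204e9800998ecf8427e",
                "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
                "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
    print("untouched:", is_authentic(make_sample(b""), recorded))  # True
    print("tampered:", is_authentic(make_sample(b"x"), recorded))  # False
```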

Page 13:

MORE INFO GRR: https://github.com/google/grr

Mailing List: [email protected]

My [email protected]
