
GRR Live Memory Analysis

I wanted to write a quick follow-up to the last article discussing building out a GRR server. The one functionality that was having issues was live memory analysis, and I thought this may have had something to do with the changeover from Volatility to Rekall. After troubleshooting this for a while and posting to the users group, I realized that this was a testing environment issue.

When I was originally testing, I was using the default Amazon AWS environment. In the latest wave of testing I was using a private VPC with a subnet that had to connect out via a Squid proxy. Michael Cohen explained that “The way this works is that the client asks the server, the server asks the public repository and then caches it in the data store for next time.” This makes perfect sense from several perspectives, but I just didn’t realize this was happening until it didn’t work. Even with the Squid proxy I was unable to get this to work automatically and just moved on to manually loading the profiles as Michael explained in this post.

Also, Andy explained in a post early last year that Linux does in fact require a driver to dump memory, but it doesn’t come with GRR because it needs to be manually compiled for the exact version of the running kernel. I haven’t taken on this challenge yet either, and I’m not sure it will work out at all depending on whether anything related to the drivers is built into the client. I’m hoping not because I’m working with a very large variety of clients and kernels…there is no standard.

As far as the client memory functions working correctly, I’ve mostly been banging on the Windows side of things and haven’t had any issues at all. I did a quick pslist and psscan on the OS X side of the house and it didn’t fail out, but didn’t return any results either. I’m thinking this may be related to the version of OS X and whether a profile is available yet…I don’t know and need to dig into it when I get some time.

I’ve been really focusing on scalability as I’ve been tinkering with the server for ad-hoc jobs and running 24/7 on a variety of ~50 systems (workstations and servers of all flavors). This will be another post in the near future…
