Digital Forensics and Incident Response in The Cloud
0 likes•134 views
The document discusses digital forensics tools, specifically GRR (an incident response tool developed by Google) and Velociraptor (an evolving project aimed at improving GRR). It highlights the strengths and weaknesses of both tools, including GRR's collaborative artifact specification but intensive database requirements, and Velociraptor's greater flexibility and easier deployment. Additionally, it touches on osquery, a tool that allows SQL-like queries on host operating systems, and vql, a plugin-based extension for enhanced querying capabilities.
Digital Forensics and Incident Response in The Cloud
- 1. Digital Forensics and Incident Response in the Cloud Dr. Michael Cohen Velocidex Innovations. https://www.velocidex.com/
- 2. Part 3: GRR and Velociraptor
- 3. ✘ Incident response tool developed by Google ✘ Agent based ✘ Written in Python ✘ Opensource ✘ Used internally by Google - battle tested ✗ Although not in quite the same configuration as open source. What is GRR?
- 4. Main GRR architecture Frontend Client Worker MySQL DB Admin UI Encrypted over HTTP
- 5. GRR Strengths ✘ Artifacts - a collaborative way of specifying and sharing forensic artifacts ✘ Very easy to install ✘ Ability to do a “hunt” - collect the same data across every node ✗ Can group hunts by label. ✘ Very good and intuitive UI ✗ This also has an external API surface.
- 6. GRR - Weaknesses ✘ Very intensive on DB ✗ Lots of traffic between components ✗ No clear data expiration path (policy is to collect everything on all clients forever). ✘ Large files are stored in DB ✘ Building clients is hard due to Python. ✗ The GRR team has done lots of great work on making this slightly easier but it’s hard to modify the client. ✗ GRR client is inflexible but can run arbitrary code.
- 7. What is Velociraptor ✘ Still an immature project! ✘ The aim is to improve and build on GRR ✗ Client written in GO: ■ Makes it easier to deploy, package and rebuild. ✗ Supports VQL as the main mode of operation ■ Easier to adapt to changing requirements. ■ Very flexible. ✘ Open source, supported by Velocidex Innovations.
- 8. What is OSQuery? ✘ A flexible tool that makes your OS look like a database ✘ Use SQL SELECT queries to query the host OS
- 9. OSQuery ✘ Very flexible ✗ Can join 2 or more tables to make really powerful queries. "logged_in_users": { "query" : "select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;", "interval" : "3600", "platform": "posix", "version" : "1.4.5", "description" : "Retrieves the list of all the currently logged in users in the target system.", "value" : "Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise."
- 10. What is VQL? ✘ An extension of SQL based on EFilter: ✗ Instead of tables, provides plugins which can take arguments. ✗ Has a more natural progression of joining outputs into input of plugins. Subselect result is presented as a plugin arg
- 13. THANKS! Any questions? You can find me at ✘ [email protected] ✘ https://www.velocidex.com