Authors: Jacob Brown (Rochester Institute of Technology) and Yin Pan (Rochester Institute of Technology)
DFRWS USA 2020
Abstract
With the increasing number of devices on corporate networks spread across different geographical locations, it is becoming increasingly difficult to monitor them for security threats. Google’s GRR Rapid Response (GRR) project offers a robust remote live forensics framework that excels at gathering data from remote hosts in a fast and scalable way. GRR then uses output plugins to ship the gathered data to an external system for analysis. Presently, GRR offers six output plugins: BigQuery, CSV, email, Splunk, SQLite, and YAML. The purpose of this project is to add another output plugin to the GRR codebase so that data can be sent to a remote host using the Graylog Extended Log Format (GELF) protocol. GELF is a log format that aims to overcome the shortcomings of Syslog, such as its limited message length. Many logging systems support the GELF format, the biggest of which is its creator, Graylog. This project focuses on using Graylog to further analyze the GRR output. We believe this output plugin is necessary for a few reasons. Firstly, of the supported output plugins, only BigQuery and Splunk are enterprise-ready solutions, and both come with a license cost; as Graylog is an open-source project, a free version is offered. Secondly, if a company already uses a logging system that supports GELF, such as Graylog, a GELF output plugin gives it a very easy way to integrate GRR into that logging system. Finally, by sending data to Graylog, users can take advantage of the benefits of Elasticsearch, such as scalability, speed, and integration with graphing software such as Kibana. In our presentation, we will present the GRR GELF plugin along with real-world scenarios that demonstrate how to use GELF to interpret and analyze GRR output, helping companies perform remote live forensics.
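As an added example (this is not code from the GRR project or from the authors' plugin), the following Python sketch shows what a GELF output plugin has to produce on the wire: a GELF 1.1 JSON document with "_"-prefixed additional fields, optional gzip compression of the whole message, and the 0x1e0f chunk framing (8-byte message id, sequence number, sequence count, at most 128 chunks) that lets a message larger than one UDP datagram reach the server, which is the message-length limitation of Syslog that the abstract refers to. The receiving side is included so the round trip can be checked offline. The client id, flow name and result fields are constructed sample data, and the mapping from a GRR result onto GELF fields is an assumption for illustration, not GRR's own schema.

```python
"""GELF 1.1 encoder/decoder with UDP chunking (added example, not GRR code)."""
import gzip
import json
import os
import socket
import struct
import time

GELF_CHUNK_MAGIC = b"\x1e\x0f"   # first two bytes of every chunked GELF datagram
GELF_CHUNK_HEADER_LEN = 12       # magic(2) + message id(8) + seq no(1) + seq count(1)
GELF_MAX_CHUNKS = 128            # upper limit set by the GELF specification
GZIP_MAGIC = b"\x1f\x8b"


def build_gelf(host, short_message, full_message=None, level=6, timestamp=None, **extra):
    """Serialize one GELF 1.1 message; extra fields get the mandatory '_' prefix."""
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": time.time() if timestamp is None else timestamp,
        "level": level,            # syslog severity, 6 = informational
    }
    if full_message is not None:
        msg["full_message"] = full_message
    for key, value in extra.items():
        if key == "id":
            raise ValueError("'_id' is reserved by GELF and must not be sent")
        msg["_" + key] = value
    return json.dumps(msg, separators=(",", ":")).encode("utf-8")


def grr_result_to_gelf(client_id, flow_name, result):
    """Map a GRR-style flow result onto GELF fields (field names are assumptions)."""
    scalars = {k: v for k, v in result.items()
               if k not in ("flow", "client_id") and isinstance(v, (str, int, float))}
    return build_gelf(host=client_id,
                      short_message=f"{flow_name} result for {client_id}",
                      full_message=json.dumps(result, sort_keys=True),
                      flow=flow_name, client_id=client_id, **scalars)


def compress_gelf(payload):
    """gzip the whole message before chunking; the receiver detects the magic bytes."""
    return gzip.compress(payload)


def chunk_gelf(payload, chunk_size=8192, message_id=None):
    """Split a payload into GELF UDP chunks: magic | msg id | seq no | seq count | data."""
    if len(payload) <= chunk_size:
        return [payload]                       # fits in one datagram, no chunk header
    data_per_chunk = chunk_size - GELF_CHUNK_HEADER_LEN
    message_id = os.urandom(8) if message_id is None else message_id
    pieces = [payload[i:i + data_per_chunk] for i in range(0, len(payload), data_per_chunk)]
    if len(pieces) > GELF_MAX_CHUNKS:
        raise ValueError(f"{len(pieces)} chunks needed, GELF allows at most {GELF_MAX_CHUNKS}")
    return [GELF_CHUNK_MAGIC + message_id + struct.pack("BB", seq, len(pieces)) + piece
            for seq, piece in enumerate(pieces)]


def reassemble_gelf(datagrams):
    """Receiver side: reorder and join chunks, gunzip if needed, parse the JSON."""
    if not datagrams:
        raise ValueError("no datagrams")
    if len(datagrams) == 1 and not datagrams[0].startswith(GELF_CHUNK_MAGIC):
        raw = datagrams[0]
    else:
        parts, ids, total = {}, set(), None
        for d in datagrams:
            if not d.startswith(GELF_CHUNK_MAGIC) or len(d) < GELF_CHUNK_HEADER_LEN:
                raise ValueError("malformed GELF chunk")
            ids.add(d[2:10])
            seq, count = d[10], d[11]
            if total is not None and count != total:
                raise ValueError("inconsistent chunk count")
            total = count
            parts[seq] = d[GELF_CHUNK_HEADER_LEN:]
        if len(ids) != 1 or set(parts) != set(range(total)):
            raise ValueError("missing or mixed chunks")
        raw = b"".join(parts[i] for i in range(total))
    if raw.startswith(GZIP_MAGIC):
        raw = gzip.decompress(raw)
    return json.loads(raw.decode("utf-8"))


def send_gelf_udp(datagrams, address=("127.0.0.1", 12201)):
    """Ship each datagram to a GELF UDP input (12201 is Graylog's default port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for d in datagrams:
            sock.sendto(d, address)


if __name__ == "__main__":
    # Constructed sample result, not real GRR output.
    sample = {"path": "/etc/passwd", "size": 2048, "sha256": "ab" * 32}
    payload = grr_result_to_gelf("C.0123456789abcdef", "ClientFileFinder", sample)
    datagrams = chunk_gelf(compress_gelf(payload))
    print(len(datagrams), "datagram(s), path =", reassemble_gelf(datagrams)["_path"])
```

The per-field "_" prefix is what makes each GRR attribute individually searchable in Graylog, and the chunk-count limit is the practical ceiling for a single result: anything that still exceeds 128 chunks after gzip has to be split into several messages by the plugin rather than sent as one.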
Keywords: Remote live forensics, GRR, GELF