Monday, August 14, 2017

Rekall Agent Alpha launch


DFRWS 2017 Release - Code named Hurricane Ridge

Last week at DFRWS 2017, we were proud to launch Rekall 1.7.0RC1 with the first alpha release of the Rekall Agent. The Rekall Agent is a distributed end point monitoring solution based on the Google Cloud Platform. The launch also includes a white paper and a demo site hosted at https://dfrws2017-rekall.appspot.com.

Apart from its scalability, enterprise grade access control and auditing, the Rekall Agent brings the capabilities of both Rekall's EFilter query language as well as OSQuery's capabilities into a complete distributed endpoint monitoring solution. The overall solution makes it possible to launch a flexible query on many endpoint systems at the same time, and collect their responses quickly and efficiently.

At DFRWS we worked through a hands on workshop where participants installed the Rekall Agent server on their own Google Cloud project, or alternatively we used a shared project for collaborative remote forensic investigations. We then ran through a number of common forensic and incident response scenarios.

The workshop had been so successful that people have requested the project to remain up after the workshop, so they could continue playing with the release.

Rekall Agent demo site

We have decided therefore to leave the site up as a demo site.  This means anyone from the internet can request administrator rights for the application and quickly see how it works.
Simply navigate to https://dfrws2017-rekall.appspot.com/ and you should see the agreement page. Please note that since this is a shared system (in which anyone is an admin level user), all data can be viewed by anyone else.
By clicking the Make Me Admin button, the application will assign the Administrator and Viewer roles to your username. The Viewer role is needed so you can login and search for clients. The Administrator role allows you to assign any other roles to your username as needed.
Let's start off by searching for clients (For a small installation such as this, simply search for label:All to list all the clients):

Now to view the flows in each client, simply click on the flows column.
Since you do not currently have approval to access this client, the UI will start the approval request workflow. You can request an Examiner (read only) or Investigator (can launch flows) roles on this client. The approver list shows all users with approver rights. If you do not appear in this list you will need to grant yourself the approver role by clicking the USERS menu then Add:
Once the approval request is sent, you can see it in your inbox at the top right of the screen.

Adding new machines to the demo site

You are welcome to add new agent machines to the Rekall demo site, and use the demo site to run Rekall plugins on them. Note that since this is a shared site and you are effectively granting it root access you should only use disposable machines (e.g. VMs). In fact you should probably run the agent as a non-root user.
First install both the Rekall Agent and Rekall Forensic packages as distributed above
Then copy the sample configuration file:
And replace the location with the demo site:
You should run the agent as non root by hand using the command line (you may need to change the writeback path to somewhere it can write to):
Now you can launch any plugin against your client. For example, to launch an OSQuery query simply select the "osquery plugin" then enter the query:
After waiting for the Agent to pick up the new query, the flow will be marked as Done:
We can view the collection which is the result of the query

Feedback


This is the first Alpha release of Rekall Agent - we put it out there to solicit comments, thoughts and discussions. Please mail us at rekall-discuss@googlegroups.com with any suggestions for further improvements.