Posts

Plaso 20240826 released

The Plaso team is delighted to announce a new Plaso release, 20240826. This release has a mixture of new features and under-the-hood improvements.

Notable changes

- Migrated the Docker image to Ubuntu 24.04 with Python 3.12. If you are using Timesketch or Turbinia, work is in progress to migrate them to Ubuntu 24.04 and this version of Plaso.
- Changed the year-less log helper into a date-less log helper to support date-less log formats (#4697), added a SQLite parser plugin for Android's app_usage database (#4881) and an Android turbo.db SQLite parser plugin (#4880), with thanks to @rick-slin.
- Added basic support for Windows 10 push notification SQLite databases (#4458) and a Container Runtime Interface log parser (#4742), with thanks to @sydp.
- Read support for the SQLite-based storage format 20221023 was removed (#4849).

The full list of cleanups, performance tweaks and bug fixes can be found in the release milestone.

Upcoming changes in future releases

Extend support for W

GRR with GCS Blobstore and Cloud Pub/Sub Service

Authored by Dan Aschwanden and Mikhail Bushkov, copied with permission.

Introduction

In this article we provide a macro-level outline of how GRR Rapid Response (or GRR) can use Google Cloud Storage (GCS) buckets for its blobstore and Cloud Pub/Sub to communicate with Fleetspeak. Leveraging GCS buckets and Cloud Pub/Sub can be beneficial if you need to improve the runtime performance of a large-scale GRR deployment (i.e. one with tens of thousands of clients): both the GCS blobstore and Cloud Pub/Sub significantly reduce the load on the main GRR datastore and the amount of message processing it has to do.

Figure 1 - GRR architecture with GCS Blobstore and Cloud Pub/Sub

We will also cover Google Kubernetes Engine (GKE) Workload Identity Federation, which gives Kubernetes workloads access to Google Cloud resources by using Identity and Access Management (IAM) federated identities ins