Difference between pages "NetFSE" and "Regimented Potential Incident Examination Report"

From ForensicsWiki
(Difference between pages)
NetFSE

{{Infobox_Software |
  name = Net/FSE |
  maintainer = [[Ben Uphoff]] |
  os = {{Linux}} |
  genre = {{Incident response}} |
  license = {{GPL}} |
  website = [https://code.google.com/p/netfse/ code.google.com/p/netfse/] |
}}

= Net/FSE: Network Forensic Search Engine =

Net/FSE is a server application for network operations. The system consists of data capture, indexing and search services optimized for processing high-volume IP-based network log data. Log data from firewalls, intrusion detection systems, routers and other network devices is streamed to Net/FSE in near real time, giving network professionals on enterprise networks fast drill-down and analysis of billions of log records.

A web interface built on Tomcat and GWT is integrated into the codebase. The UI is designed as an easy-to-use workflow tool for network operations, including security, compliance, troubleshooting and management. Socket-based APIs and HTTP-based XML APIs make integrating search of network log data fast and easy.

The system is also moving towards a plugin architecture that will allow users to build custom data processing engines to meet individual needs. The core system handles capture and storage as well as search/query functionality, allowing plugins to leverage the system's capabilities with minimal coding.

= Project Status =

In June 2009 version 0.2 of the open source Net/FSE was released at [http://www.netfse.org NetFSE.org]. The 0.3 release is in the works and will be available in August 2010. NetFSE.org is the user community and information center for Net/FSE users.

== External Links ==
* [https://code.google.com/p/netfse/ Project site]

[[Category:Network Forensics]]

Regimented Potential Incident Examination Report

{{Expand}}

{{Infobox_Software |
  name = RAPIER |
  maintainer = Rapier project |
  os = {{Windows}} |
  genre = {{Incident response}} |
  license = {{LGPL}} |
  website = [https://code.google.com/p/rapier/ code.google.com/p/rapier/] |
}}

== Description ==
The Regimented Potential Incident Examination Report ('''RPIER''' or '''RAPIER''') is a script-based [[Incident Response|incident response]] tool released under the [[:Category:GPL|GPL]] by [[Intel]]. It is a modular framework.

RAPIER is a [[Windows]] NT-based information gathering framework. It was designed to streamline the acquisition of information from systems in a large-scale enterprise network, with a simple GUI so that end users can be walked through running the tool on a system.

Contact: rapier.securitytool@gmail.com

== Features ==

* Modular design: all information is acquired through individual modules
* Fully configurable GUI
* [[SHA1]] verification checksums
* Auto-update functionality
* Results can be auto-zipped
* Auto-upload to a central repository
* Email notification when results are received
* 2 default scan modes: Fast/Slow
* Separated output for faster analysis
* Pre/post run changes report
* Configuration file approach
* Process priority throttling

=== Information Acquired through RAPIER ===

* Complete list of running processes
* Locations of those processes on disk
* Ports those processes are using
* Checksums for all running processes
* Memory dumps for all running processes
* All DLLs currently loaded and their checksums
* Last Modify/Access/Create times ([[MAC times]]) for designated areas
* All files that are currently open
* Net (start/share/user/file/session)
* Output from nbtstat and [[netstat]]
* All open shares/exports on the system
* Current routing tables
* List of all network connections
* Layer 3 traffic samples
* Logged-in users
* System startup commands
* [[MAC address]]
* List of installed services
* Local account and policy information
* Current patches installed on the system
* Current AV versions
* Files with alternate data streams (ADS)
* Files marked as hidden
* List of all installed software on the system (known to the registry)
* System logs
* AV logs
* Copies of application caches (temporary internet files): [[Internet Explorer|IE]], [[Mozilla Firefox|FF]], [[Opera]]
* Export of the entire registry
* Search/retrieve files based on search criteria

== See Also ==

[[List of Script Based Incident Response Tools]]

== External Links ==

* [http://code.google.com/p/rapier/ Official website]
* [http://groups.google.com/group/rapier-development?hl=en Google Discussion Group]
* [http://www.first.org/conference/2006/program/rapier_-_a_1st_responders_info_collection_tool.html Presentation at FIRST Conference 2006]

Latest revision as of 05:52, 18 January 2014
