Difference between pages "Regimented Potential Incident Examination Report" and "Incident Response"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
 
(Script Based Tools)
 
Line 1: Line 1:
 
{{Expand}}
 
{{Expand}}
  
{{Infobox_Software |
+
Incident Response is a set of procedures for an investigator to examine a computer security incident. This process involves figuring out what was happened and preserving information related to those events. Because of the fluid nature of computer investigations, incident response is more of an art than a science.  
  name = RAPIER |
+
  maintainer = Rapier project |
+
  os = {{Windows}} |
+
  genre = {{Incident response}} |
+
  license = {{LGPL}} |
+
  website = [https://code.google.com/p/rapier/ code.google.com/p/rapier/] |
+
}}
+
  
== Description ==
+
== Tools ==
The Regimented Potential Incident Examination Report ('''RPIER''' or '''RAPIER''') is script based [[Incident Response|incident response]] tool released under the [[:Category:GPL|GPL]] by [[Intel]]. It is a modular framework.
+
  
RAPIER is a [[Windows]] NT based information gathering framework. It was designed to streamline the acquisition of information off of systems in a large scale enterprise network. It was designed with a pretty simple to use GUI so that end-users could be walked through execution of the tool on a system.
+
Incident response tools can be grouped into three categories. The first category is '''Individual Tools'''. These are programs designed to probe parts of the operating system and gather useful and/or volatile data. The tools are self-contained, useful, discrete, and do not create a large footprint on the victim system.  
  
Contact: rapier.securitytool@gmail.com
+
Standalone tools have been combined to create '''Script Based Tools'''. These tools combine a number of standalone tools that are run via a script or batch file. They require minimal interaction from the user and gather a fixed set of data. These tools are good in that they automate the incident response process and provide the examiner with a standard process to defend in court. They also do not require the first responder to necessarily be an expert with the individual tools. Their weakness, however, is that they can be inflexible. Once the order of the tools is set, it can be difficult to change. Some script based tools allow the user to pick and choose which standalone tools will be used in a given examination.
  
== Features ==
+
The final category of tools are '''Agent Based Tools'''. These tools require the examiner to install a program on the victim which can then report back to a central server. The upshot is that one examiner can install the program on multiple computers, gather data from all of them, and then view the results in the aggregate. Finding the victim or victims can be easier if they stand out from the crowd.
  
* Modular Design - all information acquired is through individual modules
+
== See Also ==
* Fully configurable GUI
+
* [[List of Standalone Incident Response Tools]]
* [[SHA1]] verification checksums
+
* [[List of Script Based Incident Response Tools]]
* Auto-update functionality
+
* [[:Category:Incident response tools|Incident response tools category]]
* Results can be auto-zipped 
+
* Auto-uploaded to central repository
+
* Email Notification when results are received
+
* 2 Default Scan Modes – Fast/Slow
+
* Separated output for faster analysis
+
* Pre/Post run changes report
+
* Configuration File approach
+
* Process priority throttling
+
  
=== Information Acquired through RAPIER ===
+
== External Links ==
 +
* [http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders], by [[Jesse Kornblum]], DFRWS 2002
 +
* [http://blog.handlerdiaries.com/?p=325 Keeping Focus During an Incident], by jackcr, January 17, 2014
  
* Complete list of running processes
+
== Tools ==
* Locations of those processes on disk
+
=== Individual Tools ===
* Ports those processes are using
+
* [http://technet.microsoft.com/en-us/sysinternals/0e18b180-9b7a-4c49-8120-c47c5a693683.aspx Sysinternals Suite]
* Checksums for all running processes
+
* Memory dumps for all running processes
+
* All DLLS currently loaded and their checksum
+
* Last Modify/Access/Create times ([[MAC times]]) for designated areas
+
* All files that are currently open
+
* Net (start/share/user/file/session)
+
* Output from nbtstat and [[netstat]]
+
* All open shares/exports on system
+
* Current routing tables
+
* List of all network connections
+
* Layer3 traffic samples
+
* Logged in users
+
* System Startup Commands
+
* [[MAC address]]
+
* List of installed services
+
* Local account and policy information
+
* Current patches installed on system
+
* Current AV versions
+
* Files with alternate data streams (ADS)
+
* Files marked as hidden
+
* List of all installed software on system (known to registry)
+
* System logs
+
* AV logs
+
* Copies of application caches (temporary internet files) – [[Internet Explorer|IE]], [[Mozilla Firefox|FF]], [[Opera]]
+
* Export entire registry
+
* Search/retrieve files based on search criteria.
+
  
== See Also ==
+
=== Script Based Tools ===
 +
* [[First Responder's Evidence Disk|First Responder's Evidence Disk (FRED)]]
 +
* [[COFEE|Microsoft COFEE]]
 +
* [[Windows Forensic Toolchest|Windows Forensic Toolchest (WFT)]]
 +
* [[Regimented Potential Incident Examination Report|RAPIER]]
  
[[List of Script Based Incident Response Tools]]
+
=== Agent Based Tools ===
 +
* [[GRR]]
 +
* [[First Response|Mandiant First Response]]
  
== External Links ==
+
== Books ==
 +
There are several books available that discuss incident response. For [[Windows]], ''[http://www.windows-ir.com/ Windows Forensics and Incident Recovery]'' by [[Harlan Carvey]] is an excellent introduction to possible scenarios and how to respond to them.
  
* [http://code.google.com/p/rapier/ Official website]
+
[[Category:Incident Response]]
* [http://groups.google.com/group/rapier-development?hl=en Google Discussion Group]
+
* [http://www.first.org/conference/2006/program/rapier_-_a_1st_responders_info_collection_tool.html Presentation at FIRST Conference 2006]
+

Revision as of 04:58, 18 January 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Incident Response is a set of procedures for an investigator to examine a computer security incident. This process involves figuring out what was happened and preserving information related to those events. Because of the fluid nature of computer investigations, incident response is more of an art than a science.

Contents

Tools

Incident response tools can be grouped into three categories. The first category is Individual Tools. These are programs designed to probe parts of the operating system and gather useful and/or volatile data. The tools are self-contained, useful, discrete, and do not create a large footprint on the victim system.

Standalone tools have been combined to create Script Based Tools. These tools combine a number of standalone tools that are run via a script or batch file. They require minimal interaction from the user and gather a fixed set of data. These tools are good in that they automate the incident response process and provide the examiner with a standard process to defend in court. They also do not require the first responder to necessarily be an expert with the individual tools. Their weakness, however, is that they can be inflexible. Once the order of the tools is set, it can be difficult to change. Some script based tools allow the user to pick and choose which standalone tools will be used in a given examination.

The final category of tools are Agent Based Tools. These tools require the examiner to install a program on the victim which can then report back to a central server. The upshot is that one examiner can install the program on multiple computers, gather data from all of them, and then view the results in the aggregate. Finding the victim or victims can be easier if they stand out from the crowd.

See Also

External Links

Tools

Individual Tools

Script Based Tools

Agent Based Tools

Books

There are several books available that discuss incident response. For Windows, Windows Forensics and Incident Recovery by Harlan Carvey is an excellent introduction to possible scenarios and how to respond to them.