Difference between pages "Regimented Potential Incident Examination Report" and "Using signature headers to determine if an email has been forged"

Revision as of 18:27, 6 May 2007 (view source) Pdxsharkey (Talk | contribs) m		Revision as of 13:01, 29 April 2007 (view source) Jessek (Talk | contribs) (→‎Signed mail: - Quick notes on PGP signed and/or encrypted messages)
Line 1:		Line 1:
	{{Expand}}		{{Expand}}
−	== Description ==
−	The Regimented Potential Incident Examination Report ('''RPIER''' or '''RAPIER''') is script based [[Incident Response|incident response]] tool released under the [[:Category:GPL|GPL]] by [[Intel]]. It is a modular framework.
−	RAPIER is a windows NT based information gathering framework. It was designed to streamline the acquisition of information off of systems in a large scale enterprise network. It was designed with a pretty simple to use GUI so that end-users could be walked through execution of the tool on a system.
−	*Contact*: rapier.securitytool@gmail.com	+	== Domain Key Signatures ==
−	== Features ==	+	These headers, included by the mail server, provide a signature of each message. See [[Gmail Header Format]]. The public keys are distributed via [[Domain Name System|DNS]].
−	* Modular Design - all information acquired is through individual modules	+
−	* Fully configurable GUI	+
−	* SHA1 verification checksums	+
−	* Auto-update functionality	+
−	* Results can be auto-zipped	+
−	* Auto-uploaded to central repository	+
−	* Email Notification when results are received	+
−	* 2 Default Scan Modes – Fast/Slow	+
−	* Separated output for faster analysis	+
−	* Pre/Post run changes report	+
−	* Configuration File approach	+
−	* Process priority throttling	+
−	=== Information Acquired through RAPIER ===	+	== Signed mail ==
−	* complete list of running processes	+
−	* locations of those processes on disk	+
−	* ports those processes are using	+
−	* Checksums for all running processes	+
−	* Dump memory for all running processes	+
−	* All DLLS currently loaded and their checksum	+
−	* Capture last Modify/Access/Create times for designated areas	+
−	* All files that are currently open	+
−	* Net (start/share/user/file/session)	+
−	* Output from nbtstat and netstat	+
−	* Document all open shares/exports on system	+
−	* Capture current routing tables	+
−	* List of all network connections	+
−	* Layer3 traffic samples	+
−	* capture logged in users	+
−	* System Startup Commands	+
−	* MAC address	+
−	* List of installed services	+
−	* Local account and policy information	+
−	* Current patches installed on system	+
−	* Current AV versions	+
−	* Files with alternate data streams	+
−	* Discover files marked as hidden	+
−	* List of all installed software on system (known to registry)	+
−	* Capture system logs	+
−	* Capture of AV logs	+
−	* Copies of application caches (temporary internet files) – IE, FF, Opera	+
−	* Export entire registry	+
−	* Search/retrieve files based on search criteria.	+
		+	Some other programs can be used by the sender to sign an email message. Programs such as [[PGP]], [[GnuPG]].
		+	=== PGP Messages ===
		+	Messages sent using PGP, or its free equivalents such as GnuPG, have the signature in the message body itself. Each message can be signed, encrypted, or both. Encrypted messages begin with the header
		+	<pre>-----BEGIN PGP MESSAGE-----</pre> followed by some optional headers. The optional headers may include the character set of the decoded message, the program and version that created the message, and an optional comment. The end of the message is noted with <pre>-----END PGP MESSAGE-----</pre> Between these two lines are a series of ASCII characters that represent the encrypted or signed message.
		+
		+	A signed message has the header <pre>-----BEGIN PGP SIGNATURE-----</pre> at the ''end'' of the signed message followed by the same optional headers as encrypted messages. The signature is usually three lines of ASCII characters.
	== See Also ==		== See Also ==
		+	* [[Using message id headers to determine if an email has been forged]]
−	[[List of Script Based Incident Response Tools]]	+	[[Category:Howtos]]
−		+
−	== External Links ==	+
−		+
−	* [http://code.google.com/p/rapier/ Official website]]	+
−	* [http://groups.google.com/group/rapier-development?hl=en Google Discussion Group]]	+
−	* [http://www.first.org/conference/2006/program/rapier_-_a_1st_responders_info_collection_tool.html Presentation at FIRST Conference 2006]	+
−		+
−	[[Category:Incident response tools]]	+

---

Revision as of 13:01, 29 April 2007

Contents 1 Domain Key Signatures 2 Signed mail 2.1 PGP Messages 3 See Also

Domain Key Signatures

These headers, included by the mail server, provide a signature of each message. See Gmail Header Format. The public keys are distributed via DNS.

Signed mail

Some other programs can be used by the sender to sign an email message. Programs such as PGP, GnuPG.

PGP Messages

Messages sent using PGP, or its free equivalents such as GnuPG, have the signature in the message body itself. Each message can be signed, encrypted, or both. Encrypted messages begin with the header

-----BEGIN PGP MESSAGE-----

followed by some optional headers. The optional headers may include the character set of the decoded message, the program and version that created the message, and an optional comment. The end of the message is noted with

-----END PGP MESSAGE-----

Between these two lines are a series of ASCII characters that represent the encrypted or signed message. A signed message has the header

-----BEGIN PGP SIGNATURE-----

at the end of the signed message followed by the same optional headers as encrypted messages. The signature is usually three lines of ASCII characters.

See Also

• Using message id headers to determine if an email has been forged