Difference between pages "Regimented Potential Incident Examination Report" and "AFF Development Task List"

From Forensics Wiki
= Regimented Potential Incident Examination Report =

{{Expand}}

== Description ==

The Regimented Potential Incident Examination Report ('''RPIER''' or '''RAPIER''') is a script-based [[Incident Response|incident response]] tool released under the [[:Category:GPL|GPL]] by [[Intel]]. It is a modular framework.

RAPIER is a [[Windows]] NT-based information gathering framework. It was designed to streamline the acquisition of information from systems in a large enterprise network. It has a simple GUI so that end users can be walked through running the tool on a system.

Contact: rapier.securitytool@gmail.com

== Features ==

* Modular design: all information is acquired through individual modules
* Fully configurable GUI
* [[SHA1]] verification checksums
* Auto-update functionality
* Results can be auto-zipped
* Auto-upload to a central repository
* Email notification when results are received
* 2 default scan modes: Fast/Slow
* Separated output for faster analysis
* Pre/post run changes report
* Configuration file approach
* Process priority throttling

=== Information Acquired through RAPIER ===

* Complete list of running processes
* Locations of those processes on disk
* Ports those processes are using
* Checksums for all running processes
* Memory dumps for all running processes
* All DLLs currently loaded and their checksums
* Last Modify/Access/Create times ([[MAC times]]) for designated areas
* All files that are currently open
* Net (start/share/user/file/session)
* Output from nbtstat and [[netstat]]
* All open shares/exports on the system
* Current routing tables
* List of all network connections
* Layer 3 traffic samples
* Logged-in users
* System startup commands
* [[MAC address]]
* List of installed services
* Local account and policy information
* Current patches installed on the system
* Current AV versions
* Files with alternate data streams (ADS)
* Files marked as hidden
* List of all installed software on the system (as known to the registry)
* System logs
* AV logs
* Copies of application caches (temporary internet files): [[Internet Explorer|IE]], [[Mozilla Firefox|FF]], [[Opera]]
* Export of the entire registry
* Search/retrieve files based on search criteria

== See Also ==

[[List of Script Based Incident Response Tools]]

== External Links ==

* [http://code.google.com/p/rapier/ Official website]
* [http://groups.google.com/group/rapier-development?hl=en Google Discussion Group]
* [http://www.first.org/conference/2006/program/rapier_-_a_1st_responders_info_collection_tool.html Presentation at FIRST Conference 2006]

[[Category:Incident response tools]]

= AFF Development Task List =

== High Priority ==

* Create man pages and/or documentation for the AFF toolkit, namely:
** [[aimage]]
** [[ident]]
** [[afcat]]
** [[afcompare]]
** [[afconvert]]
** [[affix]]
** [[affuse]]
** [[afinfo]]
** [[afstats]]
** [[afxml]]
** [[afsegment]]
* Create man pages and/or documentation for AFF library functions (e.g. <tt>af_open</tt>, <tt>af_get_imagesize</tt>)
* Build the library as a shared library using libtool. This will allow developers using the library to link only to AFF. Without it, developers must link to the static library and the individual libraries necessary <em>on that machine</em>, and there is no good way to determine those extra libraries.

== Medium Priority ==

* How about renaming the library to libaff? That would allow developers to link with <tt>-laff</tt> instead of <tt>-lafflib</tt>. To my knowledge, there is no existing library named AFF already.

== Low Priority ==

* Add a library function to open standard input. Perhaps:
<pre>AFFILE * af_open_stdin(void);</pre>

Revision as of 08:00, 23 July 2007