Difference between pages "TrueCrypt" and "Regimented Potential Incident Examination Report"

From Forensics Wiki

= TrueCrypt =

'''TrueCrypt''' is an open source program to create and mount virtual encrypted disks in [[Windows|Windows Vista/XP/2000]] and Linux. It provides two levels of plausible deniability (hidden volumes, and no signatures that would distinguish a volume from random data), on-the-fly encryption, and supports various encryption algorithms (AES-256, Serpent and Twofish).

== Forensic Acquisition ==

If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting down the system. Once the system is shut down, the contents will be inaccessible unless you have the proper encryption key, which is generated from the user's password. You may also need an additional data file (a keyfile).

== Attacks ==

The only option for acquiring the content of a TrueCrypt drive is to do a brute-force password guessing attack. [[AccessData|AccessData's]] [[Password Recovery Toolkit]] and Distributed Network Attack ([[DNA]]) can both perform such an attack, but DNA is faster.

TrueCrypt also supports keyfiles (it uses the first 1024 kilobytes of any file, but can also use its PRNG to generate such keys). It is important to look for anything that might be used as a keyfile (such as a 1024k file on a USB stick).

The existence of a FAT volume may be an indication of the existence of hidden volumes (a hidden volume can only be created within a FAT TrueCrypt volume).

== External Links ==

* [http://www.truecrypt.org/ Official website]

= Regimented Potential Incident Examination Report =

== Description ==

The Regimented Potential Incident Examination Report ('''RPIER''' or '''RAPIER''') is a script-based [[Incident Response|incident response]] tool released under the [[:Category:GPL|GPL]] by [[Intel]]. It is a modular framework.

RAPIER is a Windows NT-based information gathering framework. It was designed to streamline the acquisition of information from systems in a large-scale enterprise network. It has a simple GUI so that end users can be walked through running the tool on a system.

Contact: rapier.securitytool@gmail.com

== Features ==

* Modular design: all information is acquired through individual modules
* Fully configurable GUI
* SHA1 verification checksums
* Auto-update functionality
* Results can be auto-zipped
* Auto-upload to a central repository
* Email notification when results are received
* 2 default scan modes: Fast/Slow
* Separated output for faster analysis
* Pre/post run changes report
* Configuration file approach
* Process priority throttling

=== Information Acquired through RAPIER ===

* Complete list of running processes
* Locations of those processes on disk
* Ports those processes are using
* Checksums for all running processes
* Dump memory for all running processes
* All DLLs currently loaded and their checksums
* Capture last Modify/Access/Create times for designated areas
* All files that are currently open
* Net (start/share/user/file/session)
* Output from nbtstat and netstat
* Document all open shares/exports on the system
* Capture current routing tables
* List of all network connections
* Layer 3 traffic samples
* Capture logged-in users
* System startup commands
* MAC address
* List of installed services
* Local account and policy information
* Current patches installed on the system
* Current AV versions
* Files with alternate data streams
* Discover files marked as hidden
* List of all installed software on the system (known to the registry)
* Capture system logs
* Capture of AV logs
* Copies of application caches (temporary internet files): IE, FF, Opera
* Export entire registry
* Search/retrieve files based on search criteria

== See Also ==

[[List of Script Based Incident Response Tools]]

== External Links ==

* [http://code.google.com/p/rapier/ Official website]
* [http://groups.google.com/group/rapier-development?hl=en Google Discussion Group]
* [http://www.first.org/conference/2006/program/rapier_-_a_1st_responders_info_collection_tool.html Presentation at FIRST Conference 2006]

[[Category:Incident response tools]]
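Two of the RAPIER features listed above, the pre/post run changes report and the SHA1 verification checksums over the results, are worth seeing as working logic: a collector inevitably leaves a footprint on the host it examines, and the results it ships need to be tamper-evident. The script below is an added example, not RAPIER's own code, and all host files, result files and the run-id value are constructed for the demo. It snapshots a directory tree before and after a simulated run, reports what the run added, removed and modified, then writes a sha1sum-style manifest of the result files and verifies it before and after one result is edited.

```python
"""Pre/post run change report and SHA-1 result manifest (added example)."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha1_file(path: Path) -> str:
    """Stream a file through SHA-1 and return the hex digest."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-1."""
    return {
        p.relative_to(root).as_posix(): sha1_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def change_report(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Diff two snapshots: files the run added, removed or modified."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def write_manifest(results: Path, manifest: Path) -> None:
    """Write 'sha1  relative/path' lines, one per result file (sha1sum style)."""
    lines = [f"{digest}  {rel}" for rel, digest in snapshot(results).items()]
    manifest.write_text("\n".join(lines) + "\n")


def verify_manifest(results: Path, manifest: Path) -> list[str]:
    """Return the result files whose current SHA-1 differs from the manifest."""
    bad = []
    for line in manifest.read_text().splitlines():
        digest, rel = line.split("  ", 1)
        target = results / rel
        if not target.is_file() or sha1_file(target) != digest:
            bad.append(rel)
    return bad


def demo() -> tuple[dict[str, list[str]], list[str], list[str]]:
    """Simulate a collection run on a constructed 'host' tree (demo data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        host = Path(tmp) / "host"
        results = Path(tmp) / "results"
        (host / "logs").mkdir(parents=True)
        (host / "logs" / "app.log").write_text("line 1\n")
        (host / "config.ini").write_text("debug=0\n")
        (host / "temp.tmp").write_text("scratch\n")

        before = snapshot(host)

        # The collector's own footprint: it appends to a log, drops a marker
        # file and removes a temp file. Everything it touched must be reported.
        with (host / "logs" / "app.log").open("a") as f:
            f.write("collector started\n")
        (host / "collector.marker").write_text("run-id: demo\n")
        (host / "temp.tmp").unlink()

        after = snapshot(host)
        report = change_report(before, after)

        # Results are hashed before upload so tampering in transit is detectable.
        results.mkdir()
        (results / "processes.txt").write_text("pid 4 System\n")
        (results / "netstat.txt").write_text("TCP 0.0.0.0:445 LISTENING\n")
        manifest = Path(tmp) / "MANIFEST.sha1"   # kept outside the results tree
        write_manifest(results, manifest)
        clean = verify_manifest(results, manifest)

        (results / "netstat.txt").write_text("TCP 0.0.0.0:445 LISTENING\nedited\n")
        tampered = verify_manifest(results, manifest)
        return report, clean, tampered


if __name__ == "__main__":
    report, clean, tampered = demo()
    print("changes made by the run:", report)
    print("mismatches before tampering:", clean)
    print("mismatches after tampering:", tampered)
```

The manifest is deliberately written outside the results tree so the hash set does not include itself; the change report is what an analyst later uses to separate the collector's own modifications from the intruder's. SHA-1 is used here because that is what the feature list names; for a new tool a SHA-2 digest would be the normal choice.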

Revision as of 18:27, 6 May 2007
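The TrueCrypt section above makes two observations an examiner can act on: a container carries no signature and is indistinguishable from random data, and any file can serve as a keyfile, of which the first 1024 kilobytes are used (so a file of exactly that size on removable media is worth a second look). The script below is an added example, not code from the wiki page or from the TrueCrypt project, that turns those observations into a triage scan over a directory tree. The signature table, the sector-multiple size check, the entropy threshold and the sample files are all assumptions of the example; the sample tree is constructed in a temporary directory so it runs offline.

```python
"""Triage scan for TrueCrypt keyfile and container candidates (added example)."""
from __future__ import annotations

import math
import os
import tempfile
from collections import Counter
from pathlib import Path

KEYFILE_MAX = 1024 * 1024   # first 1024 KiB of a keyfile are used (from the text)
SECTOR = 512                # assumption: container sizes are sector multiples
SAMPLE = 64 * 1024          # bytes of each file sampled for the entropy estimate
ENTROPY_MIN = 7.9           # bits/byte; encrypted or random data sits close to 8.0

# A few common headers (assumed table). Encrypted containers have none ("no signature").
MAGIC = {
    b"\x89PNG": "png",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"%PDF": "pdf",
    b"MZ": "pe",
    b"RIFF": "riff",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def known_magic(head: bytes) -> str | None:
    """Name of the first matching signature, or None if the header is unknown."""
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    return None


def classify(path: Path) -> list[str]:
    """Return triage flags for one file (an empty list means nothing notable)."""
    size = path.stat().st_size
    with path.open("rb") as f:
        head = f.read(SAMPLE)
    flags = []
    if size == KEYFILE_MAX:
        flags.append("keyfile-size")        # the page's "1024k file" heuristic
    if (
        size >= SAMPLE                      # enough data for a meaningful estimate
        and size % SECTOR == 0
        and known_magic(head) is None
        and shannon_entropy(head) >= ENTROPY_MIN
    ):
        flags.append("possible-container")
    return flags


def scan(root: Path) -> dict[str, list[str]]:
    """Walk root and collect flags per file, keyed by relative POSIX path."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            flags = classify(p)
            if flags:
                findings[p.relative_to(root).as_posix()] = flags
    return findings


def random_blob(n: int) -> bytes:
    """Random bytes whose start matches no MAGIC entry (keeps the demo deterministic)."""
    while True:
        data = os.urandom(n)
        if known_magic(data[:16]) is None:
            return data


def build_sample_tree(root: Path) -> None:
    """Constructed sample files standing in for the contents of a USB stick."""
    (root / "photos").mkdir()
    (root / "music").mkdir()
    (root / "photos" / "holiday.png").write_bytes(b"\x89PNG\r\n\x1a\n" + os.urandom(2 * SAMPLE))
    (root / "notes.txt").write_bytes(b"meeting notes, nothing unusual\n" * 4000)
    (root / "backup.dat").write_bytes(random_blob(2 * 1024 * 1024))   # random, sector multiple
    (root / "music" / "ambient.raw").write_bytes(random_blob(KEYFILE_MAX))  # exactly 1024 KiB
    (root / "small.bin").write_bytes(os.urandom(1000))                 # too small to judge


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for rel, flags in demo().items():
        print(f"{rel}: {', '.join(flags)}")
```

The flags are leads, not proof: any headerless high-entropy file (another encrypted format, raw compressed data with its header stripped) scores the same way, and the size check only catches keyfiles cut to exactly 1024 KiB, while a keyfile can be any file at all. Where a candidate turns up, the text's advice still stands: image the mounted volume while it is mounted, and preserve the candidate keyfiles alongside it.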