Difference between revisions of "Regimented Potential Incident Examination Report"

From ForensicsWiki
 
(9 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
{{Expand}}
 
{{Expand}}
  
The Regimented Potential Incident Examination Report ('''RPIER''' or '''RAPIER''') is script based [[Incident Response|incident response]] tool released under the [[GPL]] by [[Intel]]. It is a modular framework.
+
{{Infobox_Software |
 +
  name = RAPIER |
 +
  maintainer = Rapier project |
 +
  os = {{Windows}} |
 +
  genre = {{Incident response}} |
 +
  license = {{LGPL}} |
 +
  website = [https://code.google.com/p/rapier/ code.google.com/p/rapier/] |
 +
}}
 +
 
 +
== Description ==
 +
The Regimented Potential Incident Examination Report ('''RPIER''' or '''RAPIER''') is script based [[Incident Response|incident response]] tool released under the [[:Category:GPL|GPL]] by [[Intel]]. It is a modular framework.
 +
 
 +
RAPIER is a [[Windows]] NT based information gathering framework. It was designed to streamline the acquisition of information off of systems in a large scale enterprise network. It was designed with a pretty simple to use GUI so that end-users could be walked through execution of the tool on a system.
 +
 
 +
Contact: rapier.securitytool@gmail.com
 +
 
 +
== Features ==
 +
 
 +
* Modular Design - all information acquired is through individual modules
 +
* Fully configurable GUI
 +
* [[SHA1]] verification checksums
 +
* Auto-update functionality
 +
* Results can be auto-zipped 
 +
* Auto-uploaded to central repository
 +
* Email Notification when results are received
 +
* 2 Default Scan Modes – Fast/Slow
 +
* Separated output for faster analysis
 +
* Pre/Post run changes report
 +
* Configuration File approach
 +
* Process priority throttling
 +
 
 +
=== Information Acquired through RAPIER ===
 +
 
 +
* Complete list of running processes
 +
* Locations of those processes on disk
 +
* Ports those processes are using
 +
* Checksums for all running processes
 +
* Memory dumps for all running processes
 +
* All DLLS currently loaded and their checksum
 +
* Last Modify/Access/Create times ([[MAC times]]) for designated areas
 +
* All files that are currently open
 +
* Net (start/share/user/file/session)
 +
* Output from nbtstat and [[netstat]]
 +
* All open shares/exports on system
 +
* Current routing tables
 +
* List of all network connections
 +
* Layer3 traffic samples
 +
* Logged in users
 +
* System Startup Commands
 +
* [[MAC address]]
 +
* List of installed services
 +
* Local account and policy information
 +
* Current patches installed on system
 +
* Current AV versions
 +
* Files with alternate data streams (ADS)
 +
* Files marked as hidden
 +
* List of all installed software on system (known to registry)
 +
* System logs
 +
* AV logs
 +
* Copies of application caches (temporary internet files) – [[Internet Explorer|IE]], [[Mozilla Firefox|FF]], [[Opera]]
 +
* Export entire registry
 +
* Search/retrieve files based on search criteria.
  
 
== See Also ==
 
== See Also ==
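Review bot: the infobox and the Description disagree on the license: the infobox line `license = {{LGPL}} |` says LGPL, while the Description sentence added beneath it says "released under the [[:Category:GPL|GPL]]"; settle on the one the project actually uses and state it in both places. The same Description sentence is also missing an article ("is script based" should read "is a script-based"), and the "== See Also ==" section that follows the new Features lists is still empty in this revision.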
Line 9: Line 70:
 
== External Links ==
 
== External Links ==
  
* [http://sourceforge.net/projects/rpier Official website]]
+
* [http://code.google.com/p/rapier/ Official website]
 +
* [http://groups.google.com/group/rapier-development?hl=en Google Discussion Group]
 
* [http://www.first.org/conference/2006/program/rapier_-_a_1st_responders_info_collection_tool.html Presentation at FIRST Conference 2006]
 
* [http://www.first.org/conference/2006/program/rapier_-_a_1st_responders_info_collection_tool.html Presentation at FIRST Conference 2006]

Latest revision as of 05:52, 18 January 2014


RAPIER
Maintainer: Rapier project
OS: Windows
Genre: Incident Response
License: LGPL
Website: code.google.com/p/rapier/

Description

The Regimented Potential Incident Examination Report (RPIER or RAPIER) is a script-based incident response tool released under the GPL by Intel. It is a modular framework.

RAPIER is a Windows NT based information gathering framework. It was designed to streamline the acquisition of information from systems in a large-scale enterprise network, and it has a simple GUI so that end users can be walked through running the tool on a system.

Contact: rapier.securitytool@gmail.com

Features

  • Modular Design - all information acquired is through individual modules
  • Fully configurable GUI
  • SHA1 verification checksums
  • Auto-update functionality
  • Results can be auto-zipped
  • Auto-uploaded to central repository
  • Email Notification when results are received
  • 2 Default Scan Modes – Fast/Slow
  • Separated output for faster analysis
  • Pre/Post run changes report
  • Configuration File approach
  • Process priority throttling
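Two of the features above, the SHA1 verification checksums and the pre/post run changes report, share one idea: a collection tool should record its own footprint on the examined host and make its output tamper-evident. The following is an added example written for this page, not RAPIER's own code. It snapshots a directory tree before and after a (simulated) collection run, reports what was added, removed or modified by content hash, and writes and verifies a sha1sum-style manifest of the results. The function names, file names and the scenario in `run_demo()` are assumptions made for the example.

```python
"""Pre/post run changes report plus a SHA-1 manifest of collected output.

Added example, not RAPIER's own code; names and the demo scenario are assumptions.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FileState:
    size: int
    mtime_ns: int
    sha1: str


def sha1_of_file(path: str) -> str:
    """Stream the file through SHA-1 so large outputs (memory dumps) need not fit in RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, FileState]:
    """Record size, mtime and SHA-1 of every regular file below root, keyed by relative path."""
    states: Dict[str, FileState] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            states[rel] = FileState(st.st_size, st.st_mtime_ns, sha1_of_file(full))
    return states


def changes_report(before: Dict[str, FileState], after: Dict[str, FileState]) -> Dict[str, List[str]]:
    """Diff two snapshots; a file counts as modified only when its content hash changed."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p].sha1 != after[p].sha1),
    }


def write_manifest(root: str, manifest_path: str) -> int:
    """Write 'sha1  relative/path' lines (sha1sum style) for everything under root."""
    lines = [f"{state.sha1}  {rel}" for rel, state in sorted(snapshot(root).items())]
    with open(manifest_path, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    return len(lines)


def verify_manifest(root: str, manifest_path: str) -> Dict[str, List[str]]:
    """Re-hash each listed file and classify it as ok, bad (hash mismatch) or missing."""
    result: Dict[str, List[str]] = {"ok": [], "bad": [], "missing": []}
    with open(manifest_path, encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, rel = line.split("  ", 1)
            full = os.path.join(root, *rel.split("/"))
            if not os.path.isfile(full):
                result["missing"].append(rel)
            elif sha1_of_file(full) != digest:
                result["bad"].append(rel)
            else:
                result["ok"].append(rel)
    return result


def run_demo() -> dict:
    """Constructed scenario: snapshot a host tree, simulate a run, manifest and verify the results."""
    with tempfile.TemporaryDirectory() as tmp:
        host = os.path.join(tmp, "host")
        results = os.path.join(host, "results")
        os.makedirs(results)
        with open(os.path.join(host, "config.ini"), "w") as f:
            f.write("mode=fast\n")
        with open(os.path.join(host, "notes.txt"), "w") as f:
            f.write("left alone\n")
        before = snapshot(host)
        # Simulated run: writes one output file and appends to a config file,
        # exactly the kind of footprint a responder wants documented.
        with open(os.path.join(results, "processes.txt"), "w") as f:
            f.write("4 System\n876 svchost.exe\n")
        with open(os.path.join(host, "config.ini"), "a") as f:
            f.write("last_run=1\n")
        after = snapshot(host)
        changes = changes_report(before, after)
        manifest = os.path.join(tmp, "results.sha1")  # kept outside the tree it describes
        entries = write_manifest(results, manifest)
        verify_clean = verify_manifest(results, manifest)
        # Alter a result after the manifest was written; verification must catch it.
        with open(os.path.join(results, "processes.txt"), "a") as f:
            f.write("9999 extra.exe\n")
        verify_tampered = verify_manifest(results, manifest)
    return {"changes": changes, "manifest_entries": entries,
            "verify_clean": verify_clean, "verify_tampered": verify_tampered}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The manifest is deliberately written outside the directory it covers, and modification is judged by content hash rather than mtime, so a file rewritten with identical bytes is not reported as changed while an appended line is.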

Information Acquired through RAPIER

  • Complete list of running processes
  • Locations of those processes on disk
  • Ports those processes are using
  • Checksums for all running processes
  • Memory dumps for all running processes
  • All DLLs currently loaded and their checksum
  • Last Modify/Access/Create times (MAC times) for designated areas
  • All files that are currently open
  • Net (start/share/user/file/session)
  • Output from nbtstat and netstat
  • All open shares/exports on system
  • Current routing tables
  • List of all network connections
  • Layer3 traffic samples
  • Logged in users
  • System Startup Commands
  • MAC address
  • List of installed services
  • Local account and policy information
  • Current patches installed on system
  • Current AV versions
  • Files with alternate data streams (ADS)
  • Files marked as hidden
  • List of all installed software on system (known to registry)
  • System logs
  • AV logs
  • Copies of application caches (temporary internet files) – IE, FF, Opera
  • Export entire registry
  • Search/retrieve files based on search criteria.
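Several items in the list above (running processes, their locations on disk, the ports they use, and the netstat output) are only useful once they are joined, which is what the "separated output for faster analysis" feature is meant to make easy. The following is an added example, not RAPIER's own code: it parses `netstat -ano` text, joins each listening socket to a pid/name/path process list, and flags listeners whose image lives outside the usual system directories. The netstat text and the process CSV are constructed samples, and the list of trusted directories is an assumption for the example.

```python
"""Join netstat -ano output with a process list and flag unusual listeners.

Added example, not RAPIER's own code. Sample data is constructed; the trusted
directory prefixes are an assumption for the example.
"""
import csv
import io
from typing import Dict, List, NamedTuple

# Constructed sample of `netstat -ano` output (a TCP row has a State column, a UDP row does not).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       3188
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED     2140
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed process list: pid, image name, on-disk location (empty for the System process).
PROCESS_CSV = """pid,name,path
4,System,
876,svchost.exe,C:\\Windows\\System32\\svchost.exe
2140,OUTLOOK.EXE,C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE
3188,updater.exe,C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe
"""

# Assumption for the example: images under these prefixes are treated as expected.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


class Socket(NamedTuple):
    proto: str
    local_addr: str
    local_port: int
    state: str
    pid: int


def parse_netstat(text: str) -> List[Socket]:
    """Parse TCP/UDP rows; IPv6 addresses like [::]:445 are handled by splitting on the last colon."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])  # UDP rows carry no state column
        addr, port = local.rsplit(":", 1)
        sockets.append(Socket(proto, addr, int(port), state, pid))
    return sockets


def parse_processes(text: str) -> Dict[int, dict]:
    """Index the pid,name,path CSV by pid."""
    return {int(row["pid"]): row for row in csv.DictReader(io.StringIO(text))}


def listening_sockets(sockets: List[Socket]) -> List[Socket]:
    """Every UDP binding plus every TCP socket in LISTENING state."""
    return [s for s in sockets if s.proto == "UDP" or s.state == "LISTENING"]


def flag_untrusted_listeners(sockets: List[Socket], procs: Dict[int, dict]) -> List[dict]:
    """Report listeners with no matching process or with an image outside the trusted prefixes."""
    findings: List[dict] = []
    for s in listening_sockets(sockets):
        proc = procs.get(s.pid)
        reason = None
        if proc is None:
            reason = "pid not present in process list"
        elif proc["path"] == "":
            if s.pid != 4:  # pid 4 is the System process, which has no image file
                reason = "no on-disk image recorded"
        elif not proc["path"].lower().startswith(TRUSTED_PREFIXES):
            reason = "image outside trusted directories"
        if reason:
            findings.append({"pid": s.pid, "port": s.local_port, "proto": s.proto,
                             "name": proc["name"] if proc else None,
                             "path": proc["path"] if proc else None, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in flag_untrusted_listeners(parse_netstat(NETSTAT_OUTPUT), parse_processes(PROCESS_CSV)):
        print(finding)
```

On the constructed sample only the listener on port 8081 is reported, because its image is under a user's Temp directory; the System process (pid 4) is allowed to have no image path, and svchost.exe under System32 passes the prefix check.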

See Also

List of Script Based Incident Response Tools

External Links