Difference between revisions of "Regimented Potential Incident Examination Report"
From ForensicsWiki
m (Fixed GPL Link) |
Joachim Metz (Talk | contribs) |
||
| (8 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
{{Expand}} | {{Expand}} | ||
| + | {{Infobox_Software | | ||
| + | name = RAPIER | | ||
| + | maintainer = Rapier project | | ||
| + | os = {{Windows}} | | ||
| + | genre = {{Incident response}} | | ||
| + | license = {{LGPL}} | | ||
| + | website = [https://code.google.com/p/rapier/ code.google.com/p/rapier/] | | ||
| + | }} | ||
| + | |||
| + | == Description == | ||
The Regimented Potential Incident Examination Report ('''RPIER''' or '''RAPIER''') is script based [[Incident Response|incident response]] tool released under the [[:Category:GPL|GPL]] by [[Intel]]. It is a modular framework. | The Regimented Potential Incident Examination Report ('''RPIER''' or '''RAPIER''') is script based [[Incident Response|incident response]] tool released under the [[:Category:GPL|GPL]] by [[Intel]]. It is a modular framework. | ||
| + | |||
| + | RAPIER is a [[Windows]] NT based information gathering framework. It was designed to streamline the acquisition of information off of systems in a large scale enterprise network. It was designed with a pretty simple to use GUI so that end-users could be walked through execution of the tool on a system. | ||
| + | |||
| + | Contact: rapier.securitytool@gmail.com | ||
| + | |||
| + | == Features == | ||
| + | |||
| + | * Modular Design - all information acquired is through individual modules | ||
| + | * Fully configurable GUI | ||
| + | * [[SHA1]] verification checksums | ||
| + | * Auto-update functionality | ||
| + | * Results can be auto-zipped | ||
| + | * Auto-uploaded to central repository | ||
| + | * Email Notification when results are received | ||
| + | * 2 Default Scan Modes – Fast/Slow | ||
| + | * Separated output for faster analysis | ||
| + | * Pre/Post run changes report | ||
| + | * Configuration File approach | ||
| + | * Process priority throttling | ||
| + | |||
| + | === Information Acquired through RAPIER === | ||
| + | |||
| + | * Complete list of running processes | ||
| + | * Locations of those processes on disk | ||
| + | * Ports those processes are using | ||
| + | * Checksums for all running processes | ||
| + | * Memory dumps for all running processes | ||
| + | * All DLLS currently loaded and their checksum | ||
| + | * Last Modify/Access/Create times ([[MAC times]]) for designated areas | ||
| + | * All files that are currently open | ||
| + | * Net (start/share/user/file/session) | ||
| + | * Output from nbtstat and [[netstat]] | ||
| + | * All open shares/exports on system | ||
| + | * Current routing tables | ||
| + | * List of all network connections | ||
| + | * Layer3 traffic samples | ||
| + | * Logged in users | ||
| + | * System Startup Commands | ||
| + | * [[MAC address]] | ||
| + | * List of installed services | ||
| + | * Local account and policy information | ||
| + | * Current patches installed on system | ||
| + | * Current AV versions | ||
| + | * Files with alternate data streams (ADS) | ||
| + | * Files marked as hidden | ||
| + | * List of all installed software on system (known to registry) | ||
| + | * System logs | ||
| + | * AV logs | ||
| + | * Copies of application caches (temporary internet files) – [[Internet Explorer|IE]], [[Mozilla Firefox|FF]], [[Opera]] | ||
| + | * Export entire registry | ||
| + | * Search/retrieve files based on search criteria. | ||
== See Also == | == See Also == | ||
| Line 9: | Line 70: | ||
== External Links == | == External Links == | ||
| − | * [http:// | + | * [http://code.google.com/p/rapier/ Official website] |
| + | * [http://groups.google.com/group/rapier-development?hl=en Google Discussion Group] | ||
* [http://www.first.org/conference/2006/program/rapier_-_a_1st_responders_info_collection_tool.html Presentation at FIRST Conference 2006] | * [http://www.first.org/conference/2006/program/rapier_-_a_1st_responders_info_collection_tool.html Presentation at FIRST Conference 2006] | ||
Latest revision as of 04:52, 18 January 2014
|
|
Please help to improve this article by expanding it.
|
| RAPIER | |
|---|---|
| Maintainer: | Rapier project |
| OS: | Windows |
| Genre: | Incident Response |
| License: | LGPL |
| Website: | code.google.com/p/rapier/ |
Contents
Description
The Regimented Potential Incident Examination Report (RPIER or RAPIER) is script based incident response tool released under the GPL by Intel. It is a modular framework.
RAPIER is a Windows NT based information gathering framework. It was designed to streamline the acquisition of information off of systems in a large scale enterprise network. It was designed with a pretty simple to use GUI so that end-users could be walked through execution of the tool on a system.
Contact: rapier.securitytool@gmail.com
Features
- Modular Design - all information acquired is through individual modules
- Fully configurable GUI
- SHA1 verification checksums
- Auto-update functionality
- Results can be auto-zipped
- Auto-uploaded to central repository
- Email Notification when results are received
- 2 Default Scan Modes – Fast/Slow
- Separated output for faster analysis
- Pre/Post run changes report
- Configuration File approach
- Process priority throttling
Information Acquired through RAPIER
- Complete list of running processes
- Locations of those processes on disk
- Ports those processes are using
- Checksums for all running processes
- Memory dumps for all running processes
- All DLLS currently loaded and their checksum
- Last Modify/Access/Create times (MAC times) for designated areas
- All files that are currently open
- Net (start/share/user/file/session)
- Output from nbtstat and netstat
- All open shares/exports on system
- Current routing tables
- List of all network connections
- Layer3 traffic samples
- Logged in users
- System Startup Commands
- MAC address
- List of installed services
- Local account and policy information
- Current patches installed on system
- Current AV versions
- Files with alternate data streams (ADS)
- Files marked as hidden
- List of all installed software on system (known to registry)
- System logs
- AV logs
- Copies of application caches (temporary internet files) – IE, FF, Opera
- Export entire registry
- Search/retrieve files based on search criteria.
See Also
List of Script Based Incident Response Tools
