Difference between revisions of "Regimented Potential Incident Examination Report"


Revision as of 16:04, 13 September 2008


Description

The Regimented Potential Incident Examination Report (RPIER or RAPIER) is a script-based incident response tool released under the GPL by Intel. It is a modular framework.

RAPIER is a Windows NT based information gathering framework. It was designed to streamline the acquisition of information from systems in a large-scale enterprise network. It has a simple GUI so that end users can be walked through running the tool on a system.

Contact: rapier.securitytool@gmail.com

Features

  • Modular design: all information is acquired through individual modules
  • Fully configurable GUI
  • SHA1 verification checksums
  • Auto-update functionality
  • Results can be auto-zipped
  • Auto-uploaded to central repository
  • Email Notification when results are received
  • 2 Default Scan Modes – Fast/Slow
  • Separated output for faster analysis
  • Pre/Post run changes report
  • Configuration File approach
  • Process priority throttling
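Two of the features above, SHA1 verification checksums over the collected output and the pre/post run changes report, are worth seeing as working logic because they are what lets an analyst trust a collection that an end user ran unattended. The following is an added example written for this page in Python, not RAPIER's own scripts (which are Windows batch based); the module names such as `processes.txt` and `netstat.txt` are constructed sample output, and the manifest file name `manifest.sha1` is an assumption.

```python
"""Integrity manifest and pre/post-run change report for a collection run.

Added example for this page; not part of RAPIER. It models two listed
features: SHA1 verification checksums over module output, and a report of
what changed on the collected system between the pre-run and post-run
snapshots (so that artifacts created by the collection itself are not
mistaken for attacker activity).
"""
import hashlib
import tempfile
from pathlib import Path


def sha1_hex(data: bytes) -> str:
    """Hex SHA1 of a byte string (the checksum algorithm RAPIER uses)."""
    return hashlib.sha1(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map each output file name to its SHA1 digest, in sorted order."""
    return {name: sha1_hex(data) for name, data in sorted(files.items())}


def verify_manifest(manifest: dict, files: dict) -> list:
    """Return a sorted list of problems: missing, modified or unexpected files.

    An empty list means the output set matches the manifest exactly.
    """
    problems = []
    for name, digest in manifest.items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif sha1_hex(files[name]) != digest:
            problems.append(f"modified: {name}")
    for name in files:
        if name not in manifest:
            problems.append(f"unexpected: {name}")
    return sorted(problems)


def change_report(before: dict, after: dict) -> dict:
    """Diff two snapshots (name -> sha1) taken before and after the run."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(n for n in before if n in after and before[n] != after[n])
    return {"added": added, "removed": removed, "changed": changed}


def snapshot_dir(root: Path) -> dict:
    """Snapshot every regular file under root as relative path -> SHA1."""
    return {
        p.relative_to(root).as_posix(): sha1_hex(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def write_manifest(out_dir: Path, manifest: dict) -> Path:
    """Write 'digest  name' lines, the layout sha1sum -c understands."""
    path = out_dir / "manifest.sha1"  # assumed file name
    path.write_text("".join(f"{d}  {n}\n" for n, d in manifest.items()))
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "target"
        target.mkdir()
        (target / "hosts").write_bytes(b"127.0.0.1 localhost\n")  # constructed
        pre = snapshot_dir(target)

        # Constructed module output, as the collection modules would produce it.
        outputs = {
            "processes.txt": b"PID  Name\n4    System\n",
            "netstat.txt": b"Proto  Local Address  State\n",
        }
        out_dir = Path(tmp) / "output"
        out_dir.mkdir()
        for name, data in outputs.items():
            (out_dir / name).write_bytes(data)
        manifest = build_manifest(outputs)
        print("manifest written to", write_manifest(out_dir, manifest))
        print("verification problems:", verify_manifest(manifest, outputs))

        # Simulate the collection leaving a temp file behind on the target.
        (target / "rapier.tmp").write_bytes(b"scratch")  # constructed
        post = snapshot_dir(target)
        print("pre/post changes:", change_report(pre, post))
```

The manifest is written in the two-space `digest  name` layout so it can be checked later with standard tooling, and the change report separates added, removed and changed paths so that files the collection itself created (the `rapier.tmp` above) can be excluded from the analyst's timeline.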

Information Acquired through RAPIER

  • Complete list of running processes
  • Locations of those processes on disk
  • Ports those processes are using
  • Checksums for all running processes
  • Memory dumps for all running processes
  • All DLLs currently loaded and their checksums
  • Last Modify/Access/Create times (MAC times) for designated areas
  • All files that are currently open
  • Net (start/share/user/file/session)
  • Output from nbtstat and netstat
  • All open shares/exports on system
  • Current routing tables
  • List of all network connections
  • Layer 3 traffic samples
  • Logged in users
  • System Startup Commands
  • MAC address
  • List of installed services
  • Local account and policy information
  • Current patches installed on system
  • Current AV versions
  • Files with alternate data streams (ADS)
  • Files marked as hidden
  • List of all installed software on system (known to registry)
  • System logs
  • AV logs
  • Copies of application caches (temporary internet files) – IE, FF, Opera
  • Export entire registry
  • Search/retrieve files based on search criteria.

See Also

List of Script Based Incident Response Tools

External Links

  • Official website: http://code.google.com/p/rapier/
  • Google Discussion Group: http://groups.google.com/group/rapier-development?hl=en
  • Presentation at FIRST Conference 2006: http://www.first.org/conference/2006/program/rapier_-_a_1st_responders_info_collection_tool.html