Regimented Potential Incident Examination Report

From ForensicsWiki
Latest revision as of 05:52, 18 January 2014


RAPIER
Maintainer: Rapier project
OS: Windows
Genre: Incident Response
License: LGPL
Website: code.google.com/p/rapier/

Description

The Regimented Potential Incident Examination Report (RPIER or RAPIER) is a script-based incident response tool released under the GPL by Intel. It is a modular framework: every piece of information it gathers is produced by an individual module, so the set of artifacts collected can be tailored to the deployment.

RAPIER is a Windows NT-based information-gathering framework, designed to streamline the acquisition of information from systems across a large enterprise network. Its GUI is deliberately simple, so that end users can be walked through running the tool on their own machine.

Contact: rapier.securitytool@gmail.com

Features

  • Modular design: all information is acquired through individual modules
  • Fully configurable GUI
  • SHA-1 verification checksums
  • Auto-update functionality
  • Results can be auto-zipped
  • Results can be auto-uploaded to a central repository
  • Email notification when results are received
  • Two default scan modes: Fast and Slow
  • Separated output for faster analysis
  • Pre/post run changes report
  • Configuration-file approach
  • Process priority throttling
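The following PowerShell script is an added example written for this page, not RAPIER's own source: it implements the feature list above in miniature, with modules selected by scan mode, one output file per module, a pre/post snapshot diff, a SHA-1 manifest the receiver can re-check, and a zip of the result. It assumes Windows PowerShell 5.1 or later on Windows 8/Server 2012 or later (for Compress-Archive and Get-NetTCPConnection); the module names, the Fast/Slow assignment, the output layout and the manifest format are the example's own choices.

```powershell
# Added example for this page, not RAPIER's own code: a miniature collector
# that shows the features listed above. Assumes Windows PowerShell 5.1+ on
# Windows 8/2012 or later; module names, the Fast/Slow split, the output
# layout and the manifest format are this example's choices.
param(
    [ValidateSet('Fast', 'Slow')] [string]$Mode = 'Fast',
    [string]$OutRoot = (Join-Path $env:TEMP "collect-$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMdd-HHmmss)")
)

function Get-Snapshot {
    # State the collector must not silently alter: live PIDs and TCP listeners.
    $listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }
    [pscustomobject]@{
        Processes = @(Get-Process | ForEach-Object { [string]$_.Id })
        Listeners = @($listen | Sort-Object -Unique)
    }
}

function Get-Delta([string[]]$Before, [string[]]$After) {
    # Two-way set difference, done by hand because Compare-Object rejects an
    # empty array on either side.
    [pscustomobject]@{
        Added   = @($After  | Where-Object { $Before -notcontains $_ })
        Removed = @($Before | Where-Object { $After  -notcontains $_ })
    }
}

function Write-Manifest([string]$Dir) {
    # SHA-1 verification checksums: list the files first so the manifest
    # never lists itself, then write one "hash  name" line per file.
    $files = Get-ChildItem -LiteralPath $Dir -File
    $files | ForEach-Object { Get-FileHash -Algorithm SHA1 -LiteralPath $_.FullName } |
        ForEach-Object { "$($_.Hash)  $(Split-Path -Leaf $_.Path)" } |
        Set-Content -LiteralPath (Join-Path $Dir 'SHA1SUMS.txt')
}

function Test-Manifest([string]$Dir) {
    # Receiver-side check: every listed file present with an unchanged hash.
    $ok = $true
    foreach ($line in Get-Content -LiteralPath (Join-Path $Dir 'SHA1SUMS.txt')) {
        $hash, $name = $line -split '\s+', 2
        $f = Join-Path $Dir $name
        if (-not (Test-Path -LiteralPath $f) -or
            (Get-FileHash -Algorithm SHA1 -LiteralPath $f).Hash -ne $hash) {
            Write-Warning "integrity failure: $name"
            $ok = $false
        }
    }
    return $ok
}

# Process priority throttling: collection must not starve the host.
(Get-Process -Id $PID).PriorityClass = 'BelowNormal'

# Configuration-file approach, inlined here: each module is a name, the scan
# modes it belongs to, and the scriptblock that produces its records.
$Modules = @(
    @{ Name = 'processes'; Modes = 'Fast', 'Slow'
       Run = { Get-Process | Select-Object Id, ProcessName, Path } }
    @{ Name = 'services'; Modes = 'Fast', 'Slow'
       Run = { Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName } }
    @{ Name = 'loaded-dlls'; Modes = 'Slow'
       Run = { Get-Process | ForEach-Object { try { $_.Modules } catch { } } |
               Select-Object ModuleName, FileName -Unique } }
)

New-Item -ItemType Directory -Path $OutRoot -Force | Out-Null
$pre = Get-Snapshot

# Separated output: one file per module, so analysis can start on the fast
# modules while slow ones run, and one failure does not lose the rest.
foreach ($m in $Modules | Where-Object { $_.Modes -contains $Mode }) {
    try {
        & $m.Run | Export-Csv -NoTypeInformation -LiteralPath (Join-Path $OutRoot "$($m.Name).csv")
    } catch {
        "ERROR: $($_.Exception.Message)" | Set-Content -LiteralPath (Join-Path $OutRoot "$($m.Name).error.txt")
    }
}

# Pre/post run changes report: processes or listeners that appeared or vanished
# during the run are the collector's footprint, or something reacting to it.
$post = Get-Snapshot
$p = Get-Delta $pre.Processes $post.Processes
$l = Get-Delta $pre.Listeners $post.Listeners
@(
    "Mode: $Mode"
    "Processes added   : $($p.Added -join ', ')"
    "Processes removed : $($p.Removed -join ', ')"
    "Listeners added   : $($l.Added -join ', ')"
    "Listeners removed : $($l.Removed -join ', ')"
) | Set-Content -LiteralPath (Join-Path $OutRoot 'pre-post-changes.txt')

Write-Manifest $OutRoot
if (-not (Test-Manifest $OutRoot)) { throw "manifest self-check failed in $OutRoot" }

# Results auto-zipped for upload; the manifest travels inside the archive.
Compress-Archive -Path (Join-Path $OutRoot '*') -DestinationPath "$OutRoot.zip" -Force
"$OutRoot.zip"
```

The order matters: the manifest is written after all module output exists and before the archive is built, so whoever receives the zip can extract it, run Test-Manifest against the directory and know whether anything changed in transit or on the receiving share. The pre/post report is written even when every line is empty; an empty report is evidence too.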

Information Acquired through RAPIER

  • Complete list of running processes
  • Locations of those processes on disk
  • Ports those processes are using
  • Checksums for all running processes
  • Memory dumps for all running processes
  • All DLLs currently loaded, with their checksums
  • Last Modify/Access/Create times (MAC times) for designated areas
  • All files that are currently open
  • Output of net start/share/user/file/session
  • Output of nbtstat and netstat
  • All open shares/exports on system
  • Current routing tables
  • List of all network connections
  • Layer 3 traffic samples
  • Logged in users
  • System Startup Commands
  • MAC address
  • List of installed services
  • Local account and policy information
  • Current patches installed on system
  • Current antivirus (AV) versions
  • Files with alternate data streams (ADS)
  • Files marked as hidden
  • List of all installed software on system (known to registry)
  • System logs
  • AV logs
  • Copies of application caches (temporary internet files) – IE, FF, Opera
  • Export entire registry
  • Search for and retrieve files matching given criteria
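As an added illustration, not RAPIER's module code, the PowerShell script below collects a subset of the items above and writes one file per artifact. It assumes Windows PowerShell 5.1 or later on Windows 10/Server 2016 or later (for the Get-Net*, Get-Smb* and Get-Local* cmdlets); the $Target directory that stands in for RAPIER's "designated areas", the output directory and the file names are the example's own choices. Memory dumps and traffic samples need tooling that is not part of a stock Windows install and are not shown.

```powershell
# Added example for this page, not RAPIER's module code: PowerShell
# equivalents of a subset of the items listed above, one output file each.
# Assumes Windows PowerShell 5.1+ on Windows 10/2016 or later (Get-Net*,
# Get-Local*, Get-Smb* cmdlets). $Target, the "designated area" for the
# file-system checks, and the output layout are this example's choices.
param(
    [string]$Target = $env:USERPROFILE,
    [string]$Out = (Join-Path $env:TEMP "artifacts-$($env:COMPUTERNAME)")
)
New-Item -ItemType Directory -Path $Out -Force | Out-Null
function Save([string]$Name, $Data) {
    $Data | Export-Csv -NoTypeInformation -LiteralPath (Join-Path $Out "$Name.csv")
}

# TCP endpoints grouped by owning PID. Joining these to the process list ties
# each listener or connection to a specific binary and its hash, which a bare
# netstat listing cannot do.
$byPid = @{}
Get-NetTCPConnection -ErrorAction SilentlyContinue | ForEach-Object {
    $k = [int]$_.OwningProcess
    if (-not $byPid.ContainsKey($k)) { $byPid[$k] = @() }
    $byPid[$k] += "$($_.State) $($_.LocalAddress):$($_.LocalPort)->$($_.RemoteAddress):$($_.RemotePort)"
}

# Running processes, their location on disk, the SHA-1 of that image, and the
# ports they own. Path is empty for protected processes we cannot open.
Save 'processes' (Get-Process | ForEach-Object {
    $hash = if ($_.Path) { (Get-FileHash -Algorithm SHA1 -LiteralPath $_.Path -ErrorAction SilentlyContinue).Hash }
    [pscustomobject]@{
        Id = $_.Id; Name = $_.ProcessName; Path = $_.Path; SHA1 = $hash
        Ports = ($byPid[[int]$_.Id] -join '; ')
    }
})

# Every DLL currently loaded in any process, hashed once per distinct path.
Save 'loaded-dlls' (Get-Process | ForEach-Object { try { $_.Modules } catch { } } |
    Select-Object -ExpandProperty FileName -Unique |
    ForEach-Object { Get-FileHash -Algorithm SHA1 -LiteralPath $_ -ErrorAction SilentlyContinue } |
    Select-Object Path, Hash)

# One walk of the designated area feeds three checks: MAC times, the hidden
# attribute, and alternate data streams (any stream other than ':$DATA').
$entries = Get-ChildItem -LiteralPath $Target -Recurse -Force -ErrorAction SilentlyContinue
Save 'mac-times' ($entries | Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc, LastAccessTimeUtc)
Save 'hidden' ($entries | Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
    Select-Object FullName, Attributes)
Save 'ads' ($entries | Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length)

# Startup commands from the machine and user Run/RunOnce keys.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$startup = foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}
Save 'startup' $startup

# Installed software as the registry knows it, 64- and 32-bit views.
Save 'installed-software' ('HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' |
    ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
    Where-Object DisplayName |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate)

Save 'services' (Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, StartName, PathName)
Save 'patches' (Get-HotFix | Select-Object HotFixID, Description, InstalledBy, InstalledOn)
Save 'local-users' (Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet)
Save 'mac-addresses' (Get-NetAdapter | Select-Object Name, InterfaceDescription, MacAddress, Status)
Save 'routes' (Get-NetRoute | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric)
Save 'shares' (Get-SmbShare | Select-Object Name, Path, Description)
Save 'av-products' (Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, productState, pathToSignedProductExe)

# Text-only outputs kept as the tools print them; quser is absent on some editions.
if (Get-Command quser -ErrorAction SilentlyContinue) {
    quser 2>$null | Set-Content -LiteralPath (Join-Path $Out 'logged-in-users.txt')
}
net accounts | Set-Content -LiteralPath (Join-Path $Out 'account-policy.txt')
# Registry export: the whole HKLM hive is large; drop this line for slow links.
reg.exe export HKLM (Join-Path $Out 'HKLM.reg') /y | Out-Null
$Out
```

Run it elevated, or the process image hashes, loaded-module lists and SecurityCenter query will be incomplete for anything not owned by the current user. The process-to-port join and the per-image SHA-1 are the parts worth keeping even if the rest is replaced by a dedicated collector, since together they let an analyst match a listener to a known-good hash instead of trusting a process name.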

See Also

  • List of Script Based Incident Response Tools

External Links

  • Official website: http://code.google.com/p/rapier/
  • Google Discussion Group: http://groups.google.com/group/rapier-development?hl=en
  • Presentation at FIRST Conference 2006: http://www.first.org/conference/2006/program/rapier_-_a_1st_responders_info_collection_tool.html

Category: Incident response tools