Regimented Potential Incident Examination Report
From Forensics Wiki
Revision by Pdxsharkey
External Links
- Official website: http://code.google.com/p/rapier/
- Google Discussion Group: http://groups.google.com/group/rapier-development?hl=en
- Presentation at FIRST Conference 2006: http://www.first.org/conference/2006/program/rapier_-_a_1st_responders_info_collection_tool.html
Category: Incident response tools
Latest revision as of 15:04, 13 September 2008
Description
The Regimented Potential Incident Examination Report (RPIER or RAPIER) is a script-based incident response tool released under the GPL by Intel. It is a modular framework.
RAPIER is a Windows NT-based information gathering framework designed to streamline the acquisition of information from systems in a large-scale enterprise network. It has a simple GUI so that end users can be walked through running the tool on a system.
Contact: rapier.securitytool@gmail.com
Features
- Modular Design - all information acquired is through individual modules
- Fully configurable GUI
- SHA1 verification checksums
- Auto-update functionality
- Results can be auto-zipped
- Results can be auto-uploaded to a central repository
- Email notification when results are received
- Two default scan modes: Fast and Slow
- Separated output for faster analysis
- Pre/Post run changes report
- Configuration File approach
- Process priority throttling
Information Acquired through RAPIER
- Complete list of running processes
- Locations of those processes on disk
- Ports those processes are using
- Checksums for all running processes
- Memory dumps for all running processes
- All DLLs currently loaded and their checksums
- Last Modify/Access/Create times (MAC times) for designated areas
- All files that are currently open
- Output from net start, net share, net user, net file and net session
- Output from nbtstat and netstat
- All open shares/exports on system
- Current routing tables
- List of all network connections
- Layer 3 traffic samples
- Logged in users
- System Startup Commands
- MAC address
- List of installed services
- Local account and policy information
- Current patches installed on system
- Current antivirus (AV) versions
- Files with alternate data streams (ADS)
- Files marked as hidden
- List of all installed software on system (known to registry)
- System logs
- AV logs
- Copies of browser caches (temporary internet files): Internet Explorer, Firefox, Opera
- Export entire registry
- Search for and retrieve files based on search criteria
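Taken together, the Features list and the list above describe a first-responder collection procedure. The script below is an added example written for this page, not RAPIER's own code (RAPIER predates PowerShell and targets Windows NT). It implements a cut-down version of the same procedure in PowerShell: one output file per module, SHA1 verification checksums over the results, a pre/post run changes report, process priority throttling and a zipped archive ready for upload. It assumes Windows 8 / Server 2012 or later with PowerShell 5.1 (for Get-NetTCPConnection and Compress-Archive), an elevated prompt, and a hypothetical $Designated list standing in for RAPIER's "designated areas"; the output directory and module file names are this example's own choices. Memory dumps and Layer 3 traffic samples are left out because they need external tooling (a process dumper and a capture driver).

```powershell
# Added example, not RAPIER's own code: a cut-down RAPIER-style collector.
# Assumes Windows 8 / Server 2012 or later with PowerShell 5.1 and an elevated prompt.
# $Designated stands in for RAPIER's "designated areas" and is this example's choice.
param(
    [string]$OutDir = (Join-Path $env:TEMP ("collect_{0}_{1:yyyyMMdd_HHmmss}" -f $env:COMPUTERNAME, (Get-Date))),
    [string[]]$Designated = @("$env:SystemRoot\Temp", "$env:SystemRoot\System32\Tasks")
)
$ErrorActionPreference = 'Continue'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
# Process priority throttling: the collector should not starve the user's workload.
(Get-Process -Id $PID).PriorityClass = 'BelowNormal'

# One file per module (separated output); native-command stderr is kept with the output.
function Save-Module([string]$Name, [scriptblock]$Collector) {
    $path = Join-Path $OutDir "$Name.txt"
    try   { & $Collector 2>&1 | Out-String -Width 4096 | Out-File -LiteralPath $path -Encoding UTF8 }
    catch { "ERROR: $_" | Out-File -LiteralPath $path -Encoding UTF8 }
}

# Volatile-state snapshot used for the pre/post run changes report.
function Get-Snapshot {
    $procs = Get-Process | ForEach-Object { 'PROC {0} {1}' -f $_.Id, $_.ProcessName }
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue | ForEach-Object {
        'TCP {0}:{1} -> {2}:{3} {4} pid={5}' -f $_.LocalAddress, $_.LocalPort, $_.RemoteAddress, $_.RemotePort, $_.State, $_.OwningProcess }
    @($procs) + @($conns)
}
$pre = Get-Snapshot

# Running processes: on-disk location, ports in use and SHA1 of the image file.
Save-Module 'Processes' {
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue
    Get-Process | ForEach-Object {
        $p = $_
        $ports = ($conns | Where-Object { $_.OwningProcess -eq $p.Id } | Select-Object -ExpandProperty LocalPort -Unique) -join ','
        $sha1  = if ($p.Path) { (Get-FileHash -Algorithm SHA1 -LiteralPath $p.Path -ErrorAction SilentlyContinue).Hash }
        [pscustomobject]@{ PID = $p.Id; Name = $p.ProcessName; Path = $p.Path; Ports = $ports; SHA1 = $sha1 }
    } | Format-Table -AutoSize
}
# Every DLL loaded by any process, de-duplicated, with its SHA1 (protected processes are skipped).
Save-Module 'LoadedModules' {
    Get-Process | ForEach-Object { try { $_.Modules.FileName } catch { } } | Sort-Object -Unique |
        ForEach-Object { '{0}  {1}' -f (Get-FileHash -Algorithm SHA1 -LiteralPath $_ -ErrorAction SilentlyContinue).Hash, $_ }
}
# Network state, shares, sessions and users via the native tools RAPIER wraps.
Save-Module 'Netstat'  { netstat -anob }
Save-Module 'Nbtstat'  { nbtstat -n; nbtstat -c }
Save-Module 'Routes'   { route print; arp -a }
Save-Module 'Adapters' { ipconfig /all; getmac /v }
Save-Module 'Net'      { net start; net share; net user; net file; net session }
Save-Module 'Users'    { whoami /all; query user; net accounts; net localgroup administrators }
# Persistence, services, patch level and antivirus registration.
Save-Module 'Startup' {
    Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User | Format-Table -AutoSize
    Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run*', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run*' -ErrorAction SilentlyContinue
}
Save-Module 'Services' { Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, StartName, PathName | Format-Table -AutoSize }
Save-Module 'Patches'  { Get-HotFix | Select-Object HotFixID, Description, InstalledOn | Sort-Object InstalledOn }
Save-Module 'AntiVirus' {
    # root/SecurityCenter2 exists on client SKUs only; servers yield nothing here.
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object displayName, productState, pathToSignedProductExe
}
Save-Module 'InstalledSoftware' {
    Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object DisplayName | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Sort-Object DisplayName | Format-Table -AutoSize
}
# MAC times, hidden attribute and alternate data streams for the designated areas.
Save-Module 'DesignatedAreas' {
    $files = Get-ChildItem -LiteralPath $Designated -Recurse -Force -File -ErrorAction SilentlyContinue
    $files | Select-Object FullName, LastWriteTime, LastAccessTime, CreationTime,
        @{ n = 'Hidden'; e = { [bool]($_.Attributes -band [IO.FileAttributes]::Hidden) } } | Format-Table -AutoSize
    '--- Alternate data streams ---'
    $files | Get-Item -Stream * -ErrorAction SilentlyContinue | Where-Object Stream -ne ':$DATA' |
        Select-Object FileName, Stream, Length | Format-Table -AutoSize
}
# Event logs and registry hives in their native formats (HKLM is large and slow to export).
foreach ($log in 'System', 'Security', 'Application') { wevtutil epl $log (Join-Path $OutDir "$log.evtx") }
foreach ($hive in 'HKLM', 'HKU', 'HKCU') { reg export $hive (Join-Path $OutDir "$hive.reg") /y | Out-Null }

# Pre/post run changes report: processes and connections that appeared or vanished during the run.
Compare-Object -ReferenceObject $pre -DifferenceObject (Get-Snapshot) |
    ForEach-Object { '{0} {1}' -f $(if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }), $_.InputObject } |
    Out-File -LiteralPath (Join-Path $OutDir 'PrePostChanges.txt') -Encoding UTF8
# SHA1 verification checksums over every result file, then one archive for upload.
Get-ChildItem -LiteralPath $OutDir -File | Get-FileHash -Algorithm SHA1 |
    ForEach-Object { '{0}  {1}' -f $_.Hash, (Split-Path -Leaf $_.Path) } |
    Out-File -LiteralPath (Join-Path $OutDir 'SHA1SUMS.txt') -Encoding UTF8
Compress-Archive -Path (Join-Path $OutDir '*') -DestinationPath "$OutDir.zip" -Force
'{0}  {1}' -f (Get-FileHash -Algorithm SHA1 -LiteralPath "$OutDir.zip").Hash, "$OutDir.zip"
```

Two design points matter for evidence handling. The snapshot is taken before any module runs and again after, so the changes report separates what the collector itself did (its own process, its connection to a repository) from what changed on the host during the run, and the SHA1SUMS.txt file is produced last so that every result file, including the event log and registry exports, is covered before the archive is built; record the printed hash of the zip out-of-band so the upload can be verified on receipt.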
See Also
List of Script Based Incident Response Tools