Regimented Potential Incident Examination Report

From Forensics Wiki

RAPIER
Maintainer: Rapier project
OS: Windows
Genre: Incident Response
License: LGPL
Website: code.google.com/p/rapier/

Description

The Regimented Potential Incident Examination Report (RPIER or RAPIER) is a script-based incident response tool released under the GPL by Intel. It is a modular framework.

RAPIER is a Windows NT-based information gathering framework. It was designed to streamline the acquisition of information from systems in a large-scale enterprise network. It has a simple GUI so that end-users can be walked through running the tool on a system.

Contact: rapier.securitytool@gmail.com

Features

  • Modular design - all information is acquired through individual modules
  • Fully configurable GUI
  • SHA1 verification checksums
  • Auto-update functionality
  • Results can be auto-zipped
  • Auto-uploaded to central repository
  • Email Notification when results are received
  • 2 Default Scan Modes – Fast/Slow
  • Separated output for faster analysis
  • Pre/Post run changes report
  • Configuration File approach
  • Process priority throttling

Information Acquired through RAPIER

  • Complete list of running processes
  • Locations of those processes on disk
  • Ports those processes are using
  • Checksums for all running processes
  • Memory dumps for all running processes
  • All DLLs currently loaded and their checksum
  • Last Modify/Access/Create times (MAC times) for designated areas
  • All files that are currently open
  • Net (start/share/user/file/session)
  • Output from nbtstat and netstat
  • All open shares/exports on system
  • Current routing tables
  • List of all network connections
  • Layer3 traffic samples
  • Logged in users
  • System Startup Commands
  • MAC address
  • List of installed services
  • Local account and policy information
  • Current patches installed on system
  • Current AV versions
  • Files with alternate data streams (ADS)
  • Files marked as hidden
  • List of all installed software on system (known to registry)
  • System logs
  • AV logs
  • Copies of application caches (temporary internet files) – IE, FF, Opera
  • Export entire registry
  • Search/retrieve files based on search criteria
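As an added illustration of the module approach described under Features and of the first items in the list above (this is example code, not a RAPIER module or any part of the project), the PowerShell below gathers running processes, their on-disk locations, image SHA1 checksums, loaded DLLs and TCP ports in use, writes each module to its own output file and lowers its own process priority. It assumes an elevated session on Windows 8/Server 2012 or later (Get-FileHash and Get-NetTCPConnection); $OutDir is a hypothetical output folder.

```powershell
# Example RAPIER-style acquisition modules (not RAPIER's own code). Hypothetical output folder,
# one file per module so results can be analysed separately.
param([string]$OutDir = "C:\RAPIER-Out\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss)")
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Process priority throttling: keep the collector from competing with the host's workload.
[System.Diagnostics.Process]::GetCurrentProcess().PriorityClass = 'BelowNormal'

# SHA1 of a file on disk; protected or missing images (e.g. System, Registry) yield $null.
function Get-Sha1 ([string]$Path) {
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    }
}

# Module 1: running processes, location on disk and checksum of each image.
Get-Process | ForEach-Object {
    [pscustomobject]@{ PID = $_.Id; Name = $_.ProcessName; Path = $_.Path; SHA1 = Get-Sha1 $_.Path }
} | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'processes.csv')

# Module 2: all DLLs currently loaded (de-duplicated) with their checksums.
# Access to some processes is denied to the collector; those are skipped rather than aborting the run.
Get-Process -Module -ErrorAction SilentlyContinue |
    Select-Object -Property ModuleName, FileName -Unique |
    ForEach-Object {
        [pscustomobject]@{ Module = $_.ModuleName; Path = $_.FileName; SHA1 = Get-Sha1 $_.FileName }
    } | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'dlls.csv')

# Module 3: TCP ports in use, with the owning PID so they can be joined to processes.csv.
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'tcp.csv')

# Verification checksums: hash every output file so the collected results can be checked later.
Get-ChildItem -Path $OutDir -File | Get-FileHash -Algorithm SHA1 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'manifest.sha1.csv')
```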

See Also

List of Script Based Incident Response Tools

External Links