intel r regimented potential incident examination report
play

Intel (R) Regimented Potential Incident Examination Report: An - PowerPoint PPT Presentation

Apr 12, 2023 •166 likes •442 views

Intel (R) Regimented Potential Incident Examination Report: An information gathering windows framework Steve Mancini Joe Schwendt 2006 FIRST Conference R.P.I.E.R. ? R egimented P otential I ncident E xamination R eport June 29, 2006 RAPIER

  1. Intel (R) Regimented Potential Incident Examination Report: An information gathering windows framework Steve Mancini Joe Schwendt 2006 FIRST Conference

  2. R.P.I.E.R. ? R egimented P otential I ncident E xamination R eport June 29, 2006 RAPIER - 2006 FIRST Conference 2

  3. What’s in a Name? RAPIER vs RPIER Intel (R) RPIER is the name of the official GPL release of the tool. So please erase the A from all your presentations when you get home so we don’t get fired. ☺ June 29, 2006 RAPIER - 2006 FIRST Conference 3

  4. Introduction to RPIER RPIER is.. RPIER is not.. RPIER is a modular RPIER is not a forensics tool. incident response framework designed to It does not honor most acquire commonly industry guidelines for a requested information proper forensics during an internal examination with regard event, incident, or to not affecting the image investigation in an or files upon the system easy, consistent manner. RPIER was a way for a unix guy (Steve) to gather windows data in the environment. June 29, 2006 RAPIER - 2006 FIRST Conference 4

  5. Attribution Jesse Kornblum FRED First Responders Evidence Disk June 29, 2006 RAPIER - 2006 FIRST Conference 5

  6. Purpose for RPIER 4:25 The worst time to learn how to acquire information from � a system is during the incident. Common reaction to an event is to patch, run AV � scanners, spyware scanners, automatic OS updater, etc to get it working condition as soon as possible. Not everyone � (1) knows how to acquire the requested information nor � (2) do they acquire it in the same fashion � June 29, 2006 RAPIER - 2006 FIRST Conference 6

  7. Incident Handling BKMs � Introduce a limited number of decisions by the 1st responder that could result in differing results � Automate where possible to free up incident handler’s focus for bigger event issues � Provide a complete lifecycle for information gathering from start to delivery of data � Expedite the acquisition of information since time is of the essence � Comprehend all data that could be requested by analysts and gathers it during 1st execution of the tool June 29, 2006 RAPIER - 2006 FIRST Conference 7

  8. RPIER: Work Flow Download Update Select Execute Upload Notify Analysis June 29, 2006 RAPIER - 2006 FIRST Conference 8

  9. RPIER Features Stand Alone � Modular Design � Fully configurable GUI � SHA1 verification checksums � Auto-update functionality � Results can be auto-zipped � Auto-uploaded to central � repository Email Notification when � results are received 2 Quick Scan Modes – � Fast/Slow Separated output for faster � analysis Pre/Post run changes report � Fully automatable via � command line and conf file Process affinity throttling � June 29, 2006 RAPIER - 2006 FIRST Conference 9

  10. Command Line Arguments � Data Bundling Options � Program Execution Priority � Email Header Information � Path Definitions � Webservice URLs � Integrity Check options � And a whole lot more... June 29, 2006 RAPIER - 2006 FIRST Conference 10

  11. Under the Hood: RPIER Architecture June 29, 2006 RAPIER - 2006 FIRST Conference 11

  12. RPIER Requirements � Windows NT* based Operating System � Microsoft .NET* Framework 1.1+ � Microsoft WSH* (Windows Scripting Host) 5.6+ � Microsoft WMI* (Windows Management Interface) 1.5+ June 29, 2006 RAPIER - 2006 FIRST Conference 12

  13. Engine Operational Flow - Launch � Load RPIER.Conf file � Interpret command line options � Auto Update check (Optional) � Auto Update if necessary (Optional) � Restart EXE (if updated) � Load Modules � Display GUI (Optional) June 29, 2006 RAPIER - 2006 FIRST Conference 13

  14. Engine Operational Flow - Execute � Pre-Run Forensics Checkpoint (Optional) � Run Each Selected Module � Compress results (Optional) � Upload results (Optional) � Post-Run Forensics Checkpoint and Differential Analysis (Optional) � Send Email Notification (Optional) June 29, 2006 RAPIER - 2006 FIRST Conference 14

  15. RPIER Networking Uses the http (optionally https) protocol for all � communication Port is configurable (non-port 80 is recommended) � Webserver can be IIS or Apache on Windows � Multiple servers can be setup for redundancy/load balancing � Enables the following features: � RPIER distribution � Auto-update functionality � Auto-upload functionality � Central Results Repository � Central Documentation Resource � (Manual/Training/FAQ) Manual RPIER upload and non-RPIER upload � June 29, 2006 RAPIER - 2006 FIRST Conference 15

  16. Gathering Information RPIER Modules June 29, 2006 RAPIER - 2006 FIRST Conference 16

  17. RPIER Module Architecture � Based on VBScript � RPIER.vbi is a large library of VBScript functions to reference � Modules can have individual conf files to allow for end user configuration � Modules are stand alone � Can be added/removed at will � Allows for independent development/testing June 29, 2006 RAPIER - 2006 FIRST Conference 17

  18. Feature Module Output Volatile Information Static Information complete list of running processes System Name � � locations of those processes on disk System Startup Commands � � ports those processes are using Copies of application cache � � (temporary internet files) Net (start/share/user/file/session) � Uptime � Layer3 traffic samples � Local account and policy � Output from nbtstat and netstat � information Dump memory for all running � List of all files with alternate data � processes streams Checksums for all running � Capture list of services installed on � processes the system Capture last Modify/Access/Create � Discover files marked as hidden � times for designated areas Export entire registry � Document all open shares/exports � on system Current patches installed on system � All files that are currently open Current AV versions � � Capture current routing tables List of all installed software on � � system (known to registry) All DLLS currently loaded and their � checksum Capture all logs (system + � application specific) capture logged in users � MAC address � list of all network connections � Search/retrieve files based on � search criteria. June 29, 2006 RAPIER - 2006 FIRST Conference 18

  19. Output � Output is stored in directory path: SystemName\DATE\TIME\ � Format: ASCII text June 29, 2006 RAPIER - 2006 FIRST Conference 19

  20. How to Interpret the Results To teach you this would require several months (years?) of training and education in operating systems internals, hacking techniques, malware behavior, etc. Ultimately, the results must be reviewed by people with sufficient knowledge of your environment to be able to discern the odd from the routine. June 29, 2006 RAPIER - 2006 FIRST Conference 20

  21. Start Demo Here June 29, 2006 RAPIER - 2006 FIRST Conference 21

  22. Over the Horizon Where do we go from here? � Validate on VISTA � *NIX. Ask us after the talk... � More Modules! (of course) � Alternate output formats � Program to parse output for interesting results June 29, 2006 RAPIER - 2006 FIRST Conference 22

  23. Release of the Tool https://sourceforge.net/projects/rpier sourceforge.net/projects/rpier/ / https:// Build Notes: � Certain modules rely upon licensed software, or on tools we could not get permission to bundle with a GPL license. � We’ve made it as easy as possible – acquire these on your own and drop into Module folders to get them working. June 29, 2006 RAPIER - 2006 FIRST Conference 23

  24. Contributions & Feedback Have an idea for module? Have code ready to drop into a module we don’t already have? Have ideas how to improve it? Contact us: RPIER.securitytool@gmail.com RPIER.securitytool@gmail.com http://groups.google.com/group/rpier June 29, 2006 RAPIER - 2006 FIRST Conference 24

  25. Questions? June 29, 2006 RAPIER - 2006 FIRST Conference 25

  26. Caveat The opinions expressed in this presentation are those of the authors and may not reflect the opinions of our employer. June 29, 2006 RAPIER - 2006 FIRST Conference 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

14.8 No student shall attempt to contact examiners or potential examiners concerning the

14.8 No student shall attempt to contact examiners or potential examiners concerning the

14.8 No student shall attempt to contact examiners or potential examiners concerning the examination or concerning any matter which could affect the examination. 14.9 After successful completion of all stages of the examination an electronic copy

287 views • 4 slides
Incident Cause Analysis Method (ICAM) Report LDVs HEAD ON COLLISION POINTS OF DISCUSSION

Incident Cause Analysis Method (ICAM) Report LDVs HEAD ON COLLISION POINTS OF DISCUSSION

Incident Cause Analysis Method (ICAM) Report LDVs HEAD ON COLLISION POINTS OF DISCUSSION Incident information Incident description Incident Scene Sequence of events Failure analysis Root cause process flow Key

452 views • 12 slides
Should I Worry? A Cross-Cultural Examination of Account Security Incident Response Elissa

Should I Worry? A Cross-Cultural Examination of Account Security Incident Response Elissa

Should I Worry? A Cross-Cultural Examination of Account Security Incident Response Elissa M. Redmiles @eredmil1 eredmiles@cs.umd.edu How do users respond when their accounts are attacked? Elissa M. Redmiles 2 Cross cultural interview

426 views • 25 slides
Special Examination Report released August 28, 2019. The special examination looked at all

Special Examination Report released August 28, 2019. The special examination looked at all

Retirement Systems in Kentucky Special Examination Report released August 28, 2019. The special examination looked at all three Kentucky retirement systems: KRS, TRS and JFRS. In 2017, the General Assembly unanimously passed Senate

286 views • 17 slides
Behavior through Data: Behavior Incident Report System Myrna Veguilla Lise Fox University of

Behavior through Data: Behavior Incident Report System Myrna Veguilla Lise Fox University of

Addressing Challenging Behavior through Data: Behavior Incident Report System Myrna Veguilla Lise Fox University of South Florida Agenda Introduction to the Behavior Incident Report System BIRS Excel Spreadsheet Questions Our goal is

863 views • 31 slides
RANDY G. FISCHER Discusses potential characteristics of an active shooter Potential warning

RANDY G. FISCHER Discusses potential characteristics of an active shooter Potential warning

RANDY G. FISCHER Discusses potential characteristics of an active shooter Potential warning signs for an active shooter Strategies for surviving an incident Law Enforcements response to an active shooter incident Incidents of Active Shooters

745 views • 35 slides
Exam Presentation Policy Purpose Examination programmes are a serious matter with potential

Exam Presentation Policy Purpose Examination programmes are a serious matter with potential

Exam Presentation Policy Purpose Examination programmes are a serious matter with potential influence and repercussions not only for individual children, but upon the whole school. It is therefore vital that this is recognised by policy with

147 views • 3 slides
Incident/Accident Prevention Program Training Objectives: At the end of the session, team members

Incident/Accident Prevention Program Training Objectives: At the end of the session, team members

Incident/Accident Prevention Program Training Objectives: At the end of the session, team members should be familiar with: Building Effective Safety Incident Prevention Teams Accident Report Policy Fit for Duty Incident Scenarios

684 views • 22 slides
AGGRESSIVE DOG REGULATIONS AND INCIDENT REPORT PART II - SHOW 14.10 (a) It is the obligation

AGGRESSIVE DOG REGULATIONS AND INCIDENT REPORT PART II - SHOW 14.10 (a) It is the obligation

AGGRESSIVE DOG REGULATIONS AND INCIDENT REPORT PART II - SHOW 14.10 (a) It is the obligation of each owner, exhibitor and handler at a show to take all such steps as may be necessary to ensure that any dog under that person's care or control

554 views • 23 slides
THE EXAMINATION BOARD INFORMATION ABOUT THE EXAMINATION BOARD Luuk Schoenmakers, LLM, MSc

THE EXAMINATION BOARD INFORMATION ABOUT THE EXAMINATION BOARD Luuk Schoenmakers, LLM, MSc

THE EXAMINATION BOARD INFORMATION ABOUT THE EXAMINATION BOARD Luuk Schoenmakers, LLM, MSc Chairman examination board SM&O/ISMB 1 CONTENT What is the examination board? What is the TER? BSA first year Fraud/plagiarism 2

459 views • 15 slides
August 25, 2011 Purpose of Report Concluding a CDC calendar year Report on activities

August 25, 2011 Purpose of Report Concluding a CDC calendar year Report on activities

Report Presented by --Healthy Hawai`i Initiative August 25, 2011 Purpose of Report Concluding a CDC calendar year Report on activities conducted and data collected -Potential to serve as model for other communities -Potential to receive

756 views • 42 slides
Excellence Academics Spirit Tradition Deans Office Reasons to Visit Report an incident -

Excellence Academics Spirit Tradition Deans Office Reasons to Visit Report an incident -

2018-2019 Dean Welcome to Oswego East and the Wolf Pack! Excellence Academics Spirit Tradition Deans Office Reasons to Visit Report an incident - seek help Obtain a parking permit Acquire a new ID ($5) / Student Planner / String

362 views • 25 slides
Natural Gas in the United States Report of the Potential Gas Committee (December 31, 2012)

Natural Gas in the United States Report of the Potential Gas Committee (December 31, 2012)

Potential Supply of Natural Gas in the United States Report of the Potential Gas Committee (December 31, 2012) Washington, D.C. April 9, 2013 Potential Gas Committee 100 Volunteer geoscientists & petroleum engineers Biennial

189 views • 16 slides
STATUS REPORT R E G I O N A L C O U N C I L PRESENTED BY CHIEF CHRIS MCCORD Framework

STATUS REPORT R E G I O N A L C O U N C I L PRESENTED BY CHIEF CHRIS MCCORD Framework

PEEL REGIONAL POLICE STATUS REPORT R E G I O N A L C O U N C I L PRESENTED BY CHIEF CHRIS MCCORD Framework ADIPICSING ELIT Critical and Non-critical Incident Response Mitigating Situations of Elevated Risk INCIDENT RESPONSE Proactively

198 views • 19 slides
The High-Yield Examination Approach Neurologic Examination Two types of neurologic

The High-Yield Examination Approach Neurologic Examination Two types of neurologic

3/15/2016 The High-Yield Examination Approach Neurologic Examination Two types of neurologic examinations 1. Screening Examination 2. Testing Hypotheses Select high-yield tests and techniques S. Andrew Josephson MD Carmen

308 views • 11 slides
Incident Action Planning in the EOC GGC NHC 2018 GGC NHC 2018 Incident Action Planning EOC

Incident Action Planning in the EOC GGC NHC 2018 GGC NHC 2018 Incident Action Planning EOC

Incident Action Planning in the EOC GGC NHC 2018 GGC NHC 2018 Incident Action Planning EOC plans are typically more strategic than field IAPs A planning process helps synchronize operations and ensure they support incident objectives

510 views • 34 slides
From Last Time What makes a Smart Community Right info, right time Services that

From Last Time What makes a Smart Community Right info, right time Services that

From Last Time What makes a Smart Community Right info, right time Services that citizens use easily Interoperability Innovation right for community Governanceformal or lose -knit Roles of Technology Link

417 views • 9 slides
Optimal Portfolio Under Worst-Case Scenarios Carole Bernard (UW), Jit Seng Chen (UW) and Steven

Optimal Portfolio Under Worst-Case Scenarios Carole Bernard (UW), Jit Seng Chen (UW) and Steven

Optimal Portfolio Under Worst-Case Scenarios Carole Bernard (UW), Jit Seng Chen (UW) and Steven Vanduffel (Vrije Universiteit Brussel) Samos, June 2012. Carole Bernard Optimal Portfolio 1/20 Introduction Diversification Strategies Tail

406 views • 23 slides
Creating Planning Portfolios with Predictive Models Defense March 23, 2017 Isabel Cenamor

Creating Planning Portfolios with Predictive Models Defense March 23, 2017 Isabel Cenamor

Creating Planning Portfolios with Predictive Models Defense March 23, 2017 Isabel Cenamor icenamor@inf.uc3m.es Advisors: Toms de la Rosa and Fernando Fernndez Departamento de Informtica Outline 1 1. Introduction 2. State-of-the-art

1.12k views • 73 slides
Portfolio Composition Dakota Wixom Quantitative Analyst | QuantCourse.com DataCamp Introduction

Portfolio Composition Dakota Wixom Quantitative Analyst | QuantCourse.com DataCamp Introduction

DataCamp Introduction to Portfolio Risk Management in Python INTRODUCTION TO PORTFOLIO RISK MANAGEMENT IN PYTHON Portfolio Composition Dakota Wixom Quantitative Analyst | QuantCourse.com DataCamp Introduction to Portfolio Risk Management in

693 views • 34 slides
Linear Regression An Error Function: Least Squared Error } For a chosen set of weights, w , we can

Linear Regression An Error Function: Least Squared Error } For a chosen set of weights, w , we can

The General Learning Problem } We want to learn functions from inputs to outputs, where each input has n features: Inputs h x 1 , x 2 , . . . , x n i , with each feature x i from domain X i . Outputs y from domain Y . Function to learn: f : X 1

618 views • 7 slides
Pov over erty ty in in Sea Seattle: ttle: What the 2014 American Community Survey Data T

Pov over erty ty in in Sea Seattle: ttle: What the 2014 American Community Survey Data T

Pov over erty ty in in Sea Seattle: ttle: What the 2014 American Community Survey Data T ells Us Gene e Balk alk The e Seat attle le Times mes Prep epared ed for WCPCs Cs 2015 Pover erty y Summit mmit Univ iver ersity

605 views • 14 slides
State and Local Data Impacting Self Sufficiency for Hoosiers Jessica Fraser, Director, Indiana

State and Local Data Impacting Self Sufficiency for Hoosiers Jessica Fraser, Director, Indiana

State and Local Data Impacting Self Sufficiency for Hoosiers Jessica Fraser, Director, Indiana Institute for Working Families Good Good New News: Poverty decreased from 14.1% in 2016 to 13.5% in 2017 Bad Bad New News: Poverty is still higher

357 views • 18 slides
Our Community in the Bronx and lower Westchester County Economic Indicators Race/ethnicity

Our Community in the Bronx and lower Westchester County Economic Indicators Race/ethnicity

Our Community in the Bronx and lower Westchester County Economic Indicators Race/ethnicity 30% live at or below the poverty line - 50% Hispanic (Dominican Republic, Puerto Rico) 40% of children are at or below poverty - 35% Black or

337 views • 4 slides

More recommend