Intel® RPIER 3.1 User Training, Joe Schwendt and Steve Mancini, 7/31/2006


1 Intel® RPIER 3.1 User Training
- Joe Schwendt, Steve Mancini
- 7/31/2006

2 What is RPIER
- Rapid Assessment & Potential Incident Examination Report
- Designed to acquire commonly requested information and samples during an information security event, incident, or investigation

3 How is RPIER used
- Run on suspect machines in an unaltered state
- Collects potential malware samples loaded into memory
- Enumerates recent system changes
- Reports basic system configuration
- Exposes possible backdoors
- Enables some recreation of events
- Scans for known malware

4 RPIER System Requirements
- Windows NT based Operating System
- Supports x86, EM64T or IPF architectures
- Must run from writable disk
- Results Directory must be able to accommodate the size of physical RAM x 1.5. Thus, if a machine has 2 GB of RAM, the Results directory must have 3 GB of free space (only required for some modules)

5 RPIER's GUI: Module Selection Area
- Modules can be selected individually
- Time to run and size of results for each module varies from machine to machine

6 RPIER's GUI: Quick Select Scans
- Fast Scan should run in approximately 10 minutes
- Slow Scan can take up to 2 hours

7 RPIER's GUI: Online Indicator
- Tests the connection to the RPIER server
- Server is used for Version checking and Results Uploading

8 RPIER's GUI: Description field
- Allows clear identification of the reason for the RPIER run
- Included in the notification email and in RPIER.log within the results

9 RPIER's GUI: Run RPIER
- Runs Forensic pre-check (optional)
- Executes all selected modules
- Auto-ZIPs results (optional)
- Auto-uploads results (optional; requires an online connection to the server)
- Runs Forensic post-check (optional)

10 RPIER's GUI: Help Contents
- Displays the RPIER Online Help file

11 RPIER's GUI: Update Version
- Checks to see if the local copy of RPIER requires updating
- Prompts for updating if required

12 RPIER's GUI: About
- Displays the About screen with version information

13 RPIER's GUI: Run
- Performs the same function as the Run RPIER button

14 RPIER's GUI: Open Results Directory
- Opens the results directory via Windows Explorer

15 RPIER's GUI: Upload Results
- Allows uploading the results ZIP file at a later time
- Enabled only when Online
- Useful for uploading results after having been Offline

16 RPIER's GUI: Quick Select Scans
- Clear All Selections
- Fast Scan should run in approximately 10 minutes
- Slow Scan can take up to 2 hours
- All Scan can take over 3 hours and should only be enabled on special request

17 RPIER's GUI: Options
- Displays the Options Screen

18 RPIER's GUI: Module Directory
- The top-level directory in which to find modules
- Should not need to be changed except for a custom developed module set
- Defaults to the Modules directory where RPIER.exe is located

19 RPIER's GUI: Results Directory
- The top-level directory to output results to
- Must be writable
- Defaults to the Results directory where RPIER.exe is located

20 RPIER's GUI: Auto-Zip Results
- The results directory is compressed using standard ZIP compression
- Enabled by default
- Typically reduces results by a factor of 10 (150 MB of results becomes a 15 MB ZIP file)

21 RPIER's GUI: Auto-Upload Results
- The results ZIP file is uploaded to the central RPIER results repository
- Can only be enabled if Auto-Zip is enabled
- Can only be enabled if Online
- If Online, enabled by default

22 RPIER's GUI: Zip Filename
- Name of the ZIP file that will be generated

23 RPIER's GUI: Upload URL
- URL to upload the results to
- This URL needs to be writable but not readable

24 RPIER's GUI: Process Priority
- Allows RPIER to run with a higher or lower than normal process priority setting
- Facilitates running with low priority when launched silently down the wire

25 RPIER's GUI: Forensic Integrity Check
- Enables a pre and post snapshot of the registry
- Enables a post-run pass of MACMatch over the time it took to execute all of the modules
- Adds ~10 minutes to the execution time
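The Forensic Integrity Check exists so the examiner can separate the tool's own footprint from changes that were already on the machine. The Python below is an added example, not RPIER's code or the real MACMatch: it diffs a registry-style snapshot taken before and after a run, and applies a MACMatch-style filter that lists every file with at least one Modified/Accessed/Created timestamp inside the run window. The key paths, file records and timestamps are constructed for illustration and do not come from the presentation.

```python
"""Added example (not RPIER's code): pre/post registry snapshot diff plus a
MACMatch-style timestamp filter, mirroring the Forensic Integrity Check.
Every snapshot, file record and timestamp below is constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# A snapshot maps a registry key path to its values: {value_name: data}.
Snapshot = Dict[str, Dict[str, str]]


def diff_snapshots(before: Snapshot, after: Snapshot) -> dict:
    """Return keys added, keys removed, and (key, value, old, new) tuples
    for values whose data differs between the two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = []
    for key in sorted(set(before) & set(after)):
        old_vals, new_vals = before[key], after[key]
        for name in sorted(set(old_vals) | set(new_vals)):
            if old_vals.get(name) != new_vals.get(name):
                changed.append((key, name, old_vals.get(name), new_vals.get(name)))
    return {"added": added, "removed": removed, "changed": changed}


@dataclass(frozen=True)
class FileRecord:
    path: str
    modified: datetime
    accessed: datetime
    created: datetime


def mac_match(files: List[FileRecord], start: datetime, end: datetime) -> List[Tuple[str, str]]:
    """MACMatch-style filter: return (path, flags) for every file with at
    least one M/A/C timestamp inside [start, end]; flags name which ones."""
    hits = []
    for rec in files:
        flags = "".join(
            flag for flag, ts in (("M", rec.modified), ("A", rec.accessed), ("C", rec.created))
            if start <= ts <= end
        )
        if flags:
            hits.append((rec.path, flags))
    return hits


# --- constructed sample data (hypothetical paths and times) ------------------
RUN_START = datetime(2006, 7, 31, 9, 0, 0)
RUN_END = RUN_START + timedelta(minutes=45)

BEFORE: Snapshot = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {"Updater": r"C:\Tools\upd.exe"},
    r"HKLM\System\CurrentControlSet\Services\ExampleSvc": {"Start": "2"},
}
AFTER: Snapshot = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Updater": r"C:\Tools\upd.exe",
        "Helper": r"C:\Temp\helper.exe",  # value added while the modules ran
    },
    r"HKLM\System\CurrentControlSet\Services\ExampleSvc": {"Start": "4"},  # data changed
    r"HKLM\Software\ExampleTool\LastRun": {"Time": "2006-07-31T09:00:00"},  # key added
}

FILES = [
    # the tool's own log: all three timestamps fall inside the run window
    FileRecord(r"C:\RPIER\Results\RPIER.log", RUN_END, RUN_END, RUN_START),
    # a hive read during the run: only the access time is inside the window
    FileRecord(r"C:\Windows\System32\config\software", RUN_START - timedelta(days=3),
               RUN_START + timedelta(minutes=5), RUN_START - timedelta(days=400)),
    # a file that pre-dates the run entirely: not reported
    FileRecord(r"C:\Temp\helper.exe", RUN_START - timedelta(hours=2),
               RUN_START - timedelta(hours=2), RUN_START - timedelta(hours=2)),
]


def integrity_report() -> dict:
    """Combine both checks the way a post-run check would."""
    return {"registry": diff_snapshots(BEFORE, AFTER),
            "mac_hits": mac_match(FILES, RUN_START, RUN_END)}


if __name__ == "__main__":
    report = integrity_report()
    for key in report["registry"]["added"]:
        print("key added:", key)
    for key, name, old, new in report["registry"]["changed"]:
        print(f"value changed: {key}\\{name}: {old!r} -> {new!r}")
    for path, flags in report["mac_hits"]:
        print(f"touched during run [{flags}]: {path}")
```

Everything the diff and the MAC filter report happened inside the run window; the examiner then decides which entries are the tool's own (the RPIER.log record, the hive access) and which are not accounted for by the collection and deserve follow-up.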

26 Installing RPIER
- RPIER is distributed as a ZIP file via http://rpier.sourceforge.net
- Unzip onto writable media of choice (USB Flash Drive, USB/Firewire External Hard Drive, Internal Hard Drive, etc.)
- Run RPIER.exe
- If online, RPIER will automatically check to ensure it is the latest version. The application can update itself from a secure source (SHA1 and MD5 checksum verified)
- Note: RPIER does not extend its footprint beyond the directory it is launched from unless otherwise specified in the Options screen
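The slide states that the self-update is SHA1 and MD5 checksum verified. The Python below is an added example, not RPIER's updater: it hashes a package once in chunks, compares both digests against values obtained from a trusted source with a constant-time comparison, and rejects the package if either digest is missing or does not match. The package bytes are constructed, and the "published" digests are simply computed from the known-good copy; a real check takes the expected values from the vendor's release page or a signed manifest, never from the download itself.

```python
"""Added example (not RPIER's updater): verify a downloaded package against
SHA1 and MD5 digests obtained from a trusted source, as the self-update on
the slide does.  Sample bytes below are constructed for illustration."""
import hashlib
import hmac
import io
from typing import BinaryIO, Dict, Tuple

REQUIRED_ALGORITHMS = ("sha1", "md5")


def file_digests(stream: BinaryIO, chunk_size: int = 64 * 1024) -> Dict[str, str]:
    """Hash a stream once, feeding every chunk to both SHA1 and MD5, so a
    large ZIP is read from disk only one time."""
    hashers = {name: hashlib.new(name) for name in REQUIRED_ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_bytes(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for in-memory data."""
    return file_digests(io.BytesIO(data))


def verify_package(stream: BinaryIO, published: Dict[str, str]) -> Tuple[bool, Dict[str, bool]]:
    """Return (ok, per-algorithm result).  Every required digest must be
    present and match; the comparison is constant-time."""
    actual = file_digests(stream)
    results = {}
    for name in REQUIRED_ALGORITHMS:
        expected = published.get(name)
        results[name] = expected is not None and hmac.compare_digest(
            actual[name].lower(), expected.strip().lower())
    return all(results.values()), results


# --- constructed sample data -------------------------------------------------
GOOD_PACKAGE = b"PK\x03\x04 constructed stand-in for an RPIER release ZIP " * 200
# In practice these come from the vendor's release page or a signed manifest;
# here they are computed from the known-good copy purely for the demonstration.
PUBLISHED = digests_of_bytes(GOOD_PACKAGE)
# A copy with one byte flipped, standing in for a corrupted or altered download.
CORRUPTED_PACKAGE = GOOD_PACKAGE[:100] + bytes([GOOD_PACKAGE[100] ^ 0x01]) + GOOD_PACKAGE[101:]


def check_good() -> bool:
    return verify_package(io.BytesIO(GOOD_PACKAGE), PUBLISHED)[0]


def check_corrupted() -> bool:
    return verify_package(io.BytesIO(CORRUPTED_PACKAGE), PUBLISHED)[0]


def check_missing_digest() -> bool:
    """A manifest that publishes only MD5 must be rejected, not half-accepted."""
    return verify_package(io.BytesIO(GOOD_PACKAGE), {"md5": PUBLISHED["md5"]})[0]


if __name__ == "__main__":
    print("known-good package accepted:", check_good())
    print("corrupted package accepted: ", check_corrupted())
    print("md5-only manifest accepted: ", check_missing_digest())
```

Requiring both digests matters because the slide names both: a manifest that silently lacks one of them should fail closed rather than pass on the other.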

27 Running RPIER
- Select the appropriate modules for the malware suspected
- Click the Run RPIER button
- If Online when running RPIER, the results should be automatically uploaded at the end of running the selected modules
- If Offline when running RPIER, you will need to later run RPIER when online and upload the results ZIP file
- NOTE: RPIER is designed to collect volatile state information from the target system. Do not disconnect, shut down, or alter the system state until after running RPIER unless directed to do so. Doing so may reduce the effectiveness of collecting malware samples.
