Intel® RPIER 3.1 User Training Joe Schwendt Steve Mancini 7/31/2006.

Slides:

Advertisements

Similar presentations

Administrator’s and User’s Guide for KillDisk

Advertisements

MAC OS X 10.5 Leopard. General requirements Mac computer with an Intel, PowerPC G5, or PowerPC G4 (867MHz or faster) processor Mac computer with an Intel,

Legal Meetings: Extended Instructions on Movica and Screencast.

17 Copyright © 2005, Oracle. All rights reserved. Deploying Applications by Using Java Web Start.

Reuel A. Morales (Sr. Security Analyst, APAC-RTL) APAC RTL Clean Tool v5.0 Solution.

3/17 Dividend Street, Mansfield, 4122, Queensland, Australia phone: web: The SuperCycler A Software.

Virtual Machine Import and Export

Module 1: Installing Windows XP Professional

An End-User Perspective On Using NatQuery Building a Datawarehouse T

5-9/12/2005 CPE How to format your computer and re-install Windows XP.

2.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 2: Installing Windows Server.

14.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

CN2140 Server II Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Chapter 2 Installing Windows Server 2003, Standard Edition.

MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 14 Server and Network Monitoring.

5.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.

Building a Deployment The following screens demonstrate how to: 1. Create a new OpenHRE™ tailor-made deployment using a remote (sample) deployment Standard.

Administrative Functions Certiport Offline Learning System 2.1 Administrative Functions © Certiport, Inc All Rights Reserved.

Hands-On Microsoft Windows Server 2008 Chapter 11 Server and Network Monitoring.

Sharepoint Portal Server Basics. Introduction Sharepoint server belongs to Microsoft family of servers Integrated suite of server capabilities Hosted.

Welcome To. Improving Remote File Transfer Speeds By The Solution For: %

Drivers Station 2010 Joe Ross Team /12/2009.

IT FORUM March 23, 2010 RoyalDrive Tony Gazoo Applications Administrator IT Development & Applications.

Digital Logic and State Machine Design Installing Xilinx WebPACK 12.4 CS 2204 Digital Hardware.

Installing and Using Relay Recorder. System Requirements for Windows Microsoft Windows 7 [32-bit or 64-bit] or Windows 8 Internal or external microphone.

How to discover ephemeral evidence with Live RAM analysis.

Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.

Thrive Installation.

Hands-On Microsoft Windows Server 2008

Tutorial 11 Installing, Updating, and Configuring Software

Hands-On Virtual Computing

Purpose Intended Audience and Presenter Contents Proposed Presentation Length Intended audience is all distributor partners and VARs Content may be customized.

Please Note: Information contained in this document is considered LENOVO CONFIDENTIAL For Lenovo Internal Use Only Do Not Copy or Distribute!! For Lenovo.

Maintaining File Services. Shadow Copies of Shared Folders Automatically retains copies of files on a server from specific points in time Prevents administrators.

Network Management Tool Amy Auburger. 2 Product Overview Made by Ipswitch Affordable alternative to expensive & complicated Network Management Systems.

Chapter 2 Working with Disks and Other Removable Media 2.

Implementing Hyper-V®

TATA Motors Limited Commercial Vehicles Business Unit TML CVBU eLearning Application Installation Guide for application installer and update patches.

Computer Emergency Notification System (CENS)

Module 1: Installing Microsoft Windows XP Professional.

Module 3 Configuring File Access and Printers on Windows ® 7 Clients.

Module 3 Configuring File Access and Printers on Windows 7 Clients.

Module 3: Configuring File Access and Printers on Windows 7 Clients

1 Copyright © 2015 Pexus LLC Patriot PS Personal Server Installing Patriot PS ISO Image on.

Your Digital Technology Briefcase My information…when and where I need it.

1 Computer Maintenance Software Configuration: Evaluating Software Packages, Software Licensing, and Computer Protection through the Installation and Maintenance.

Technology Requirements for Online Testing Training Module Copyright © 2014 American Institutes for Research. All rights reserved.

Module 12: Configuring and Managing Storage Technologies

2007 TAX YEARERO TRAINING - MODULE 61 ERO (Transmitter) Training Module 6 Federal and State Installation and Updates.

VirtualBox: How to create a Linux Virtual Machine.

Page 1 of 38 Lenovo Confidential Lenovo Confidential Lenovo Confidential Lenovo Confidential Lenovo Confidential Please Note: Information contained in.

Automating Installations by Using the Microsoft Windows 2000 Setup Manager Create setup scripts simply and easily. Create and modify answer files and UDFs.

Virtual Machines Module 2. Objectives Define virtual machine Define common terminology Identify advantages and disadvantages Determine what software is.

Summative Assessment Welcome We will wait a few minutes for participants to log on and call in. –Call in: –Pass code: *6 to.

Active-HDL Server Farm Course 11. All materials updated on: September 30, 2004 Outline 1.Introduction 2.Advantages 3.Requirements 4.Installation 5.Architecture.

Technology Requirements for Online Testing Training Module Copyright © 2014 American Institutes for Research. All rights reserved.

CACI Proprietary Information | Date 1 PD² v4.2 Increment 2 SR13 and FPDS Engine v3.5 Database Upgrade Name: Semarria Rosemond Title: Systems Analyst, Lead.

9 Copyright © 2004, Oracle. All rights reserved. Getting Started with Oracle Migration Workbench.

1 Remote Installation Service Windows 2003 Server Prof. Abdul Hameed.

Computer Maintenance Software Configuration: Evaluating Software Packages, Software Licensing, and Computer Protection through the Installation and Maintenance.

© 2002, Cisco Systems, Inc. All rights reserved.

Create setup scripts simply and easily.

Chapter 2: System Structures

BASICS 1 Windows XP.

Computer Maintenance Software Configuration: Evaluating Software Packages, Software Licensing, and Computer Protection through the Installation and Maintenance.

HC Hyper-V Module GUI Portal VPS Templates Web Console

TERMS AND CONDITIONS These PowerPoint slides are a tool for lecturers, and as such: YOU MAY add content to the slides, delete content from the slides,

Presentation transcript:

Intel® RPIER 3.1 User Training Joe Schwendt Steve Mancini 7/31/2006

What is RPIER Rapid Assessment & Potential Incident Examination Report Designed to acquire commonly requested information and samples during an information security event, incident, or investigation

How is RPIER used Run on suspect machines in unaltered state Collects potential malware samples loaded into memory Enumerates recent system changes Reports basic system configuration Exposes possible backdoors Enables some recreation of events Scans for known malware

RPIER System Requirements Windows NT based Operating System Support x86, EM64T or IPF architectures Must run from writable disk Results Directory must be able to accommodate the size of physical RAM x 1.5. Thus, if a machine has 2 GB of RAM, the Results directory must have 3 GB of free space (Only required for some modules)

RPIERs GUI Module Selection Area Modules can be selected individually Time to run and size of results for each module varies from machine to machine

RPIERs GUI Quick Select Scans Fast Scan should run in approximately 10 minutes Slow Scan can take up to 2 hours

RPIERs GUI Online Indicator Tests connection to RPIER server Server used for Version checking and Results Uploading

RPIERs GUI Description field Allows clear identification of reason for RPIER Run Included in notification and RPIER.log within the results

RPIERs GUI Run RPIER Runs Forensic pre- check (optional) Executes all selected modules Auto-ZIPs results (optional) Auto-uploads results (optional and requires online connection to server) Runs Forensic post- check (optional)

RPIERs GUI Help Contents Displays the RPIER Online Help file

RPIERs GUI Update Version Checks to see if the local copy of RPIER requires updating Prompts for updating if required

RPIERs GUI About Displays the About screen with version information

RPIERs GUI Run Performs same function as the Run RPIER Button

RPIERs GUI Open Results Directory Opens the results directory via Windows Explorer

RPIERs GUI Upload Results Allows for uploading results ZIP file at a later time Enabled only when Online Useful for uploading results after having been Offline

RPIERs GUI Quick Select Scans Clear All Selections Fast Scan should run in approximately 10 minutes Slow Scan can take up to 2 hours All Scan can take over 3 hours and should only be enabled on special request

RPIERs GUI Options Displays the Options Screen

RPIERs GUI Module Directory The top level directory to find modules Should not need to be changed save for a custom developed module set Defaults to the Modules directory where the RPIER.exe is located

RPIERs GUI Results Directory The top level directory to output results to Must be writeable Defaults to the Results directory where the RPIER.exe is located

RPIERs GUI Auto-Zip Results Results directory is compressed using standard ZIP compression Enabled by default Typically reduces results by a factor of 10 (150 MB of results becomes a 15 MB ZIP file)

RPIERs GUI Auto-Upload Results Results ZIP file is uploaded to the central RPIER results repository Only enable-able if Auto-Zip is enabled Only enable-able if Online If Online, enabled by default

RPIERs GUI Zip Filename Name of the ZIP file that will be generated

RPIERs GUI Upload URL URL to upload the results to This URL needs to be writable but not readable

RPIERs GUI Process Priority Allows RPIER to run with higher or lower than normal process affinity settings Facilitates running with low priority when launched silently down the wire

RPIERs GUI Forensic Integrity Check Enables a pre and post snapshot of the registry Enables post run of MACMatch over the time it took to execute all of the modules Adds ~10 minutes to the execution time

Installing RPIER RPIER is distributed as a ZIP file via Unzip onto writable media of choice (USB Flash Drive, USB/Firewire External Hard Drive, Internal Hard Drive, etc.) Run RPIER.exe If online, RPIER will automatically check to ensure it is the latest version. The application features the ability to update itself from a secure source (SHA1 and MD5 checksum verified) Note: RPIER does not extend its footprint beyond the directory it is launched from unless otherwise specified in the options screen

Running RPIER Select the appropriate modules for the malware suspected Click Run RPIER button If Online when running RPIER, the results should be automatically uploaded at the end of running the selected modules If Offline when running RPIER, you will need to later run RPIER when online and upload the results ZIP file. NOTE: RPIER is designed to collect volatile state information from the target system. Do not disconnect, shutdown, or alter the system state until after running RPIER unless directed to do so. This may alter the effectiveness of collecting malware samples.