Intel® RPIER 3.1 User Training Joe Schwendt Steve Mancini 7/31/2006
Page 1

Intel® RPIER 3.1 User Training

Joe Schwendt, Steve Mancini

7/31/2006

Page 2

What is RPIER

• Rapid Assessment & Potential Incident Examination Report

• Designed to acquire commonly requested information and samples during an information security event, incident, or investigation

Page 3

How is RPIER used

• Run on suspect machines in unaltered state
• Collects potential malware samples loaded into memory
• Enumerates recent system changes
• Reports basic system configuration
• Exposes possible backdoors
• Enables some recreation of events
• Scans for known malware

Page 4

RPIER System Requirements

• Windows NT based Operating System
• Supports x86, EM64T or IPF architectures
• Must run from writable disk
• Results Directory must be able to accommodate the size of physical RAM x 1.5. Thus, if a machine has 2 GB of RAM, the Results directory must have 3 GB of free space (only required for some modules)

Page 5

RPIER’s GUI

Module Selection Area
• Modules can be selected individually
• Time to run and size of results for each module varies from machine to machine

Page 6

RPIER’s GUI

Quick Select Scans
• Fast Scan should run in approximately 10 minutes
• Slow Scan can take up to 2 hours

Page 7

RPIER’s GUI

Online Indicator
• Tests the connection to the RPIER server
• The server is used for version checking and results uploading

Page 8

RPIER’s GUI

Description field
• Allows clear identification of the reason for the RPIER run
• Included in the notification email and in RPIER.log within the results

Page 9

RPIER’s GUI

Run RPIER
• Runs Forensic pre-check (optional)
• Executes all selected modules
• Auto-ZIPs results (optional)
• Auto-uploads results (optional; requires an online connection to the server)
• Runs Forensic post-check (optional)

Page 10

RPIER’s GUI

Help Contents
• Displays the RPIER Online Help file

Page 11

RPIER’s GUI

Update Version
• Checks to see if the local copy of RPIER requires updating
• Prompts for updating if required

Page 12

RPIER’s GUI

About
• Displays the About screen with version information

Page 13

RPIER’s GUI

Run
• Performs the same function as the Run RPIER button

Page 14

RPIER’s GUI

Open Results Directory
• Opens the results directory in Windows Explorer

Page 15

RPIER’s GUI

Upload Results
• Allows uploading the results ZIP file at a later time
• Enabled only when Online
• Useful for uploading results after having been Offline

Page 16

RPIER’s GUI

Quick Select Scans
• Clear All Selections
• Fast Scan should run in approximately 10 minutes
• Slow Scan can take up to 2 hours
• All Scan can take over 3 hours and should only be enabled on special request

Page 17

RPIER’s GUI

Options
• Displays the Options screen

Page 18

RPIER’s GUI

Module Directory
• The top-level directory in which to find modules
• Should not need to be changed, except for a custom-developed module set
• Defaults to the Modules directory where RPIER.exe is located

Page 19

RPIER’s GUI

Results Directory
• The top-level directory to which results are written
• Must be writable
• Defaults to the Results directory where RPIER.exe is located

Page 20

RPIER’s GUI

Auto-Zip Results
• The results directory is compressed using standard ZIP compression
• Enabled by default
• Typically reduces results by a factor of 10 (150 MB of results becomes a 15 MB ZIP file)

Page 21

RPIER’s GUI

Auto-Upload Results
• The results ZIP file is uploaded to the central RPIER results repository
• Can only be enabled if Auto-Zip is enabled
• Can only be enabled if Online
• If Online, enabled by default

Page 22

RPIER’s GUI

Zip Filename
• Name of the ZIP file that will be generated

Page 23

RPIER’s GUI

Upload URL
• URL to upload the results to
• This URL needs to be writable but not readable

Page 24

RPIER’s GUI

Process Priority
• Allows RPIER to run with higher or lower than normal process affinity settings
• Facilitates running with low priority when launched silently down the wire

Page 25

RPIER’s GUI

Forensic Integrity Check
• Enables a pre and post snapshot of the registry
• Enables a post-run of MACMatch over the time it took to execute all of the modules
• Adds ~10 minutes to the execution time
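As an added illustration of what the file-system half of this check is for (this is not RPIER code and it does not invoke MACMatch or export the registry): the snippet below snapshots the M/A/C timestamps of a directory tree before and after a collection run, diffs the two snapshots, and then answers the MACMatch-style question of which files carry a timestamp inside the run window, so the examiner can separate the collector's own footprint from the evidence. The `MacTimes` type, the function names and the temporary directory used in the demo are assumptions of the example.

```python
"""Added example of a file-system forensic integrity check: snapshot M/A/C
timestamps before and after a collection run, diff the snapshots, and list the
files carrying a timestamp inside the run window (a MACMatch-style query).
This is not RPIER code; the registry half of the slide's check is not covered."""
import os
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class MacTimes:
    mtime: float  # last write of file content
    atime: float  # last read
    ctime: float  # inode/metadata change on POSIX; creation time on Windows


Snapshot = Dict[str, MacTimes]  # path relative to the snapshot root -> timestamps


def snapshot_tree(root: str) -> Snapshot:
    """Record the M/A/C times of every regular file below root."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            snap[os.path.relpath(full, root)] = MacTimes(st.st_mtime, st.st_atime, st.st_ctime)
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Paths that appeared, disappeared, or changed any timestamp between the snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in common if before[p] != after[p]),
    }


def mac_in_window(snap: Snapshot, start: float, end: float) -> List[Tuple[str, str]]:
    """(path, 'm'|'a'|'c') pairs whose timestamp falls in [start, end], in path order."""
    hits: List[Tuple[str, str]] = []
    for path in sorted(snap):
        t = snap[path]
        for label, value in (("m", t.mtime), ("a", t.atime), ("c", t.ctime)):
            if start <= value <= end:
                hits.append((path, label))
    return hits


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as root:
        # Constructed "evidence" that exists before the run.
        with open(os.path.join(root, "evidence.txt"), "w") as f:
            f.write("pre-existing file\n")
        before = snapshot_tree(root)
        start = time.time()
        # Simulated collector side effect: it writes its own log next to the evidence.
        with open(os.path.join(root, "RPIER.log"), "w") as f:
            f.write("constructed log line\n")
        end = time.time()
        after = snapshot_tree(root)
        print("diff:", diff_snapshots(before, after))
        print("touched in window:", mac_in_window(after, start - 1, end + 1))
```

Run stand-alone, the demo builds a temporary tree, writes one file during the simulated run and prints both reports. In a real check the snapshots would be taken over the target's volumes and the window would be the Run RPIER start and end times; the one-second padding around the window allows for file systems that store timestamps at coarse resolution.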

Page 26

Installing RPIER

• RPIER is distributed as a ZIP file via http://rpier.sourceforge.net

• Unzip onto writable media of choice (USB Flash Drive, USB/Firewire External Hard Drive, Internal Hard Drive, etc.)

• Run RPIER.exe
• If online, RPIER will automatically check to ensure it is the latest version. The application features the ability to update itself from a secure source (SHA1 and MD5 checksum verified)

• Note: RPIER does not extend its footprint beyond the directory it is launched from unless otherwise specified in the options screen
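The checksum-verified self-update mentioned above, as an added example rather than RPIER's own updater: an update package is accepted only when its SHA1 and MD5 digests match values obtained separately from a trusted source, and it is unpacked only after that check passes. The package contents, the manifest shape and the function names are constructed for this example.

```python
"""Added example: accept an update package only when its SHA1 and MD5
checksums match values obtained from a trusted source. Not RPIER's code."""
import hashlib
import hmac
import io
import zipfile
from typing import Dict, List


class UpdateRejected(Exception):
    """Raised when a package must not be installed."""


def digests(data: bytes) -> Dict[str, str]:
    """Hex SHA1 and MD5 of the package bytes (the two algorithms the slide names)."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify_update(package: bytes, expected: Dict[str, str]) -> bool:
    """True only if every checksum in the manifest matches the package.

    The manifest must come from a channel the download host cannot write to;
    a checksum served next to the file only detects corruption, not substitution.
    """
    if not expected:
        return False  # an empty manifest verifies nothing
    actual = digests(package)
    for algo, want in expected.items():
        if algo not in actual:
            raise UpdateRejected(f"unsupported checksum algorithm {algo!r}")
        # Constant-time comparison so a mismatch position is not timing-visible.
        if not hmac.compare_digest(actual[algo], want.lower()):
            return False
    return True


def apply_update(package: bytes, expected: Dict[str, str], dest_dir: str) -> List[str]:
    """Verify, then unpack the ZIP into dest_dir; returns the member names written."""
    if not verify_update(package, expected):
        raise UpdateRejected("checksum mismatch; update not applied")
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = zf.namelist()
        zf.extractall(dest_dir)
    return names


def build_constructed_package() -> bytes:
    """A tiny in-memory ZIP standing in for a downloaded update (constructed, deterministic)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("Modules/README.txt", date_time=(2006, 7, 31, 0, 0, 0))
        zf.writestr(info, "constructed module file\n")
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile

    pkg = build_constructed_package()
    manifest = digests(pkg)  # stands in for checksums fetched out of band
    with tempfile.TemporaryDirectory() as dest:
        print("installed:", apply_update(pkg, manifest, dest))
    print("tampered package verifies:", verify_update(pkg + b"\x00", manifest))
```

Two design points carry over to any updater of this kind: the digests must be fetched over a path separate from the package itself (here they are simply computed from the constructed package in the demo), and the comparison refuses rather than skips when the manifest is empty or names an algorithm the verifier does not implement.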

Page 27

Running RPIER

• Select the appropriate modules for the malware suspected
• Click the Run RPIER button
• If Online when running RPIER, the results should be automatically uploaded at the end of running the selected modules

• If Offline when running RPIER, you will need to later run RPIER when online and upload the results ZIP file.

• NOTE: RPIER is designed to collect volatile state information from the target system. Do not disconnect, shutdown, or alter the system state until after running RPIER unless directed to do so. This may alter the effectiveness of collecting malware samples.