Intel® RPIER 3.1 User Training
Joe Schwendt, Steve Mancini
7/31/2006
Mar 26, 2015
What is RPIER
• Rapid Assessment & Potential Incident Examination Report
• Designed to acquire commonly requested information and samples during an information security event, incident, or investigation
How is RPIER used
• Run on suspect machines in unaltered state
• Collects potential malware samples loaded into memory
• Enumerates recent system changes
• Reports basic system configuration
• Exposes possible backdoors
• Enables some recreation of events
• Scans for known malware
RPIER System Requirements
• Windows NT based Operating System
• Supports x86, EM64T or IPF architectures
• Must run from writable disk
• Results Directory must be able to accommodate the size of physical RAM x 1.5. Thus, if a machine has 2 GB of RAM, the Results directory must have 3 GB of free space (only required for some modules)
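The two requirements above (writable disk, free space of at least 1.5 x physical RAM) are easy to get wrong on a suspect machine whose disk is already full of whatever the incident left behind. The following pre-flight check is an added example, not part of RPIER: it computes the required space from the machine's RAM, reads the free space of the volume holding the results directory, and proves writability with a real file create rather than trusting `os.access()`. The `physical_ram_bytes_windows` helper, the `Results` default path and the non-Windows 2 GB fallback are this example's own assumptions.

```python
"""Added pre-flight check for the RPIER results directory (example code, not
part of RPIER): the directory must be writable and must have free space of at
least 1.5 x physical RAM. The RAM helper and fallback value are assumptions."""
import os
import shutil
import sys
import tempfile
from typing import Optional

RAM_MULTIPLIER = 1.5  # requirement from the slide: results dir >= RAM x 1.5


def required_free_bytes(physical_ram_bytes: int) -> int:
    """Free space the results directory needs for this much physical RAM."""
    return int(physical_ram_bytes * RAM_MULTIPLIER)


def is_writable_dir(path: str) -> bool:
    """Try a real file create: os.access() can report writable for read-only
    media or some network shares, and RPIER must run from writable disk."""
    try:
        fd, name = tempfile.mkstemp(prefix=".rpier_wtest_", dir=path)
    except OSError:
        return False
    os.close(fd)
    os.unlink(name)
    return True


def check_results_dir(path: str, physical_ram_bytes: int,
                      free_bytes: Optional[int] = None) -> dict:
    """Verdict for a results directory. free_bytes may be injected (tests);
    otherwise it is read from the volume that holds `path`."""
    if free_bytes is None:
        free_bytes = shutil.disk_usage(path).free
    need = required_free_bytes(physical_ram_bytes)
    return {
        "required_bytes": need,
        "free_bytes": free_bytes,
        "enough_space": free_bytes >= need,
        "writable": is_writable_dir(path),
    }


def physical_ram_bytes_windows() -> int:
    """Physical RAM via the Win32 GlobalMemoryStatusEx call (Windows only)."""
    import ctypes

    class MEMORYSTATUSEX(ctypes.Structure):
        _fields_ = [("dwLength", ctypes.c_ulong), ("dwMemoryLoad", ctypes.c_ulong),
                    ("ullTotalPhys", ctypes.c_ulonglong), ("ullAvailPhys", ctypes.c_ulonglong),
                    ("ullTotalPageFile", ctypes.c_ulonglong), ("ullAvailPageFile", ctypes.c_ulonglong),
                    ("ullTotalVirtual", ctypes.c_ulonglong), ("ullAvailVirtual", ctypes.c_ulonglong),
                    ("ullAvailExtendedVirtual", ctypes.c_ulonglong)]

    stat = MEMORYSTATUSEX()
    stat.dwLength = ctypes.sizeof(MEMORYSTATUSEX)
    if not ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(stat)):
        raise OSError("GlobalMemoryStatusEx failed")
    return stat.ullTotalPhys


if __name__ == "__main__":
    results_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    if sys.platform == "win32":
        ram = physical_ram_bytes_windows()
    else:
        ram = 2 * 1024 ** 3  # constructed fallback: assume 2 GB when not on Windows
    verdict = check_results_dir(results_dir, ram)
    print(verdict)
    sys.exit(0 if verdict["enough_space"] and verdict["writable"] else 1)
```

Run it with the intended results directory as the first argument before launching RPIER.exe; a non-zero exit means the run would either fail part-way through a memory-sized module or fail to write at all.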
RPIER’s GUI
Module Selection Area
• Modules can be selected individually
• Time to run and size of results for each module varies from machine to machine
Quick Select Scans
• Fast Scan should run in approximately 10 minutes
• Slow Scan can take up to 2 hours
Online Indicator
• Tests connection to RPIER server
• Server used for version checking and results uploading
Description field
• Allows clear identification of the reason for the RPIER run
• Included in notification email and RPIER.log within the results
Run RPIER
• Runs Forensic pre-check (optional)
• Executes all selected modules
• Auto-ZIPs results (optional)
• Auto-uploads results (optional and requires online connection to server)
• Runs Forensic post-check (optional)
Help Contents
• Displays the RPIER Online Help file
Update Version
• Checks to see if the local copy of RPIER requires updating
• Prompts for updating if required
About
• Displays the About screen with version information
Run
• Performs the same function as the Run RPIER button
Open Results Directory
• Opens the results directory via Windows Explorer
Upload Results
• Allows for uploading the results ZIP file at a later time
• Enabled only when Online
• Useful for uploading results after having been Offline
Quick Select Scans
• Clear All Selections
• Fast Scan should run in approximately 10 minutes
• Slow Scan can take up to 2 hours
• All Scan can take over 3 hours and should only be enabled on special request
Options
• Displays the Options Screen
Module Directory
• The top level directory in which to find modules
• Should not need to be changed except for a custom developed module set
• Defaults to the Modules directory where RPIER.exe is located
Results Directory
• The top level directory to output results to
• Must be writable
• Defaults to the Results directory where RPIER.exe is located
Auto-Zip Results
• Results directory is compressed using standard ZIP compression
• Enabled by default
• Typically reduces results by a factor of 10 (150 MB of results becomes a 15 MB ZIP file)
Auto-Upload Results
• Results ZIP file is uploaded to the central RPIER results repository
• Can only be enabled if Auto-Zip is enabled
• Can only be enabled if Online
• If Online, enabled by default
Zip Filename
• Name of the ZIP file that will be generated
Upload URL
• URL to upload the results to
• This URL needs to be writable but not readable
Process Priority
• Allows RPIER to run with higher or lower than normal process affinity settings
• Facilitates running with low priority when launched silently down the wire
Forensic Integrity Check
• Enables a pre and post snapshot of the registry
• Enables a post-run of MACMatch over the time it took to execute all of the modules
• Adds ~10 minutes to the execution time
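The Forensic Integrity Check exists so the analyst can separate changes the collector itself made from changes made by something else while it ran. The example below is added here and is not RPIER's or MACMatch's code: it diffs a registry snapshot taken before the run against one taken after, lists files with a Modified/Accessed/Created timestamp inside the run window, and splits those into the tool's own expected footprint (paths under its launch directory, which the Installing slide says is the only place RPIER writes by default) and everything else. The snapshot format, every key, path and timestamp, and the `E:\RPIER` launch directory are constructed for illustration.

```python
"""Added example of what a pre/post integrity check surfaces (not RPIER's or
MACMatch's code). All registry keys, file paths and timestamps below are
constructed sample data, not observations from a real system."""
from datetime import datetime, timedelta


def diff_snapshots(before: dict, after: dict) -> dict:
    """Diff two {value_path: data} registry snapshots taken before and after a run."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k])
               for k in before.keys() & after.keys() if before[k] != after[k]}
    return {"added": added, "removed": removed, "changed": changed}


def mac_hits(records, start: datetime, end: datetime):
    """records: iterable of (path, mtime, atime, ctime). Returns [(path, letters)]
    for every file with at least one timestamp inside [start, end], where
    letters says which of M, A, C fell in the window (MACMatch-style output)."""
    hits = []
    for path, mtime, atime, ctime in records:
        which = "".join(name for name, ts in (("M", mtime), ("A", atime), ("C", ctime))
                        if start <= ts <= end)
        if which:
            hits.append((path, which))
    return hits


def split_footprint(hits, tool_dir: str):
    """Paths under tool_dir are the collector's expected footprint; the rest were
    touched by something else during the window and need analyst review."""
    prefix = tool_dir.lower().rstrip("\\") + "\\"
    expected = [h for h in hits if h[0].lower().startswith(prefix)]
    review = [h for h in hits if not h[0].lower().startswith(prefix)]
    return expected, review


# --- constructed sample data (not from a real system) ---
RUN_START = datetime(2006, 7, 31, 10, 0, 0)
RUN_END = RUN_START + timedelta(minutes=45)   # time the selected modules took
TOOL_DIR = r"E:\RPIER"                         # assumed launch directory
REG_BEFORE = {
    r"HKLM\Software\Example\Run\Updater": r"C:\Program Files\Example\upd.exe",
    r"HKLM\Software\Example\Settings\Level": "1",
}
REG_AFTER = {
    r"HKLM\Software\Example\Run\Updater": r"C:\Program Files\Example\upd.exe",
    r"HKLM\Software\Example\Settings\Level": "2",
    r"HKLM\Software\Example\Run\helper": r"C:\Windows\Temp\helper.exe",
}
FILES = [
    # (path, mtime, atime, ctime)
    (r"E:\RPIER\Results\RPIER.log", RUN_START + timedelta(minutes=40),
     RUN_START + timedelta(minutes=40), RUN_START + timedelta(minutes=1)),
    (r"C:\Windows\Temp\helper.exe", RUN_START + timedelta(minutes=12),
     RUN_START + timedelta(minutes=12), RUN_START + timedelta(minutes=12)),
    (r"C:\Windows\notepad.exe", datetime(2004, 8, 4),
     RUN_START + timedelta(minutes=3), datetime(2004, 8, 4)),
    (r"C:\Docs\old.txt", datetime(2005, 1, 1), datetime(2005, 1, 1), datetime(2005, 1, 1)),
]


def run_check():
    """Registry diff plus MAC hits split into expected footprint and items to review."""
    reg = diff_snapshots(REG_BEFORE, REG_AFTER)
    expected, review = split_footprint(mac_hits(FILES, RUN_START, RUN_END), TOOL_DIR)
    return reg, expected, review


if __name__ == "__main__":
    reg, expected, review = run_check()
    print("registry added:", reg["added"])
    print("registry changed:", reg["changed"])
    print("tool footprint:", expected)
    print("needs review:", review)
```

On the constructed data the only file in the tool's footprint is its own log; the executable that appeared in `Temp` during the window, together with the new autostart value pointing at it, is exactly the kind of finding the pre/post check is meant to make visible, and the read-only access hit on `notepad.exe` shows why the `A` timestamp alone is weak evidence (the collector's own enumeration updates access times).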
Installing RPIER
• RPIER is distributed as a ZIP file via http://rpier.sourceforge.net
• Unzip onto writable media of choice (USB Flash Drive, USB/Firewire External Hard Drive, Internal Hard Drive, etc.)
• Run RPIER.exe
• If online, RPIER will automatically check to ensure it is the latest version. The application features the ability to update itself from a secure source (SHA1 and MD5 checksum verified)
• Note: RPIER does not extend its footprint beyond the directory it is launched from unless otherwise specified in the options screen
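The self-update step above only protects you if a mismatching checksum actually stops the install. The following is an added example of that check and not RPIER's own updater code: the downloaded bytes are accepted only when both the SHA1 and MD5 digests equal the values published by the trusted source, and the file is moved into place only after the check passes. The payload, the published digest dictionary and the `RPIER.exe` destination name are constructed for this example.

```python
"""Added example of a checksum-gated self-update (not RPIER's own updater).
The update payload and its 'published' checksums are constructed here."""
import hashlib
import hmac
import os
import tempfile

ALGORITHMS = ("sha1", "md5")  # the two digests the slide says RPIER verifies


def digests(data: bytes) -> dict:
    """Hex digest of the update bytes for each required algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def verify_update(data: bytes, published: dict) -> bool:
    """True only if every required digest is present and matches.
    hmac.compare_digest keeps the comparison constant-time."""
    actual = digests(data)
    for name in ALGORITHMS:
        expected = published.get(name)
        if expected is None:
            return False  # a missing published digest is a failure, not a pass
        if not hmac.compare_digest(actual[name], expected.lower()):
            return False
    return True


def install_update(data: bytes, published: dict, dest_path: str) -> bool:
    """Verify first; then write to a temp file beside dest_path and atomically
    replace it. On any mismatch dest_path is left untouched and False returned."""
    if not verify_update(data, published):
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest_path)))
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.replace(tmp, dest_path)
    return True


# constructed sample: stands in for a downloaded RPIER.exe and its published checksums
SAMPLE_UPDATE = b"RPIER 3.1 update payload (constructed sample)"
PUBLISHED = digests(SAMPLE_UPDATE)  # what the trusted source would publish


def demo_install() -> bool:
    """Round-trip: install the sample into a temp dir and confirm the bytes on
    disk still verify against the published digests."""
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "RPIER.exe")
        if not install_update(SAMPLE_UPDATE, PUBLISHED, dest):
            return False
        with open(dest, "rb") as f:
            return verify_update(f.read(), PUBLISHED)


if __name__ == "__main__":
    print("genuine:", verify_update(SAMPLE_UPDATE, PUBLISHED))
    print("tampered:", verify_update(SAMPLE_UPDATE + b"x", PUBLISHED))
    print("installed and re-verified:", demo_install())
```

Both SHA1 and MD5 have known collision attacks today, so requiring both raises the bar only modestly; a current deployment of the same idea would publish a SHA-256 digest or a signature and fetch it over an authenticated channel. The procedure the slide describes, obtain from a trusted source and verify before anything is replaced, is unchanged.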
Running RPIER
• Select the appropriate modules for the malware suspected
• Click the Run RPIER button
• If Online when running RPIER, the results should be automatically uploaded at the end of running the selected modules
• If Offline when running RPIER, you will need to later run RPIER when online and upload the results ZIP file.
• NOTE: RPIER is designed to collect volatile state information from the target system. Do not disconnect, shutdown, or alter the system state until after running RPIER unless directed to do so. This may alter the effectiveness of collecting malware samples.