TAPIR

TAPIR (Trustable Artifacts Parser for Incident Response) is a multi-user, client/server, incident response framework based on the TAP project.

TAPIR is in beta and is not yet ready for production use: in this version SSL is not activated by default, and the local plugin can access any file on the server. We recommend running it on a local or private network only, and changing the default API key in the config file or in the environment variable.

Download & installation

A Debian/Ubuntu package and a Windows binary are available here.

To install on Debian or Ubuntu:

sudo dpkg -i tapir_0.1.0_amd64.deb

Documentation

Building

To compile it you need to have cargo installed.

Then:

cargo build --release

The generated binary will be available in:

target/release/tapir

Build features

The TAPIR build supports several optional features.

To compile with a feature, for example yara:

cargo build --release --features=yara

To compile with multiple features, for example yara and device:

cargo build --release --features=yara,device

Building with integrated frontend using TAPIR-Workspace

TAPIR-Workspace is a git repository that includes all available TAP repositories as submodules.

You will also need cargo and npm installed.

git clone https://github.com/tap-ir/tapir-ws.git
cd tapir-ws
git submodule update --init --recursive
git submodule foreach git checkout main
cd tapir-frontend
npm install --legacy-peer-deps
npm run build
cd ..
TAPIR_FRONTEND_BUILD_PATH=$PWD/tapir-frontend/build  cargo run --release --features=frontend --bin tapir

The binary with the integrated frontend will be generated in target/release/tapir.

Building with integrated frontend

Check out TAPIR-Frontend in another directory:

git clone https://github.com/tap-ir/tapir-frontend.git
cd tapir-frontend
npm install --legacy-peer-deps
npm run build

Go back to the TAPIR directory and set the TAPIR_FRONTEND_BUILD_PATH environment variable to the path of the TAPIR-Frontend directory:

TAPIR_FRONTEND_BUILD_PATH=path_to_tapir_frontend cargo build --release --features=frontend

Generating code documentation

To generate the developer documentation, run:

cargo doc

The documentation will be generated in target/doc/tapir.

Running

Running from binary

To run TAPIR from the binary, the configuration file tapir.toml must be in the directory the binary is run from.

Running from TAPIR cloned repository

cargo run --release

Running with logging information

To display logging information on the console, the environment variable RUST_LOG must be set to warn or info, depending on the level of detail you want displayed.

On Linux or Mac OS X:

RUST_LOG=info ./tapir

Or, if running from the source with cargo:

RUST_LOG=info cargo run --release

Usage

USAGE:
    tapir [OPTIONS]

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
    -a, --address <ADDRESS>    Listening address & port
    -c, --config <FILE>        Custom config file
    -k, --apikey <APIKEY>      API key
    -u, --upload <UPLOAD>      Path to the upload directory

When running with cargo, arguments for tapir must be passed after --, which ends cargo's own command line:

cargo run --release --features=frontend --bin tapir -- --help

Configuration

You can pass the configuration for TAPIR with the --config or -c argument. The configuration file looks like this:

address = "0.0.0.0:3583"
upload = "./upload"
api_key = "key"

You can specify the address and port used by the server, the API key used to access the server, the directory where you want files to be uploaded, and a directory from which files will be loaded by default.

These variables can also be set in the environment:

TAPIR_ADDRESS : Listening address & port
TAPIR_UPLOAD : Path to the upload directory
TAPIR_APIKEY : API key

TAPIR looks first for an environment variable, then, if it is not found, for the variable in the config file, and finally for the default value.

The default values are:

config : "tapir.toml"
address : "127.0.0.1:3583"
upload : "./upload"
apikey : "key"
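The precedence above (environment variable, then config file, then default) in working code, with the two pre-start checks the beta warning calls for. This is an added example, not TAPIR's own config loader: the Settings struct, the minimal `key = "value"` reader and the warnings function are assumptions written for this illustration.

```rust
use std::collections::HashMap;

/// Effective server settings (assumed struct for this example, not a TAPIR type).
#[derive(Debug, PartialEq)]
pub struct Settings {
    pub address: String,
    pub upload: String,
    pub api_key: String,
}
/// Read the `key = "value"` lines of tapir.toml (minimal subset, not a full TOML parser).
pub fn parse_config(text: &str) -> HashMap<String, String> {
    let mut map = HashMap::new();
    for line in text.lines() {
        let line = line.trim();
        if line.is_empty() || line.starts_with('#') { continue; }
        if let Some((key, value)) = line.split_once('=') {
            map.insert(key.trim().to_string(), value.trim().trim_matches('"').to_string());
        }
    }
    map
}
/// Apply the documented precedence: environment variable, then config file, then default.
pub fn effective_settings(env: &HashMap<String, String>, config_text: &str) -> Settings {
    let config = parse_config(config_text);
    let pick = |env_key: &str, key: &str, default: &str| -> String {
        env.get(env_key).or_else(|| config.get(key)).cloned().unwrap_or_else(|| default.to_string())
    };
    Settings {
        address: pick("TAPIR_ADDRESS", "address", "127.0.0.1:3583"),
        upload: pick("TAPIR_UPLOAD", "upload", "./upload"),
        api_key: pick("TAPIR_APIKEY", "api_key", "key"),
    }
}
/// Pre-start checks for a beta build with SSL off: default API key, non-loopback bind.
pub fn warnings(s: &Settings) -> Vec<String> {
    let mut w = Vec::new();
    if s.api_key == "key" { w.push("api_key is still the default \"key\"".to_string()); }
    if !s.address.starts_with("127.0.0.1:") {
        w.push(format!("address {} is reachable beyond loopback while SSL is off", s.address));
    }
    w
}

fn main() {
    // Constructed sample: the documented config file plus one environment override.
    let config = "address = \"0.0.0.0:3583\"\nupload = \"./upload\"\napi_key = \"key\"\n";
    let env = HashMap::from([("TAPIR_APIKEY".to_string(), "a-long-random-secret".to_string())]);
    let s = effective_settings(&env, config);
    println!("{:?}\nwarnings: {:?}", s, warnings(&s));
}
```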

Plugins

TAPIR is part of the TAP project, and the file types it supports are the same as those of the TAP project (when a new parser plugin is added to TAP, TAPIR is updated to include it).

At the time of writing, these are the plugins included in TAPIR by default or via the features flag:

Name       Category     Description
local      Input        Load files or directory from the filesystem
exif       Metadata     Extract EXIF info from file
hash       Metadata     Hash file attribute
s3         Input        Load files from a s3 server
merge      Util         Merge files into one file
ntfs       File system  Read and parse NTFS filesystem
mft        File system  Read and parse MFT file
magic      Metadata     Detect magic and file data compatible with plugins
prefetch   Windows      Parse prefetch file
partition  Volume       Parse MBR & GPT partition
lnk        Windows      Parse lnk file
evtx       Windows      Parse evtx file
registry   Windows      Parse registry file
clamav     Malware      Scan file content with ClamAV
device     Input        Mount a device
yara       Malware      Scan file content with Yara

Help

To discuss the project and ask questions, join our Discord server!

License

The contents of this repository are available under the GPLv3 license.