Saturday, August 30, 2008

RegRipper News and Mentions

I'm never really sure who's using RegRipper and how they're using it, or how they'd like to use it. However, getting input or feedback from the folks using it inevitably leads to making RegRipper a better tool.

James E. Martin mentioned RegRipper in his Detection of Data Hiding in Computer Forensics presentation. In the presentation, Mr. Martin demonstrated the use of RegRipper to extract USB device information from a System hive file.

I was recently discussing the issue of presenting USB data from multiple systems in an easy-to-view and -manage manner using RegRipper with another examiner. RR is a GUI tool that parses one file at a time...however, rip.exe comes along with it (another user recently contacted me and informed me that he made a couple of minor modifications and now runs rip.pl on Linux) and is a command line interface (CLI) tool that is easy to automate via a batch file. In order to provide something useful to the examiner, I opened up the usbstor.pl plugin, and within minutes made some minor modifications so that the output was .csv format. I then added the code from the mountdev.pl plugin to map USB removeable storage devices to a drive letter, if the information is available. Finally, I added the code from the compname.pl plugin to extract the name of the system from the System hive file...if you're running this across multiple hive files, you will need a way to differentiate the various systems in your output.

So, the resulting plugin, which took all of maybe 30 minutes to create, tweak and test can be run via rip.exe like so:

C:\Perl\forensics\rr>rip -r d:\cases\system -p usbstor2

The output for this System hive file looks like:

PETER,Disk&Ven_&Prod_USB_DISK&Rev_1.13,0738015025AC&0,
1127776426,USB DISK USB Device,
7&2713a8a1&0,\DosDevices\E:


So, the output is:

- System name
- Device class ID
- Serial Number
- LastWrite time from the unique ID key, 'normalized' to Unix time
- The "FriendlyName" value from the unique ID key
- The ParentIdPrefix value, if available
- The DosDevice listed in the MountedDevices key, if the ParentIdPrefix value exists

So, to run this against multiple System hive files, simply create a batch file that contains lines that look like this:

C:\Perl\forensics\rr>rip -r System -p usbstor2 >> usbstor.csv

Once you run this, the usbstor.csv file can be opened in Excel and you can quickly and easily determine devices that were connected to multiple systems, etc.

This just shows you how easy-to-use and flexible this tool set is. To see even more, don't miss the SANS Forensic Summit, where I'll be discussing Registry analysis and demonstrating these tools, as well as something else very special!

9 comments:

Anonymous said...

Harlan, will you be distributing this new plug-ins as you create them? This one in particular. Seems I’m getting much work related to USB devices lately. The easier to read and dissect the better. Regards, Brian.

Keydet89 said...

Brian,

I need to find an efficient way of doing so...any suggestions?

Anonymous said...

Can u set up an FTP site for us to access?

Keydet89 said...

Love to...know of anyway to do that?

hogfly said...

Doesn't Sourceforge have cvs branches you can use?

Keydet89 said...

Hogfly...not sure, but to be honest, SF isn't the easiest to use.

Maybe the way to do it is to create different packages just for the plugins themselves, and upload those each month (unless there are no updates...many of the updates I've done come from input from the field...)

Keydet89 said...

For speed of posting, as well as posting small files (plugins) frequently, what do you think of the Win4N6 Group on Yahoo?

Anonymous said...

Are you able to upload them into this blog so we can download them via http ?

Keydet89 said...

Anonymous,

I can link to things, but so far, I can only upload images...