Wednesday, September 10, 2008

RegRipper.net?

What's that? RegRipper.net? Yes, that's right...RegRipper has its own web site now! Many thanks to Brett Shavers for taking the lead on setting this up. This mechanism is so much easier than using SF.net, particularly when all that needs to be posted is a small plugin.

The site provides some basic background info on RegRipper as well as a download site for the latest version and plugins.

So, check it out...this is going to be THE resource for RegRipper from here on out...

Addendum: I mentioned earlier that someone got rip.pl running on Linux...the Linux version of rip.pl is posted in a message in the Win4n6 Yahoo Group.

11 comments:

Brett said...

And if anyone has questions, or suggestions (or heaven forbid, complaints...) about the website, let me know and I'll fix it ;)

Brett

Jason Koppe said...

Coooooooool.

Have you guys thought about using a versioning system?

Jason Koppe said...

or rather, do you already?

kdpryor143 said...

The site looks great, Brett.
KP

Brett said...

My versioning system is just keeping the site up for Harlan. And thanks for the compliment KP.

Beth Whitney said...

Thanks so much for getting the site together, Brett. Now I have an easy link to send to other people interested in RegRipper. I also like having a date as the app title so that I can make sure I have the latest update.

Beth

Keydet89 said...

Beth,

I wanted to follow up on your comment...

When I sat down to write the first iteration of RegRipper, the power I saw in it was in RegRipper's ability to quickly extract and even correlate information from within the Registry...and comments I received about reducing days of tracing by hand through the Registry to minutes confirmed that.

The real power of RegRipper is realized in a community effort. I don't have visibility into everyone's analysis needs, only my own. I take requests from others and try to put a useful plugin together, as more than one person may have that need. However, I can only do that if I know about it. I mention this because recently I've been told by someone who endorses RegRipper to others that he's heard comments about how the output of RegRipper is formatted...and I haven't heard anything like that thus far.

As I've mentioned before, if there's a request, I'll happily consider it. A good solid description of the issue and a sample hive file helps a great deal. Also keep in mind that I'm not a dev shop...I'm just one guy.

Anonymous said...

This is fantastic. I look forward to downloading new plugins as they become available. I now use regripper as part of my standard procedures for certain pieces of information, especially when it comes to USB devices.

Brian

Anonymous said...

I haven't gotten to try out RegRipper yet, so sorry if it's a dumb question...

Can RegRipper show keys that have been modified during a certain time?

There are good keys of interest that RegRipper searches for, but if you go by just what you think is interesting, you could probably miss other things.

For example if you enumerate autostart locations in the registry you might miss one you didn't know about. If you find malware set to run on boot, it would be beneficial to step back and look at all other keys that were modified during that time.

Keydet89 said...

Can RegRipper show keys that have been modified during a certain time?

RegRipper has a plugin called regtime.pl...the header of the plugin (text-based) includes the following:

# Plugin for Registry Ripper; traverses through a Registry
# hive file, pulling out keys and their LastWrite times, and
# then listing them in order, sorted by the most recent time
# first - works with any Registry hive file.

The short description, dumped by "rip.exe -l", reads:

"Dumps entire hive, all keys sorted by LastWrite time"

This plugin can be launched standalone by rip.exe, or as the plugin file "All" (NOTE: This plugin file refers to the fact that the plugins listed in it can be run against *all* hive files...they don't search for any specific keys.)

The services.pl plugin will do the same thing for the services listed in the System hive.

Anonymous said...

Man that's awesome, just what I was hoping for. Thanks, Harlan!