Sunday, December 20, 2009

Using RegRipper

Now and again, I get stories from folks who've used RegRipper or the accompanying tools (rip, ripXP) to meet their needs. When that happens, many times I'll ask if I can post their experience and as in this case, I received the "OK":

I would like to share with you the experience of a recent engagement I have done where RegRipper proved very useful. I had to analyze 4 systems and the number of user profiles in each system varied from 6 to 15. For a system I extracted the relevant hive files, renamed them to "username_NTUSER.DAT" and dumped them in one folder. What I wanted was a certain kind of user activity like typed URL, programs opened etc. by all users (on that system) in one file so that I can scroll through the file and get a good idea about what happened on that system i.e. what programs have been executed on the system and if I find something interesting then which username does it correspond to.

First I tried using rip.exe with shell wildcard character "*" but I guess RegRipper does not support that. So I wrote a simple perl script and pointed it to the folder where all the NTUSER.DAT files were located. The script ran a particular plugin against all the hive files and then dumped the output to one file. It also added the name of the file before its output to keep track of which username the activity belongs to.

My goal is that the new version of RegRipper will obviate the need to do this sort of thing...that all you'll have to do is mount the image read-only (tools abound for this...), point RegRipper at the mounted image, and let it go.

However, in the meantime, this is one way to handle this sort of issue. No, rip.exe doesn't handle wildcards...sorry about that, but to be honest, I simply cannot keep up with everything people are going to try to do with the tools, and say ahead of time what they will and will not do. More on that later.

Writing a Perl script or a simple batch file is exactly what rip.exe was intended for! I use rip when testing plugins, and ripXP is built on that same functionality. This is also a great example of how automating a previously manual process saves time and effort, without sacrificing accuracy. In fact, accuracy and completeness are maintained, while reducing the resources it takes to perform certain tasks, making the overall analysis much more efficient.
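As an added example (not the reader's script and not part of RegRipper itself), here is one way to write that loop in Perl: it runs a single rip plugin against every username_NTUSER.DAT hive in a folder and collects the results in one report, printing a header that names the hive (and so the user) before each plugin's output. It assumes rip.exe (or rip.pl) is on the PATH as "rip" and that the hives follow the naming convention from the story above.

```perl
#!/usr/bin/perl
# Run one RegRipper plugin against every <username>_NTUSER.DAT hive in a
# folder and gather the results in a single report, with a header naming
# the hive (and therefore the user) before each plugin's output.
# Assumptions (not from the post): rip.exe/rip.pl is on the PATH as "rip",
# and the hive directory, plugin name and output file are given as arguments.
use strict;
use warnings;
use File::Spec;

my ($dir, $plugin, $out) = @ARGV;
die "usage: $0 <hive_dir> <plugin> <output_file>\n"
    unless defined $dir && defined $plugin && defined $out;

# readdir() rather than glob(), so a directory path containing spaces is safe
opendir(my $dh, $dir) or die "cannot open directory $dir: $!\n";
my @hives = sort grep { /_NTUSER\.DAT$/i } readdir($dh);
closedir($dh);
die "no *_NTUSER.DAT files found in $dir\n" unless @hives;

open(my $fh, '>', $out) or die "cannot write $out: $!\n";
foreach my $name (@hives) {
    my $path = File::Spec->catfile($dir, $name);
    (my $user = $name) =~ s/_NTUSER\.DAT$//i;   # user name from the file name

    print $fh "=" x 70, "\n";
    print $fh "Hive: $name    User: $user    Plugin: $plugin\n";
    print $fh "=" x 70, "\n";

    # Quote the hive path so user names with spaces work (see the comment thread)
    my $output = `rip -r "$path" -p $plugin 2>&1`;
    my $status = $? >> 8;
    print $fh "[rip exited with status $status]\n" if $status != 0;
    print $fh $output, "\n";
}
close($fh);
print "Processed ", scalar(@hives), " hive(s); report written to $out\n";
```

Run it as, for example, perl ripall.pl C:\case\hives userassist all_userassist.txt; the userassist and typedurls plugins cover the "programs opened" and "typed URL" activity the story mentions.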

Finally, a reminder to the community...tools like RegRipper are pretty much written in isolation. That is, I originally wrote the tools to meet my own needs, and I update them for the same purpose. Now and again, I do get submissions for improvements, and those get added, depending upon the design requirements. As one guy, I can only do so much. I've said over and over again, if there's a plugin you're interested in, send me a concise description of what you're looking for and a sample hive (emphasis added on "and" because it's not a matter of one or the other). In cases where folks have done this, I've been able to turn around the plugin fairly quickly.

Also, hives with "interesting" stuff are always a nice stocking stuffer, even all year 'round! ;-)

Addendum: I wanted to add a comment I received from David Kovar:

My primary purpose is to get a quick snapshot of how the system was used, but I'll often come back to the report to help guide me in deciding where to go with my analysis. It probably is one of the most heavily used tools in my kit.

Thanks, David!

10 comments:

Anonymous said...

Interesting - here is my solution: I export all system registry files to a directory and each user NTUSER file to a subdirectory with the user's name to my case drive. I then run the following CMD from that directory passing that drive as a parameter:

@echo off
@echo jcRegRip.cmd
c:
cd \sectools\regripper
if exist %1system rip -r %1system -f system > %1RegRip.txt
if exist %1software rip -r %1software -f software >> %1RegRip.txt
if exist %1SAM rip -r %1SAM -f SAM >> %1RegRip.txt
for /d %%i in (%1*) do if exist %%i\ntuser.dat rip -r %%i\ntuser.dat -f ntuser >> %1RegRip.txt
%1
echo Finished!

PS> RegRip saves me hours!

H. Carvey said...

See...THAT'S how to use the tools you have at hand! Excellent work!

Claus said...

@ Cool tool, thought I would give you a heads up.

Remember the SANS-Forensics blog post: Flash Cookie Forensics ?

Nir Sofer (NirSoft) just released a new tool: FlashCookiesView v1.00

Not only does it display/export the list of Flash cookie files, you can also use it against an "off-lined" Windows system (if you know the path to feed it).

From the page description:

On Windows XP, the flash cookies are stored under C:\Documents and Settings\[Your Profile]\Application Data\Macromedia\Flash Player\#SharedObjects\[Random Name]\[Web Site Path]. On Windows 7/Vista, the flash cookies are stored under C:\Users\[Your Profile]\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\[Random Name]\[Web Site Path].

I can see quite a lot of handy uses for this as most of the tools I knew of all required them to be accessed from the "live" system via a browser and/or browser-plug-in.

Just thought you might like a tipoff to the utility.

Cheers!

--Claus V.

(BTW)--that batch file comment above is really cool! Got to add it to my incident response USB app folder collection!

Claus V.

Anonymous said...

Thanks Harlan. The FOR loop can't handle user names with spaces in, but if you change it to:

for /d %%i in (%1*) do if exist "%%i\ntuser.dat" rip -r "%%i\ntuser.dat" -f ntuser >> %1RegRip.txt

it works.

firefly said...

Hi Harlan - I'm wondering whether you're still active on this post. I've seen your discussion some time ago regarding obtaining registry hives from a live desktop (internal investigation). You mentioned in the post open source tools are available to do this. Enut is great to obtain and bk reg. copies on your own logged on machine, and wra to carve and analyze the shellbags output. Any advice you might have or posts to refer to - tx?

H. Carvey said...

MvJ,

Some info about or a link to enut might be helpful...

firefly said...

Apologies (ERUNT :) - I found this link after on SANS in a previous discussion you were involved with:

http://blogs.sans.org/computer-forensics/2008/10/31/shellbags-registry-forensics/

ERUNT http://www.larshederer.homepage.t-online.de/erunt/

The challenge I have is to obtain these files remotely of a live machine; for the logged in user. I've tried using 'regripperPOC' with a local mapping of the drive as well.

Appreciated

H. Carvey said...

The challenge I have is to obtain these files remotely of a live machine; for the logged in user.

Have you tried F-Response?

I've tried using 'regripperPOC' with a local mapping of the drive as well.

What is "regripperPOC"?

firefly said...

Thanks for the F-Response heads up - currently looking at it as part of a proposal (options) for the office. It seems to be very cost effective - will do.

Regripper: With mapped network drive.

http://www.regripper.net/RR/RegRipper/RegRipperPOC.zip

Regards

H. Carvey said...

MvJ...

Ah, okay, gotcha. RegRipperPOC won't work in the manner you're attempting for fairly obvious reasons, which is why I recommended F-Response.