Sunday, March 20, 2011

Using RegRipper

Sometimes I'll receive or see questions in a forum about RegRipper...does it to this, does it do that?  Sometimes I get the sense from these questions that there's tire-kicking going on, and that's fine...but I've always thought that it's been pretty clear what RegRipper does...what problem does it try to solve.

RegRipper is an open-source tool that allows the user (usually an analyst or responder) to extract specific information (keys, key LastWrite times, values, etc.) from the Registry.

As a side effect, RegRipper is also an excellent facility for retention of institutional knowledge.  Let's say an analyst finds something that she hasn't seen before through Registry analysis, as a result of 10 hours of dedicated analysis.  She can write a plugin, documenting everything, and then provide that plugin to other team members.  Now, without having her knowledge or expertise, or having spent that same 10 hours digging, everyone of the other analysts on her team can "find" and extract that same information.  Two years later, after some analysts have left and new ones have been hired, we have the same effect, again without the new analysts having to spend 10 or more hours to find the same thing.  And the data is extracted every time.

RegRipper is NOT a search tool, although there are plugins that will parse through binary data to retrieve information that would not be found via any of the usual search tools.  You can program the ability to do some searching into a plugin, sure...but RegRipper is not a tool you would use to perform general searches of Registry hives.

Below are some of the more popular questions I get:

Does RegRipper work with Windows 7?

This is one of those questions that I'm not sure I know how to answer.  If I say, "yes", I'm afraid that there's an expectation that every possible plugin for Windows 7 that could ever be written has been written and is included with the distribution.  If I say, "yes, but...", anything after the comma will get lost, and we're back at the last answer.

The fact of the matter is that RegRipper works with all versions of Windows from NT up through and including Windows 7.  I've used it on everything from Windows 2000 through XP and on to Vista and Windows 7 systems.  It works because the Registry structure, on a binary and data structure level, remains the same across all versions.  Where things go haywire a bit is when a key or value has been added, moved or deleted...which happens quite often between Windows versions.

So, the long answer is that yes, RegRipper works on Windows 7, but the caveat is that it must have the plugin for the data in which you're interested.

Sometimes, the above question is more often asked as, Why doesn't RegRipper do X?  The answer to that is usually, Because you haven't written the plugin yet, my friend.  ;-)  Folks, RegRipper is open-source, and free.  It comes with a great deal of documentation on how to use it.  For example, if you want to know what rip.exe can do, just type "rip -?" or "rip -h" at the command prompt.

Does RegRipper do X?

Much like Nessus, RegRipper is an engine that runs plugins.  If you want it to do something, you can make it do it.  The tool is open source, and is written in Perl. 

One of the tools I included with RegRipper is "rip", either with the .pl or .exe extension, which is simply the command line version of RegRipper.  Rip has some cool features.  For example, you can run either single plugins or entire profiles from the command line, and capture the information to files using DOS redirection.  The output from rip goes to STDERR and STDOUT, so use the appropriate redirection to capture everything.

If you want to know what plugins you have, use rip -l -c > plugins.csv, and open the resulting file in Excel.  When the Registry forensics book was released, I included a GUI tool called "Plugin Browser" that lets you browse through the plugins one at a time.

Can you make RegRipper do X?

Yes.  And so can you.  RegRipper is open-source, based on Perl.  There's very little in the way of a "proprietary" API...in fact, there isn't any at all.  RegRipper encapsulates some regular Perl APIs, such as the print() function, but that's it...it's just encapsulated.  RegRipper is based on the Parse::Win32Registry module by James McFarlane, which is easily installed into ActiveState Perl using the Perl Package Manager (PPM).

Need some help?  No problem.  There are a number of plugins available, and you can open any of these in an editor (or even NotePad) and use them as a basis.  In fact, this is exactly how I do it.

If you need even more help, and would like me to write a plugin for you, all I need is a clear, concise description of what you want, and a sample hive that contains the data.  That's it.  If you give me those, and I have the time available, I can usually turn around a working plugin in very short order.

If you have any questions, or don't understand something, the best thing to do is ask.  RegRipper is a powerful and very useful tool...I'm not saying this because I wrote it; I'm saying it because I wrote it and use it on every engagement.  I use RegRipper to look at specific keys and values to provide insight into the system under analysis, as well as provide some context about the engagement overall.  I also use it locate malware that wasn't detected by AV.  I've use RegRipper to catalogue new intrusion artifacts, as well as demonstrate that a user account was used to view (or in one instance, not view) specific files.

If you're using RegRipper, a new distribution of plugins (not so much new plugins as more...) was included along with Windows Registry Forensics, as well as online.  I've updated a couple of the plugins, added a few more, and Brett's provided others via RegRipper.net.

1 comment:

Daniel said...

Maybe people are just too lazy to try and would prefer to waste your time instead of theirs.

It's a pity really, as you have already put time into creating this program and many other contributions towards the field of digital forensics.

They could at least contribute a little by trying it first and bothering you less with trivial questions.