Tuesday, July 17, 2012

Thoughts on RegRipper Support

One of the things I've considered recently is taking a more active role in supporting RegRipper, particularly when it comes to plugins.

When I first released RegRipper in 2009 or so, my hope was that it would be completely supported by the community.  For a while there, we saw some very interesting things being done, such as RegRipper being added as a viewer to EnCase.  Over the past year or so, largely thanks to the wonderful and greatly appreciated support of folks like Brett Shavers and Corey Harrell, RegRipper has sort of taken off.

From the beginning, I think that the message about RegRipper has been largely garbled, confused, or simply misunderstood.  As such, I'd like to change that.

When someone has wanted a plugin created or modified, I've only ever asked for two things...a concise description of what you're looking for, and a sample hive.  Now, over the past 3 or so years, I've received requests for plugins, accompanied by either a refusal to provide a sample hive, or the sample hive simply being absent.  For those of you who have provided a sample hive, you know that I have treated that information in the strictest confidence and wiped the hive or hives after usage.  In addition, rather than being subjected to a barrage of emails to get more information about what you are looking for, those of you who have provided sample hives have also received the requested plugin in very short order, often as quickly as within the hour.

One of the things I've tried to do is be responsive to the community regarding needs.  For example, I provided a means for listing available plugins as part of the CLI component of RegRipper (i.e., rip.pl/.exe).  As this is CLI, some folks wanted a GUI method for doing the same thing, so I wrote the Plugin Browser.  Even so, to this day, I get questions about the available plugins; I was recently asked if two plugins were available, one that was originally written almost 3 years ago, and one that I'd written two months ago.

I'm not trying to call anyone out, but what I would like to know is, what is a better means for getting information out there and in the hands of those folks using RegRipper?

Recently, some confusion in the RegRipper message became very apparent to me, when information that another Perl script that I had released was a RegRipper plugin was shared across the community.  It turned out that, in fact, that script had nothing whatsoever to do with either RegRipper or the Registry.

Speaking of plugins, there are a number of folks who've taken it upon themselves to write RegRipper plugins of their own, and share them with the public, and for that, I salute you.  Would it be useful to have a testing and review mechanism, or at least identify the state (testing, dev, beta, final) of plugins?

Finally, I've written a good number of plugins myself that I haven't yet provided to the general public.  I have provided many of those plugins to a couple of folks within the community who I knew would use them (and have), and provide feedback.  In some cases, I haven't released the plugins because of the amount of confusion there seems to be with regards to what a plugin is and how it's used by RegRipper; i.e., as it's currently written, you can't just drop a plugin in the RegRipper plugins directory and have it run by RegRipper (or via rip.pl/.exe).  Some effort is required on the part of the analyst to include plugins in a profile in order to have them run by RegRipper.
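To make that last point concrete, here is a small POSIX shell check, added as an example here rather than taken from RegRipper itself. It assumes RegRipper's convention that a profile is a plain-text file in the plugins directory listing one plugin name per line, and that each plugin is a <name>.pl file in that same directory. The plugin and profile names below are constructed placeholders, not real RegRipper plugins. The check answers the two questions an analyst tends to get wrong: which plugins named in a profile are not actually present (so they silently never run), and which plugins have been dropped into the directory but are in no profile (so they never run either).

```shell
#!/bin/sh
# Added example, not RegRipper's own code.
# Assumptions: a profile is a text file in the plugins directory with one
# plugin name per line; each plugin is <name>.pl in that directory.

set -u

# Build a constructed sample plugins directory. Every name here is made up.
make_sample_plugins() {
    dir=$(mktemp -d)
    for p in sample_run sample_userassist sample_services; do
        printf '# constructed placeholder plugin %s\n' "$p" > "$dir/$p.pl"
    done
    # The profile names one plugin that was never dropped into the directory.
    printf 'sample_run\nsample_userassist\nsample_missing\n' > "$dir/sample_profile"
    echo "$dir"
}

# check_profile PLUGINS_DIR PROFILE_NAME
# Prints OK/MISSING for each plugin the profile lists; returns 1 if any are missing.
check_profile() {
    plugdir=$1
    profile=$2
    missing=0
    while IFS= read -r name || [ -n "$name" ]; do
        # skip blank lines and comments
        case "$name" in ''|\#*) continue ;; esac
        if [ -f "$plugdir/$name.pl" ]; then
            echo "OK      $name"
        else
            echo "MISSING $name"
            missing=$((missing + 1))
        fi
    done < "$plugdir/$profile"
    [ "$missing" -eq 0 ]
}

# count_missing PLUGINS_DIR PROFILE_NAME
# Prints the number of plugins the profile names that do not exist on disk.
count_missing() {
    check_profile "$1" "$2" | grep -c '^MISSING'
}

# list_unprofiled PLUGINS_DIR PROFILE_NAME
# Prints plugins present in the directory that the profile does not mention,
# i.e. plugins that would never run via this profile.
list_unprofiled() {
    plugdir=$1
    profile=$2
    for f in "$plugdir"/*.pl; do
        name=$(basename "$f" .pl)
        grep -qx "$name" "$plugdir/$profile" || echo "$name"
    done
}

# Stand-alone usage against the constructed sample:
#   d=$(make_sample_plugins)
#   check_profile "$d" sample_profile
#   list_unprofiled "$d" sample_profile
```

Against the constructed sample, check_profile reports sample_missing as MISSING and list_unprofiled reports sample_services, which is exactly the "I dropped the plugin in but nothing happened" situation the post describes. Point the two functions at a real plugins directory and profile name to run the same check before a batch run of rip.pl.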

As such, I've considered becoming more active in getting the message about RegRipper out to the DFIR community as a whole, and I'd like to know, from the folks who use RegRipper, how would we/I do a better job with RegRipper, as well as in supporting it?

9 comments:

John Bishop said...

Harlan, thanks for the continued work on the RegRipper tool.

I didn't see you mention it. I and many others first learned about RegRipper through SANS courses taught by Rob Lee and Ovie Carroll. Honestly, if it wasn't in their material and advocated so much by them I doubt I would be using it. You should also thank SANS for highlighting the tool in their material.

H. Carvey said...

John,

While that wasn't the focus of the blog post, you're right...I do greatly appreciate the advocacy from all quarters within the DFIR community, and particularly from Rob, Ovie, and the SANS folks, in general.

That being said, would you have any thoughts or input regarding the questions from the blog post?

Thanks.

Brett Shavers said...

And now there is a wiki page on RegRipper :)

http://www.forensicswiki.org/wiki/Regripper

I feel that organizations such as SANS and others that teach digital forensics do a good job on showing how to incorporate RR into a common workflow.

If an analyst has a process already, using RR in that process is no more than minutes of additional effort that benefits the entire process by saving time in the entire examination.

It does take that additional effort to implement, but no more effort (probably less) than using any registry tool. Perhaps some YouTube videos showing 'how to', but they'd be really short videos...

Corey Harrell said...

Another individual who has done a ton of work helping support RegRipper is Francesco. He does all the heavy lifting for the RegRipper plugins download site.

One idea to make things a little easier for plugin development is to have a central area where people can request plugins. All they would need to do is submit their name, the reg key and/or values path, and why it is important to them. A central area would let the community see the requests and if someone wanted to take a shot at writing the plugin then they could. The RegRipper plugin site already has an area for people to submit known issues so maybe something similar could be done for plugin requests.

While I'm on the topic of adding additional resources to the RR plugin site, how about adding a documentation section to the RR blog and RR plugin site (have them mirror each other)? This way if someone does up a tutorial about how to use RR to accomplish something then the documentation section can point them to where they can find it. The documentation you included with the RR download could even be linked to these documentation sections as well. It may make it easier for folks by pointing them to where certain documentation exists.

> Would it be useful to have a testing and review mechanism, or at least identify the state (testing, dev, beta, final) of plugins?

Yes to the testing and review mechanism since it can help catch issues early. I already mentioned it but yes again to the state since it will help keep track of plugins.

H. Carvey said...

Corey,

You're absolutely right...fpi does a lot for RegRipper, and I very much appreciate the effort that he's put forth with respect to supporting the tool.

> ... a central area where people can request plugins.

I've always had that...my email address. Are you saying that folks would be more likely to post a request publicly, than to ask for something quietly and discreetly?

> How about adding a documentation section to the RR blog and RR plugin site

I'm not sure I follow what you're getting at here. What documentation is missing?

Don't get me wrong...I think that there may be some opportunities here. However, from what I have seen, most folks seem to just load up RegRipper, run the GUI and click the button. The few folks such as yourself and fpi who go beyond that, and use rip.pl/.exe in batch files, don't seem to have an issue with documentation.

I think that the biggest issue with documentation is that it's not read. A bit ago, I was asked to provide a license with RegRipper. I did so, adding a license file to the RR v2.5 download...and have received emails asking me if RegRipper has a license, and if so, what is it? ;-)

Maybe I'm missing something. I am a member of several online lists, and I see more questions about RegRipper in the lists than I receive in my inbox, so maybe I'm missing the majority of the requests...I don't know. If there is an issue with the RegRipper documentation, I'd love to hear it so that we can address it.

Brett Shavers said...

I just went through the PDFs in the RegRipper zip files. Plenty of documentation. I did add them to the RR blog to make it even easier to access. And just in case there wasn't enough documentation on RegRipper, I used magic (Google...) and found quite a few things on the internet (videos, ppts, pdfs) on RegRipper. I added many of those to the RR blog under links.

I think Harlan is right. There may be some that run RegRipper and click 'go' without realizing documentation exists that describes the application. Most don't read manuals anyway, but I'd figure that if something isn't working as expected...read the documentation ;)

Anonymous said...

Completely off topic, however... What is the grand URL with this treasure of information? Where is RegRipper officially hosted?

Brett Shavers said...

RegRipper is officially hosted on a Google Code site.

There is http://regripper.wordpress.com that has direct links to the Google Code sites (2 of them at this point).

Wherever RegRipper gets hosted for download, the links will be on http://regripper.wordpress.com in order to make it easy to find.

H. Carvey said...

Brett,

I can kind of see the point to Anonymous's post...anything more than one URL (like...well...two of them) leads to confusion. I've received emails in the past asking which "out of all of the URLs is the right one". When I asked which URLs they were referring to, they sent me the two.

So, I can totally see how things can be confusing if there is more than one link, even if we post to the Wordpress blog that you can use either one.