Comments on Windows Incident Response: RegRipper.net?
(Blogger comment feed, 11 comments, newest first; feed last updated 2024-03-19T07:46:20-05:00)

----

Anonymous, 2008-09-14 08:33 -05:00

Man that's awesome, just what I was hoping for. Thanks, Harlan!

----

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2008-09-14 05:36 -05:00

"Can RegRipper show keys that have been modified during a certain time?"

RegRipper has a plugin called regtime.pl. The header of the plugin (text-based) includes the following:

# Plugin for Registry Ripper; traverses through a Registry
# hive file, pulling out keys and their LastWrite times, and
# then listing them in order, sorted by the most recent time
# first - works with any Registry hive file.

The short description, dumped by "rip.exe -l", reads:

"Dumps entire hive, all keys sorted by LastWrite time"

This plugin can be launched standalone by rip.exe, or as the plugin file "All" (NOTE: this plugin file refers to the fact that the plugins listed in it can be run against *all* hive files; they don't search for any specific keys).

The services.pl plugin will do the same thing for the services listed in the System hive.

----

Anonymous, 2008-09-13 15:53 -05:00

I haven't gotten to try out RegRipper yet, so sorry if it's a dumb question...

Can RegRipper show keys that have been modified during a certain time?

There are good keys of interest that RegRipper searches for, but if you go by just what you think is interesting, you could probably miss other things.

For example, if you enumerate autostart locations in the registry you might miss one you didn't know about. If you find malware set to run on boot, it would be beneficial to step back and look at all other keys that were modified during that time.

----

Anonymous, 2008-09-11 11:59 -05:00

This is fantastic. I look forward to downloading new plugins as they become available. I now use RegRipper as part of my standard procedures for certain pieces of information, especially when it comes to USB devices.

Brian

----

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2008-09-11 08:18 -05:00

Beth,

I wanted to follow up on your comment...

When I sat down to write the first iteration of RegRipper, the power I saw in it was in RegRipper's ability to quickly extract and even correlate information from within the Registry...and comments I received about reducing days of tracing by hand through the Registry to minutes confirmed that.

The real power of RegRipper is realized in a community effort. I don't have visibility into everyone's analysis needs, only my own. I take requests from others and try to put a useful plugin together, as more than one person may have that need. However, I can only do that if I know about it. I mention this because recently I've been told by someone who endorses RegRipper to others that he's heard comments about how the output of RegRipper is formatted...and I haven't heard anything like that thus far.

As I've mentioned before, if there's a request, I'll happily consider it. A good solid description of the issue and a sample hive file helps a great deal. Also keep in mind that I'm not a dev shop...I'm just one guy.

----

Anonymous, 2008-09-11 07:45 -05:00

Thanks so much for getting the site together, Brett. Now I have an easy link to send to other people interested in RegRipper. I also like having a date as the app title so that I can make sure I have the latest update.

Beth

----

Brett Shavers (https://www.blogger.com/profile/08207321430604828713), 2008-09-11 00:32 -05:00

My versioning system is just keeping the site up for Harlan. And thanks for the compliment, KP.

----

Anonymous, 2008-09-10 23:55 -05:00

The site looks great, Brett.
KP

----

Jason Koppe (https://www.blogger.com/profile/10649074891135062829), 2008-09-10 22:24 -05:00

or rather, do you already?

----

Jason Koppe (https://www.blogger.com/profile/10649074891135062829), 2008-09-10 22:24 -05:00

Coooooooool.

Have you guys thought about using a versioning system?

----

Brett Shavers (https://www.blogger.com/profile/08207321430604828713), 2008-09-10 21:57 -05:00

And if anyone has questions, or suggestions (or heaven forbid, complaints...) about the website, let me know and I'll fix it ;)

Brett
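The regtime.pl behaviour Harlan describes in this thread (walk a hive, collect every key's LastWrite time, sort most recent first) and the anonymous commenter's follow-up question (restrict that listing to a time window) are easy to see in code. The block below is an added example written for this page; it is not RegRipper or regtime.pl code, and it is Python rather than RegRipper's Perl. It parses the raw REGF hive format directly (nk key cells and lf/lh/li/ri subkey lists), so no registry library is needed, and it reads the LastWrite FILETIME that regtime.pl reports. The hive it walks is a constructed in-memory sample built by the HiveBuilder helper with hand-picked key names and timestamps, not data from any real system; the parser itself will read any offline hive file if you pass it the file's bytes. The names walk_hive, list_keys_by_lastwrite, keys_modified_between and HiveBuilder are the example's own, not RegRipper's.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEY_COMP_NAME = 0x20          # nk flag: key name stored as 8-bit chars instead of UTF-16LE
NO_OFFSET = 0xFFFFFFFF        # "no cell" marker used in nk records

def filetime_to_dt(ft):       # FILETIME = 100 ns ticks since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def _utc(iso):
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def walk_hive(hive):
    """Return [(LastWrite datetime, key path), ...] for every key under the root of a raw REGF hive."""
    if hive[:4] != b"regf":
        raise ValueError("not a REGF hive")
    root = struct.unpack_from("<I", hive, 0x24)[0]   # root cell offset, relative to the first hbin
    base = 0x1000                                      # hbins start right after the 4 KiB file header

    def cell(off):                # cell = int32 size (negative while allocated) + payload
        size = struct.unpack_from("<i", hive, base + off)[0]
        return hive[base + off + 4: base + off + abs(size)]

    def subkey_offsets(off):      # lf/lh: (offset, hash) pairs; li: offsets; ri: list of sub-lists
        data = cell(off)
        sig, n = struct.unpack_from("<2sH", data, 0)
        if sig in (b"lf", b"lh"):
            return [struct.unpack_from("<I", data, 4 + 8 * i)[0] for i in range(n)]
        if sig == b"li":
            return [struct.unpack_from("<I", data, 4 + 4 * i)[0] for i in range(n)]
        if sig == b"ri":
            return [o for i in range(n)
                    for o in subkey_offsets(struct.unpack_from("<I", data, 4 + 4 * i)[0])]
        raise ValueError(f"unknown subkey list type {sig!r}")

    def nk(off, parent_path):     # nk: flags @2, LastWrite @4, subkey count @0x14, list @0x1C, name @0x4C
        data = cell(off)
        if data[:2] != b"nk":
            raise ValueError(f"expected nk cell at {off:#x}")
        flags, lastwrite = struct.unpack_from("<HQ", data, 2)
        nsub, = struct.unpack_from("<I", data, 0x14)
        sub_off, = struct.unpack_from("<I", data, 0x1C)
        name_len, = struct.unpack_from("<H", data, 0x48)
        raw = data[0x4C:0x4C + name_len]
        name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le")
        path = f"{parent_path}\\{name}" if parent_path else name
        yield filetime_to_dt(lastwrite), path
        if nsub and sub_off != NO_OFFSET:
            for child in subkey_offsets(sub_off):
                yield from nk(child, path)

    return list(nk(root, ""))

def list_keys_by_lastwrite(hive):
    """What regtime.pl reports: every key, most recent LastWrite first."""
    return sorted(walk_hive(hive), reverse=True)

def keys_modified_between(hive, start_iso, end_iso):
    """The commenter's question: only keys whose LastWrite lies in [start, end] (UTC)."""
    start, end = _utc(start_iso), _utc(end_iso)
    return [row for row in list_keys_by_lastwrite(hive) if start <= row[0] <= end]

class HiveBuilder:
    """Writes nk/lf cells into one hbin to make a constructed sample hive (test data, not a real hive)."""
    def __init__(self):
        self.cells, self.names = bytearray(), {}

    def _cell(self, payload):
        size = (4 + len(payload) + 7) & ~7                 # cells are 8-byte aligned
        off = 0x20 + len(self.cells)                        # offset past the 32-byte hbin header
        self.cells += struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")
        return off

    def key(self, name, lastwrite_iso, children=(), root=False):
        sub_off = NO_OFFSET
        if children:                                        # lf list: count, then (offset, 4-char hash)
            lf = struct.pack("<2sH", b"lf", len(children)) + b"".join(
                struct.pack("<I4s", c, self.names[c].encode("latin-1")) for c in children)
            sub_off = self._cell(lf)
        flags = KEY_COMP_NAME | (0x0C if root else 0)        # root also gets HIVE_ENTRY | NO_DELETE
        nk = struct.pack("<2sHQ15IHH", b"nk", flags, dt_to_filetime(_utc(lastwrite_iso)),
                         0, NO_OFFSET, len(children), 0, sub_off, NO_OFFSET, 0, NO_OFFSET,
                         NO_OFFSET, NO_OFFSET, 0, 0, 0, 0, 0, len(name), 0)
        off = self._cell(nk + name.encode("latin-1"))
        self.names[off] = name
        return off

    def finish(self, root_off):
        size = (0x20 + len(self.cells) + 0xFFF) & ~0xFFF   # hbin sizes are multiples of 4 KiB
        hbin = (b"hbin" + struct.pack("<II", 0, size)).ljust(0x20, b"\0") + bytes(self.cells)
        header = b"regf" + struct.pack("<IIQIIIIII", 1, 1, 0, 1, 5, 0, 1, root_off, size)
        return header.ljust(0x1000, b"\0") + hbin.ljust(size, b"\0")

def build_sample_hive():
    """Constructed sample: five keys with hand-picked LastWrite times (not data from a real system)."""
    hb = HiveBuilder()
    run = hb.key("Run", "2008-09-10 12:05:00")
    uninstall = hb.key("Uninstall", "2008-08-01 00:00:00")
    software = hb.key("Software", "2008-09-10 12:00:00", [run, uninstall])
    system = hb.key("System", "2008-09-10 11:58:00")
    root = hb.key("ROOT", "2008-09-01 00:00:00", [software, system], root=True)
    return hb.finish(root)

if __name__ == "__main__":
    hive = build_sample_hive()                 # or: hive = open("SOFTWARE", "rb").read()
    for ts, path in keys_modified_between(hive, "2008-09-10 11:50:00", "2008-09-10 12:10:00"):
        print(ts.strftime("%Y-%m-%d %H:%M:%S"), path)
```

Two caveats a practitioner should keep in mind when reading such a listing. LastWrite is a property of the key, not of its values: writing or deleting a value, or adding or removing a subkey, updates the parent key's timestamp, so a value planted under a Run key shows up as a LastWrite on Run rather than on anything named after the value. And the parser above reads only the primary hive file; it does not validate the header checksum or replay transaction logs, so take it as a starting point for a hive that was extracted cleanly from a disk image, and treat a "dirty" hive (one with unapplied log entries) with the same caution you would apply to any other tool that ignores the logs.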