RegRipper Plugin Updates

Pretty much everyone is aware by now that the full version of RegRipper is available on SF.net. I made a couple of minor updates to some of the plugins the other day (so you won't find these in the currently available distribution) that I wanted to mention briefly...

First, I updated the winnt_cv plugin so that the InstallDate value is converted to a readable time stamp, such as:

InstallDate : Fri Aug 31 15:21:10 2007 (UTC)

Much better than just spewing the DWORD data to the output, don't'cha think?

Second, after using RegRipper on some actual engagements recently, I decided that I wanted a plugin that would display information about the services in a shorter format so that its easier to read. The services plugin displays the following about services and drivers:

Name = SNMPTRAP
Display = @%SystemRoot%\system32\snmptrap.exe,-3
ImagePath = %SystemRoot%\System32\snmptrap.exe
Type = Own_Process
Start = Manual
Group =

The svc plugin (get it...shorter name, shorter format for the output??) displays the following about services:

Thu Nov 2 12:53:48 2006Z
Appinfo (%SystemRoot%\system32\svchost.exe -k netsvcs) [LocalSystem]

Thu Nov 2 12:53:38 2006Z
SessionEnv (%SystemRoot%\System32\svchost.exe -k netsvcs) [localSystem]

Thu Nov 2 12:53:22 2006Z
TrkWks (%SystemRoot%\System32\svchost.exe -k LocalSystem NetworkRestricted) [LocalSystem]

Thu Nov 2 12:53:11 2006Z
Dhcp (%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted) [NT Authority\LocalService]

The svc plugin grabs much of the same information as the services plugin, but presents it in a shorter format, so that it's much easier to read at a glance. In addition, svc also grabs the ObjectName value (if available), which indicates the account that the service runs under.

For analysis purposes, I generally try to look for services and drivers that have a LastWrite time around the reported date of the incident, as this has indicated the use of keystroke loggers and kernel-mode rootkits.

What's also really sweet about this is that, as always, the plugins work great with rip.exe...check out the batch files that were included in the most recent distribution of RegRipper.

Two other items that are yet to be completed (currently in progress) with regards to RegRipper are:

1. Extraction of time-based data in a common format, for correlation with other sources of time-based data, and then display of that data using Timeline or some other visualization tool.

2. Development of a separate, standalone copy of rip.exe (to start, anyway) that will not only run a plugin or plugins file against a hive, but also against the appropriate hive files in XP System Restore Points (all automatically).

Thoughts? Just more RegRipper goodness...no hive files were harmed in the making of these tools or of this post...

RegRipper Update

I wanted to let folks know that I've posted the latest version of RegRipper to SF.net. The file you're looking for is "rr_2.02.zip".

There is no longer a break between the Basic and Advanced editions of RegRipper...I've done away with the Basic edition all together, and posted what used to be the Advanced version. The download package includes everything you need...the executables, source, RTFM docs (PDF, FAQ) and even a couple of simple batch files that show you how to use rip.exe to perform/automate some real simple tasks.

Development of RegRipper will continue. I still need to add more documentation to each plugin, along with Analysis Tips (explain why/how the data collected displayed may be important, etc.), as well as add the separate consolidation of timeline information (for use in analysis and graphing).

The power of RegRipper is in the plugins, and I can only go so far developing plugins myself. If you find that there's a plugin that you'd like to see, let me know. Please keep in mind...sample data is far more helpful than a description.

As always, if you have any thoughts, questions, comments, etc., please feel free to drop me a line.

RegRipper Video Posted

Hogfly emailed me last night to let me know that he'd posted a video on how to use F-Response and RegRipper together in live response. There's no audio to the video, but it's cool nonetheless...Hogfly does a great job of putting in cues, and focusing in so that the viewer can see what's going on up-close.

One thing that I wanted to address, though, is something that Hogfly stated in his blogpost:

Harlan has said this tool is not designed for live response...

For the record, I never said that. What I did say is:

RegRipper is NOT intended to be run on live Registry hive files.

There's a difference. RegRipper was NOT intended to be run against C:\Documents and Settings\hcarvey\NTUSER.DAT while I'm logged into my system...the hive file is live and locked by the system (populating the HKEY_CURRENT_USER hive in RegEdit). However, what Hogfly did was completely different...he used the excellent tool F-Response to access the remote drives as read-only physical disks, and then used FTK Imager to extract the hive files. You can do this on your own system as well...fire up FTK Imager, add your physical disk as an evidence item, and extract your hive files into another location in the file system. At that point, when you fire up RegRipper, you're not longer really doing "live response".

Thanks, Hogfly...great video! And a mighty THANKS goes out to Matt Shannon for coming up with F-Response...for recognizing and filling a very important need. With what's coming down the road with F-Response, as well as with other tools, the face of incident response and computer forensic analysis is now changing, in a very positive direction!

Updated RegRipper

I posted an updated version of RegRipper (2.01A, Basic Edition) up on SF.net...I had a couple of small updates to the GUI, mostly in the area of input validation (thanks to sippy for the input on that), but nothing to warrant a new version number, really. A quick run-down of updates includes:

- GUI input validation stuff (thanks to sippy)

- Added '-c' switch to rip.exe, so that when you list the plugins (ie, 'rip -l') you can now get the output in CSV format

- Added some new plugins (SAMParse, WinNT_CV, ProfileList, BitBucket, etc.), as well as made some minor updates to a couple of others, based on my own testing and use, as well as a suggestion from a user

This download includes all of the plugins from the previous download, plus the ones mentioned above. Installing this package is as simple a extracting the files from the zip archive into the same directory you used with the previous version.

A couple of notes and reminders on the use of these tools...

- RegRipper is NOT intended to be run on live Registry hive files - feel free to do so, but please...if it doesn't work, I already know that! =)

- If you find that RegRipper did not apparently work properly, or you think it didn't, then please feel free to contact me...but please also include the log file generated by RegRipper (ie, rr-.log). If at all possible, the actual hive file you were running against would be very helpful, but in most cases the log file should contain some useful info, albeit nothing customer- or case-specific.

- Keep in mind that while the edition of RegRipper you're using is fully functional, there is additional functionality that has been incorporated into the Advanced edition of the tool, such as support for selecting and using arbitrary plugins files, etc. I've included this in the documentation...so if you have feature requests, please consult the FAQ and file named "regripper.pdf" first.

- Please be sure to read the documentation (FAQ, regripper.pdf) if you have any questions. I have received requests to provide plugins for USB removable storage devices...after I put in the effort to write and test the plugin, and included it in the distribution.

For those of you who have tried/used RegRipper, I hope you've found it as useful as I continue to find it just about every day. For those of you who have commented or provided feedback, I thank you very much for that.

Other stuff...
On a side note, I added an experimental '-g' switch to the version of rip.exe that I keep with the Advanced edition of RegRipper...this switch does some guessing as to what kind of hive file the analyst is pointing to. One of the things I've been toying with on the side, something requested by a friend, is the ability to parse not only a specific hive file, but to then access the Restore Points on XP, and run that same plugin against the appropriate hive file within each RP. I've got most of the code working, at this point it's simply a matter of tying it together and having the output in a readable format.

RegRipper on SF.net

I've posted RegRipper v2.0A Basic Edition to SF.net. The archive includes the source and EXEs for RegRipper and rip.exe (as well as the required DLL), an FAQ, whitepaper, list of current plugins, etc.

Ripping the Registry w/ rip.exe

While I was developing the RegRipper, I found that I could use some means of testing plugins without having to fire up the RegRipper GUI each time, particularly if I just wanted to modify how the output was displayed...for example, once I got all the information I needed, say that I wanted to parse it and have it displayed based on the Registry key LastWrite times (so that it's easier to correlate to an incident timeline...). Do I want to fire things up all over again, or simply re-run the last command line?

So I wrote rip.exe, a small CLI utility that uses the same plugin structure as RegRipper, and lets me either run a single plugin against a hive file, or run an entire plugins file against a hive file. Here's what the syntax for rip.exe looks like:

Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h]
Parse Windows Registry files, using either a single module, or a plugins file.
All plugins must be located in the "plugins" directory; default plugins file
used if no other filename given is "plugins\plugins".

-r Reg hive file...Registry hive file to parse
-f [plugin file]...use the plugin file (default: plugins\plugins)
-p plugin module...use only this module
-l ................list all plugins
-h.......................Help (print this information)

Ex: C:\>rr -r c:\case\system -f system
C:\>rr -r c:\case\ntuser.dat -p userassist.pl
C:\>rr -l

All output goes to STDOUT; use redirection (ie, > or >>) to output to a file.

copyright 2008 H. Carvey

Pretty cool. I even threw in a switch to just list all of the plugins in the plugins directory; the output includes the name of the plugin, the version, which hive file each plugin is for (ie, NTUSER.DAT, System, Software, etc.), and brief description of what the plugin does. Here are a couple of examples:

7. auditpol v.20080327 [Security]
- Get audit policy from the Security hive file

8. bho v.20080325 [Software]
- Gets Browser Helper Objects from Software hive

9. cmd_shell v.20080328 [Software]
- Gets shell open cmds for various file types

10. comdlg32 v.20080324 [NTUSER.DAT]
- Gets contents of user's ComDlg32 key

11. compdesc v.20080324 [NTUSER.DAT]
- Gets contents of user's ComputerDescriptions key

12. compname v.20080324 [System]
- Gets ComputerName value from System hive

13. devclass v.20080331 [System]
- Get USB device info from the DeviceClasses keys in the System hive

14. fw_config v.20080328 [System]
- Gets the Windows Firewall config from the System hive

So let's say that I have an image of a Windows system, and I've either extracted the Registry hive files from the image and placed them in a directory, or I've mounted the image file as a read-only file system using Mount Image Pro or VDKWin. If I want to take a cursory look at some things to sort of get an idea of what I'm looking at, I can run rip.exe to collect info for me:

C:\tools>rip rip -r d:\cases\ntuser.dat -p userassist

Let's say that I want to run an entire plugins file against a hive file...

C:\tools>rip rip -r f:\windows\system32\config\software -f software

Pretty straight-forward, simple, and quick. Very efficient, and keeps mistakes down. Rip.exe can also be incorporated into a batch file, to further enhance processing and reduce an analyst's interaction with the data even further.