Tuesday, April 12, 2011

Using RegRipper

I've received a couple of questions about RegRipper and it's use, and I thought that I'd take the opportunity to provide some more information about the use of this free, open source tool.

First, let me say that Windows Registry Forensics (WRF) is something of a user guide for RegRipper.  I found that even though I had provided a PDF document and several blog posts that talked about how to use RegRipper, and answered a lot of questions in various lists and forums, there were still questions and some confusion.  In fact, in most cases, there seem to be the same questions again and again. In an attempt to address this situation, I thought that perhaps writing a bit more extensive user guide for RegRipper and providing it in one location, in WRF, would be useful.

An example of the questions I receive have to do with getting the UserAssist data from an NTUSER.DAT hive file collected from one of the versions of Windows.  As it says on pg. 185 of WRF, the userassist.pl plugin was written specifically for Windows XP systems, while the userassist2.pl plugin was written to work on all versions of Windows.  There is also a third RegRipper plugin, win7_ua.pl, which was written in 2008 in response to the use of Vignere encryption (vice ROT-13) of the value names in Windows 7 Beta.  So, if you want to get UserAssist information from any version of Windows, except Windows 7 Beta, you can use userassist2.pl.

Terminology
In short, RegRipper runs plugins, which are simply Perl scripts (the files that end in ".pl") located in the ".\plugins" directory of the installation.  You can run a list of plugins against a hive file by selecting a plugins file or "profile", which is a flat text file, with NO extension, that has the plugins listed in order.  Within the profile, lines that begin with "#" are treated as comment lines and skipped...this allows you do comment out specific plugins or add your own documentation.

So, again...RegRipper (both the GUI and the CLI "rip") are similar to the Nessus vulnerability scanner, in that it is simply an engine that runs plugins.  The "plugins" are Perl scripts located in the ".\plugins" directory...files that end in the ".pl" extension.  If you want to run more than one plugin against a particular hive at a time, you can create a "plugins file" or "profile", which is a file with NO extension located in the ".\plugins" directory; this file is simply a text file that contains a list of plugins to be run, in order, with one plugin (drop the ".pl" extension from the plugin name) listed on each line.  You can comment the profile using "#"...RegRipper ignores lines that start with this character.

Listing Plugins
To get a list of plugins (files with ".pl" extension located in the ".\plugins" directory), there are a couple of things you can do.  The package shipped with WRF, as well as provided online, includes the Plugin Browser, a GUI means not only for seeing details about the available plugins, but also building or editing profiles.  Or, if you like, you can run the following command from the command line:

C:\tools>rip -l

This command will provide a list of plugins right to STDOUT.  Another option, to provide you with the same information in .csv format, would be to use the following command line:

C:\tools>rip -l -c > plugins.csv

Just open the resulting file in Excel or your favorite spreadsheet application, and sort to your heart's content!

Another thing...if you have any questions about the syntax for rip.pl/.exe, simply type the following command at the command prompt:

C:\tools>rip

or

C:\tools>rip -h

Other switches ("/?") will also work, as well.  And hey, if worse comes to worse and you just don't like the command prompt, open the rip.pl file in Notepad or a text editor!  ;-)

Reporting Issues
When you do have what appears to be an issue, sometimes it's very helpful to look at a couple of things first.  You can actually do a bit of troubleshooting on your own, and it doesn't require any programming ability to do so.  When I first released RegRipper back in 2008, several people I knew ran it against the live NTUSER.DAT on their system.  Don't do that...RegRipper is intended for "dead box analysis", meaning that it's designed to be run against hive files extracted from other systems, not against the hives from the system you're currently logged into.  Others ran it against hive files from the systemprofile directory, and one person even ran it across a file named "NTUSER.DAT" that was 256K of zeros.  So, if you have an issue...try looking at the file in a viewer (there's an excellent free one listed in WRF).  Maybe the reason the plugin is telling you that a key or value doesn't exist is because...well...it doesn't exist (or RegRipper can't find it in the provided path).  Also, look at the version of Windows you're running the plugin against.  Where this can be important is, for example, the UserAssist data, as the UserAssist subkeys (those listed between the UserAssist and Count keys) are different from XP to Windows 7.  Another one is the ACMru key...running the acmru.pl plugin against a Windows 7 NTUSER.DAT won't reveal any information, as that key isn't used on Windows 7.

If, at this point, you still can't figure out what the problem is, please feel free to contact me, and include a concise, thorough description of the issue.  For example, please be sure to include the version of Windows from with the hive was acquired, which hive you're working with, and which plugin you used.  If possible, please provide a copy of the hive.  Also, there are several plugins that are now available that I didn't write, so it might also be a good idea to provide the plugin itself.

Finally, remember...RegRipper is free, and open source.  This means that you can write your own plugins (WRF explains how...) and you can see what various plugins do simply by opening them in a text editor.  Many of the plugins I wrote and provided with the distribution contain links to references in the comments of the plugin, which can be very useful for validation, and even just as general interest.  I know a lot of folks are going to say, "...but I don't program, nor do I understand Perl...", and that's okay...in many cases, there is some plain English in the comments of the plugin that tell you what it's trying to do.

A great big THANKS to Brett Shavers for setting up and maintaining the RegRipper.net site.

8 comments:

Anonymous said...

Harlan, Thank you for all the continued support and clarity that you provided to this VERY useful tool. MUCH appreciated as it makes my life much more pleasant AND effecient as a DFI.

Brian.

Anonymous said...

Thanks Harlan!

Sachin

Phil Rodokanakis said...

Harlan:

Thanks for the explanation and the support you continue to provide to all of us.

It would be nice if Brett Shavers could provide a hyperlink to this post and any other post on your Blog about RegRipper. I'm afraid that some people may not look at your blog when running into issues with RegRipper when they downloaded from the RegRipper site.

Again thanks for all you do.

Best regards, Phil

H. Carvey said...

Phil,

Have you thought about just reaching to Brett yourself?

Phil Rodokanakis said...

I don't know him other than by reputation...

H. Carvey said...

Okay. But he has an email address...try reaching to him. You might be surprised.

H. Carvey said...

Looks like Brett did it, Phil. I went to RegRipper.net this morning, saw the new location/format, and also saw the link to this blog post.

Was this a result of you asking him?

Anonymous said...

Harlan,

Recommend you change the RegRipper.net hyperlink at the end of this blog post to point to the new/updated link for Brett's website at: RegRipper.wordpress.com

Looks like scammers have already setup shop at the old RegRipper.net domain.