Wednesday, January 30, 2019

RegRipper

I recently tweeted that, as far as I'm aware, Nuix's Workstation/Investigator product is the only commercial product that incorporates RegRipper, or RegRipper-like functionality.

Brian responded to the tweet that both OSForensics and OpenText include the capability as well. The OSForensics page states that the guide was written using RegRipper version 2.02, from May, 2011, making it really quite old. For OpenText, the page states that the EnScript for launching RegRipper had been downloaded 4955 times, but is no longer supported.  Also, the reference to RegRipper, at the old Wordpress site, tells us that it's pretty dated.

As such, that leaves us right were we started...Nuix Workstation is the only commercial product that incorporates the use of RegRipper, or some similar functionality.  Here's the fact sheet that talks about the extension, and here's where you can get the extension itself, for free.  Finally, here's a Nuix blog post that describes not only the RegRipper extension, but the Yara extension (also free), as well.

Okay, full disclosure time...while I was employed at Nuix, I helped direct the creation of the RegRipper extension, as well as updating the Yara extension.  I didn't do the programming...that was something provided by Daniel Berry's team.  The "two Jasons" did a fantastic job of taking my guidance and turning it into reality.  Shoutz and mad props to the Juicy Dragon and his partner in crime, and their boss (Dan).

The RegRipper extension looks at each Windows evidence item, and "knows" where to go to get the Registry hives.  This includes knowing, based on the version of Windows, where the NTUSER.DAT and USRCLASS.DAT files are located. It will also get the AmCache.hve file (if it's in that version of Windows), the NTUSER.DAT hives in the Service Profiles subfolders, as well as the Default hive file within the system32\config folder.  Automatically.

And it will run the appropriate RegRipper profiles against the hives. Automatically.

And it will incorporate the output from RegRipper, based on the evidence item and file parsed, right back into the Nuix case as a separate evidence item.  Automatically.

Let's say you have multiple images of Windows systems, all different versions.  Run the RegRipper extension against the case, and then run your keyword searches.  This can be extremely critical, as there is data within the Registry that is ROT-13 encoded, as well as ASCII strings that are encoded as hexadecimal character streams that various RegRipper plugins will decode, making the data available to be included in your searches.

The Yara extension is equally as powerful.  You select the path you want scanned, whether you want descendants (yes, please!) and the rule file(s) you want included, and let it go.  All of the findings are included as tagged items directly back into your case.

Want to give it a shot?  Go here, and download the image from challenge #1, the web server case.  Add the image file as an evidence item to a Nuix case, and then run the RegRipper extension.  Then, use the Yara extension to run Yara rule files that look for web shells across the web server folder and all descendants.  In this case, the web server folder is not C:\inetpub.

RegRipper was released almost 11 yrs ago. I've been told time and time again that a lot of people "use" it.  I have no stats, nor any real insight into this, but what it means to me is that a lot of people download it, and run it "as is" without getting the full benefit from the tool.

I guess I'm really amazed that in all this time, there hasn't been a concerted effort to incorporate RegRipper, or a RegRipper-like capability, directly into a commercial tool.

6 comments:

Darksider9 said...

Harlan,

Another great post and thank you for bringing this to light to the community at large. I know a vast number of people that use RegRipper as a staple to their investigations, but as you pointed out "as is". I have found it much more useful to run the particular plugin I need for the data that I am looking for in the moment, not terribly difficult and I get what I need.

I have employed the "shotgun" approach, if you will, when I haven't found anything fruitful and I am more grasping at straws. It have been successful and failed in equal parts, so I don't really find it all that useful of a tactic.

I think if more people requested the feature for RegRipper be included in their particular toolset you would see it gain more traction, but I would be remiss to think people are so used to using it as a stand alone tool , having it incorporated wouldn't increase the efficiency of their workflow. I definitely can see the value and thank you for incorporating it at NUIX, now lets hope they keep up with it.

Again, another great post and enlightening to boot!

Darksider9

David said...

There is also Volatility-workbench,
https://www.osforensics.com/tools/volatility-workbench.html
Updated in 2018 and is Open source. So not really commercial.

In my opinion, the licensing issue is the main factor stopping wider use. If wider use is the goal this is the first thing to change. Maybe the MIT License would be better?

That and the fact that,

A) It is really slow to execute, even on fast hardware. It really needs a rewrite to use threading and other modern techniques. I suspect we could get 10x the performance with a rewrite. We are happy to help with this if you want.

B) It is complex and nearly impossible to use without extensive training. Even once you get some output, the significant of that output is well beyond the comprehension of most people.

C) It is often out of date, or you think it is, as guessing the right profile is really painful. We tried to improve this with .CFG files to store the profile and KDBG with the memory image.

D) If is somewhat difficult to get working memory images (especially on Mac). We put up some public samples on the link above. Feel free to distribute them.

David
PassMark Software

Unknown said...

> Go here, and download the image from challenge #1

I am interested, where exactly please ?

H. Carvey said...

Jean-Christophe,

Link fixed, thanks.

H. Carvey said...

David,

> There is also Volatility-workbench,

Okay, but I'm not seeing the connection.

I'm not seeing what your comments regarding Volatility have to do with the post. Can you clarify that a bit?

Thanks.

H. Carvey said...

Darksider9,

> I think if more people requested the feature...

I'm with you, I think that's the case.

While no users specifically requested that RegRipper be incorporated into the Nuix Workstation product, we saw the value of doing so, and tried to do so in an as-comprehensive manner as possible. I honestly believe that the end result, along with the inclusion of Yara, has significant value to the users.

Thanks.