With the "new" release, I thought it would be good to share a couple of tips as to how you can get the most out of RegRipper v3.0. I should note that for the most part, all of these tips are the same things I've recommended for using RegRipper v2.8, as well.
The "Kitchen Sink" Approach
When you take the "kitchen sink" approach and run every available plugin against a hive file, you're going to get a great deal of info back, some of which may not make sense or even apply to the case on which you're working. As such, you're likely going to have questions about some of what you see, and whether it can be applied to the case you're working on. I provided the GUI tool to operate in exactly this manner, because according to many, this is the primary use case, and how RegRipper is most often used. However, what follows are some tips that might be helpful, particularly if you do not want to use this approach.
Check The References
If you have a question about a plugin, feel free to open the plugin in Notepad (I use Notepad++ or UltraEdit) and take a look at the contents, particularly the "header". If you're not sure what a "header" is, it's all the stuff commented out (preceded by '#') at the top of the plugin. If you're using something like Notepad++, the header may appear in a different color, such as green, thanks to syntax highlighting. Very often, the header will contain reference information or URLs that provide insight as to why the plugin was written and how the information returned by the plugin may be applied to specific use cases.
Finding a Plugin
Sometimes, you might want to check and see if there's a plugin that gets some information you're interested in, as it may be helpful to your case. There is no online reference for the plugins; the v2.8 distro contains 386 plugins, and the v3.0 distro contains 248 plugins, so keeping a reference or wiki of some kind is still going to require searching. Further, not all of the plugins look for specific values, but instead get all or most of the values beneath a key, so if you're looking for a specific value name, or some element that may be included in the data, you may not find it.
In order to see if there's a plugin that looks for a particular key or value name, I use the following command:
C:\perl\rr3\plugins>findstr /C:"UseLogonCredential" /i *.pl
...or to find any plugins that reference blog posts from PenTestLabs (hint: there are two), I use the following command:
C:\perl\rr3\plugins>findstr /C:"pentestlab" /i *.pl
If you don't find what you're looking for, ask. Yep, it's that easy. Just ask. Sure, you can go on social media and say, "hey, RegRipper doesn't have a plugin that does this...", and that may very well be true. However, RegRipper was originally designed to be a community-supported project; if you don't find a plugin that does something you need, either write one (Corey Harrell did a lot of that, starting off with simply copy-paste...), or share a request along with some data so that it can be written. In most cases, I've turned a plugin around in an hour or so, with limited data for testing. As time goes on and more data becomes available, the testing improves, and the there may be corresponding improvements in the plugins, as well.
A final note on that thought...when looking for a plugin, spelling helps. Tremendously. You don't even know.
Building Profiles
I know that some folks are of the opinion that the RegRipper GUI doesn't allow you to modify the available profiles, but that is simply NOT the case. In fact, all you need to do to create your own profiles is find the double-secret-monkey-stuff Windows tool called "Notepad". ;-) Really, it's that easy.
A "profile" is a list of plugins that are run by rip.exe, via the "-f" switch. You can use rip to run individual plugins, but if you have a series of plugins that you want to run against a hive, the easiest way, and one that is self-documenting, is to use a profile. To create a profile, just create a text file with no extension, and add the plugins you want to run, one on each line. For example, to build out a profile that lets me check the Software hive for information related to connected USB devices, I'd create a file called "USB-Software" (again, no file extension), and then add the following plugins:
emdmgmt
portdev
volinfocache
That's all it takes. As new information is developed and new plugins become available, I might add some of those plugins to the profile.
RegRipper v2.8
As a final note and just a reminder, I'm no longer supporting RegRipper v2.8. I'll leave the repo up for the time being, but I'll be removing the repo before too long (date TBD).
I hope that someone finds this information useful.
The Windows Incident Response Blog is dedicated to the myriad information surrounding and inherent to the topics of IR and digital analysis of Windows systems. This blog provides information in support of my books; "Windows Forensic Analysis" (1st thru 4th editions), "Windows Registry Forensics", as well as the book I co-authored with Cory Altheide, "Digital Forensics with Open Source Tools".
Pages
▼
Sunday, May 31, 2020
Thursday, May 28, 2020
RegRipper v3.0
I recently released RegRipper v3.0, something I've been working on since Aug, 2019.
I am no longer supporting RegRipper 2.8. I'll leave the repo up for the time being, but I will not be writing plugins to support that version. You can move plugins written for v2.8 to the v3.0 plugins folder, and they will work fine. However, due to modifications in the date output format, the reverse is not true.
What's New?
GUI - The GUI (i.e., rr.exe) no longer makes use of profiles. When you launch the GUI, you'll see what appears in figure 1. Note that you can select the hive, and the output folder for the report, but there is no longer a drop-down for selecting a profile.
Instead, what now happens is that the hive file type is "guessed"/determined, and the tool runs through the entire plugins folder to build a list of all plugins that apply to that hive, and then runs them. All of them. There is no longer any need to maintain a profile for use with the GUI. In the end, the idea of profiles seemed to be just too confusing.
The hive file types that RR "knows" are Software, System, SAM, NTUSER.DAT, USRCLASS.DAT, and AmCache.
However, the capability to run individual plugins and profiles still exists, albeit via the command line tool, rip.exe. More about that later.
Date Format - the date output format has changed. Phill Moore had asked for this via Twitter back in Feb, and more recently, a Github issue had been submitted via the Autopsy Github site. The issue what was submitted asked for date output format IAW ISO 8601, but what was asked for was not, in fact, compliant with ISO 8601. Rather, what they'd asked for was the RFC 3339 profile. That's very likely much more than you wanted to know, so to be brief, the date output format is now:
YYYY-MM-DD HH:MM:SS
Note the space between the date and time...that's what is NOT compliant with ISO 8601, but it is what was asked for. In those instances where the time stamp is equivalent to UTC, I've added "Z" to the date output format.
Plugin Updates - As part of the process of "fixing" all 386 plugins in the 2.8 distro, a good number of them were updated, modified, consolidated, or simply "whacked". In this case, "whacked" means removed from the main distro, moved to a separate folder, and may be addressed at a later date.
At the moment, the 3.0 distro contains 248 plugins. The easiest way to find something specific in the plugins is to use a hidden MS tool called "findstr". Navigate to the plugins folder and type a command such as:
findstr /C:"UseLogonCredential" /i *.pl
...or...
findstr /C:"pentestlab" /i *.pl
If you can't find a plugin that addresses a specific need, then reach out and ask. I recently was provided some information about a key, and some sample data, by a co-worker, and within an hour was able to turn around a fully functional plugin.
RIP - the capabilities of the command line tool have been modified significantly, which you can see from the syntax info below:
Rip v.3.0 - CLI RegRipper tool
Rip [-r Reg hive file] [-f profile] [-p plugin] [options]
Parse Windows Registry files, using either a single module, or a profile.
-r [hive] .........Registry hive file to parse
-d ................Check to see if the hive is dirty
-g ................Guess the hive file type
-a ................Automatically run hive-specific plugins
-aT ...............Automatically run hive-specific TLN plugins
-f [profile].......use the profile
-p [plugin]........use the plugin
-l ................list all plugins
-c ................Output plugin list in CSV format (use with -l)
-s systemname......system name (TLN support)
-u username........User name (TLN support)
-uP ...............Update default profiles
-h.................Help (print this information)
Ex: C:\>rip -r c:\case\system -f system
C:\>rip -r c:\case\ntuser.dat -p userassist
C:\>rip -r c:\case\ntuser.dat -a
C:\>rip -l -c
All output goes to STDOUT; use redirection (ie, > or >>) to output to a file.
copyright 2020 Quantum Analytics Research, LLC
Notice the "-a" switch; this replicates what the GUI does, in that it gets the hive file type, then runs through the plugins folder and finds all plugins that pertain to that hive type, and then runs them. The "-aT" switch does the same thing, but for the timeline (*_tln.pl) plugins. As with the RR GUI, the hive file types that rip "knows" are Software, System, SAM, NTUSER.DAT, USRCLASS.DAT, and AmCache. However, with rip.exe, you can still run the plugins designated for "all" hive types; rlo.pl, null.pl, del.pl, etc., via the command line using the "-p" switch.
Also, you still have the capability to run profiles via rip.exe. This is very useful if you don't want to take a "kitchen sink" approach, but you want to be able to easily run several plugins, such as for a USB playbook.
Caveats
RegRipper is not and never was intended to be an "all knowing" tool. It was intended to be a "good" tool that made people's jobs easier, and the only real way to do that is if analysts provide input. So, rather than saying, "RegRipper doesn't...", why not grab some sample data, attach it to an email and send in a request? I've been pretty good about turning something around within an hour, and more time and more data for testing simply means that the plugin becomes more useful for others, as well.
I haven't seen everything, nor do I know everything. I do not offer myself up as an "expert". This is to say that the available RegRipper plugins are based on either what I've seen or what others have shared with me. For example, I read about Project TajMahal, did some testing, and the printer_settings.pl plugin checks to see if the KeepPrintedJobs property is enabled. But that doesn't mean the everything pertinent to your case is included in a plugin; if that turns out to be the case, I'm more than happy to assist where I can, and were you allow me to do so.
I am no longer supporting RegRipper 2.8. I'll leave the repo up for the time being, but I will not be writing plugins to support that version. You can move plugins written for v2.8 to the v3.0 plugins folder, and they will work fine. However, due to modifications in the date output format, the reverse is not true.
What's New?
Fig. 1: RegRipper GUI |
Instead, what now happens is that the hive file type is "guessed"/determined, and the tool runs through the entire plugins folder to build a list of all plugins that apply to that hive, and then runs them. All of them. There is no longer any need to maintain a profile for use with the GUI. In the end, the idea of profiles seemed to be just too confusing.
The hive file types that RR "knows" are Software, System, SAM, NTUSER.DAT, USRCLASS.DAT, and AmCache.
However, the capability to run individual plugins and profiles still exists, albeit via the command line tool, rip.exe. More about that later.
Date Format - the date output format has changed. Phill Moore had asked for this via Twitter back in Feb, and more recently, a Github issue had been submitted via the Autopsy Github site. The issue what was submitted asked for date output format IAW ISO 8601, but what was asked for was not, in fact, compliant with ISO 8601. Rather, what they'd asked for was the RFC 3339 profile. That's very likely much more than you wanted to know, so to be brief, the date output format is now:
YYYY-MM-DD HH:MM:SS
Note the space between the date and time...that's what is NOT compliant with ISO 8601, but it is what was asked for. In those instances where the time stamp is equivalent to UTC, I've added "Z" to the date output format.
Plugin Updates - As part of the process of "fixing" all 386 plugins in the 2.8 distro, a good number of them were updated, modified, consolidated, or simply "whacked". In this case, "whacked" means removed from the main distro, moved to a separate folder, and may be addressed at a later date.
At the moment, the 3.0 distro contains 248 plugins. The easiest way to find something specific in the plugins is to use a hidden MS tool called "findstr". Navigate to the plugins folder and type a command such as:
findstr /C:"UseLogonCredential" /i *.pl
...or...
findstr /C:"pentestlab" /i *.pl
If you can't find a plugin that addresses a specific need, then reach out and ask. I recently was provided some information about a key, and some sample data, by a co-worker, and within an hour was able to turn around a fully functional plugin.
RIP - the capabilities of the command line tool have been modified significantly, which you can see from the syntax info below:
Rip v.3.0 - CLI RegRipper tool
Rip [-r Reg hive file] [-f profile] [-p plugin] [options]
Parse Windows Registry files, using either a single module, or a profile.
-r [hive] .........Registry hive file to parse
-d ................Check to see if the hive is dirty
-g ................Guess the hive file type
-a ................Automatically run hive-specific plugins
-aT ...............Automatically run hive-specific TLN plugins
-f [profile].......use the profile
-p [plugin]........use the plugin
-l ................list all plugins
-c ................Output plugin list in CSV format (use with -l)
-s systemname......system name (TLN support)
-u username........User name (TLN support)
-uP ...............Update default profiles
-h.................Help (print this information)
Ex: C:\>rip -r c:\case\system -f system
C:\>rip -r c:\case\ntuser.dat -p userassist
C:\>rip -r c:\case\ntuser.dat -a
C:\>rip -l -c
All output goes to STDOUT; use redirection (ie, > or >>) to output to a file.
copyright 2020 Quantum Analytics Research, LLC
Notice the "-a" switch; this replicates what the GUI does, in that it gets the hive file type, then runs through the plugins folder and finds all plugins that pertain to that hive type, and then runs them. The "-aT" switch does the same thing, but for the timeline (*_tln.pl) plugins. As with the RR GUI, the hive file types that rip "knows" are Software, System, SAM, NTUSER.DAT, USRCLASS.DAT, and AmCache. However, with rip.exe, you can still run the plugins designated for "all" hive types; rlo.pl, null.pl, del.pl, etc., via the command line using the "-p" switch.
Also, you still have the capability to run profiles via rip.exe. This is very useful if you don't want to take a "kitchen sink" approach, but you want to be able to easily run several plugins, such as for a USB playbook.
Caveats
RegRipper is not and never was intended to be an "all knowing" tool. It was intended to be a "good" tool that made people's jobs easier, and the only real way to do that is if analysts provide input. So, rather than saying, "RegRipper doesn't...", why not grab some sample data, attach it to an email and send in a request? I've been pretty good about turning something around within an hour, and more time and more data for testing simply means that the plugin becomes more useful for others, as well.
I haven't seen everything, nor do I know everything. I do not offer myself up as an "expert". This is to say that the available RegRipper plugins are based on either what I've seen or what others have shared with me. For example, I read about Project TajMahal, did some testing, and the printer_settings.pl plugin checks to see if the KeepPrintedJobs property is enabled. But that doesn't mean the everything pertinent to your case is included in a plugin; if that turns out to be the case, I'm more than happy to assist where I can, and were you allow me to do so.