Wednesday, July 26, 2023
Thoughts on Tool Features
Not long ago, some exchanges and conversations led me to do something I'd never done before...post a poll on LinkedIn. These conversations had to do with whether or not analysts and practitioners within the industry felt there was adequate value proposition to incorporate RegRipper in to a commercial forensic suite. No conditions, no specific goals or outcomes, just "is this something that makes sense?" As you can see from the poll, the responses (the few that there are) are pretty much 4:1 in favor of the idea.
I posted the poll because when I asked a vendor for their thoughts, the response was, "...none of our users have asked for it." Another vendor responded with:
...we need to focus on two things - what customers tell us they want (preferably things that are both powerful and unique), and what helps us in significant ways in our own casework.
There have been times we go pretty far out on a limb in terms of functionality we think people will want, and no one gives a shit.
From a user perspective, some of the feedback from the poll, as well as from other conversations and exchanges, indicates that some users feel that vendors should take charge of providing "needed" functionality without being asked.
This really seems like two diametrically opposed views on the subject, with the vendor side saying, "we rely on our users to tell us their needs", and the users saying, "we rely on our vendors to guide our investigations."
In 2020, I presented at OSDFCon on effectively using RegRipper. On pg 3 of the linked PDF, in the second slide, there are several thoughts I had regarding possible useful updates to RegRipper, including adding MITRE ATT&CK mapping, Analysis Tips, and reference URLs to the plugin output. I did not receive any feedback to this presentation, either during or following the presentation itself. No, "hey, this is a great idea!", and no, "OMG, this is the dumbest thing I've ever heard." However, I felt that these were things that I would find useful in the tool, and since other analysts didn't seem to be interested, I set about creating my own internal repo of RegRipper v4.0, or "Pro". This has become the tool I use, update, and continue to develop. In fact, earlier this year, I started in the first steps of creating plugins with JSON output, starting with the appcompatcache.pl plugin.
Back around 2007, I started developing what became RegRipper because none of the tools I had access to at the time, either commercial or free, provided the capability I needed for the work I was doing and the process I was developing. I opted to create a tool in the model of Nessus (i.e., plugins) so that I could easily update the tool without completely rewriting it. I developed the tool so that I could run individual plugins, or "profiles", which are designated groups of plugins that can be run in support of a playbook. I later added the ability to run all available plugins as it seemed to be how most folks were wanting to use the tool anyway.
The idea of "profiles", while I thought it would be an incredible capability, never caught on. You could run "profiles", or analysis playbooks based on file access, USB device usage, etc. I know that there are commercial tools out there that have these capabilities, but what RegRipper provided me was the ability not only to pick and choose, but to also update the tool with new plugins, new capabilities and functionality, with minimal turn-around time. I've had a few instances over the years where folks have reached out and asked for assistance, provided test data, and I've been able to turn around a working plugin in under an hour.
This is what I wanted for the community...for folks using the tool to find something they hadn't seen before, something new, and add to the tool. Unfortunately, that really never caught on, and to some extent, now I know why.
The question becomes, where do you stand? Do you think that vendors providing commercial forensic suites should drive investigations based on the features they provide, or should analysts and investigators be the ones who drive their investigations, and look for the right tool, or correct too usage?
Posted by H. Carvey at 8:08 PM