One consistent aspect of RegRipper that I’ve seen over the years since it was released is that most analysts who use the tool don’t really use it to it’s fullest extent and potential possible, and that this is likely due to not really knowing what RegRipper is, or how it was intended to be used. This likely also comes from the fact that, for many, the Windows Registry is still a bit of a mystery when it comes to incorporating data from the Registry into an overall examination. This is another topic that we’ll address in later posts, but for now, we’ll address the question, what is RegRipper?
Free - Yes, I know that this is rather obvious, but I hear this answer pretty often in response to the question. This one is pretty clear, and doesn’t require much explanation.
Open Source – RegRipper is open-source, which means that you can look at the code and see what it does. Dan did this when he conducted his shellbag analysis. Even analysts who don’t program, or don’t program in Perl, can open the code in an editor (even Notepad), walk through it and get enough of an idea of what’s going on to be able to see what it’s doing. If nothing else, I usually include my email address in the headers of the code that I write, so it’s pretty easy to contact me with the plugin name, version, and line number that you’re interested in.
Registry Parser – Yes, RegRipper is a Registry hive file parser, but it is not a viewer like the native Registry Editor, or MiTeC’s WRR. Instead, RegRipper can parse through subkeys, display the contents of a single key, or display the data associated with a specific Registry value. It’s more targeted and surgical than a viewer, and it allows analysts to parse value data, as well (i.e., parse a binary data stream into its constituent elements, decode ROT-13 encoding, etc.).
Extensible – RegRipper can be easily extended, by simply writing a plugin. RegRipper was designed to be a platform that would be expanded and extended by the DFIR community. RegRipper was not designed and is not maintained by a commercial entity with a group of analysts and researchers; rather, the real value and true power of RegRipper comes from analysts who use it, and want to make it better.
Community-based – From the beginning, RegRipper was intended to be extended based on the needs of the DFIR community. Some folks have written plugins, and at one point, someone even wrote a tool to produce RegRipper plugins. Now, not everyone’s a programmer, and that’s fine…several of those who’ve written their own plugins have started by copying currently available plugins. Others, like Corey Harrell, have extended RegRipper through the use of a batch file (auto_rip.pl). If this is beyond your capabilities as well, then that’s okay…if you find something that you need a RegRipper plugin to do, all you have to do is contact me with a concise description of what you’re looking for, and some sample data. This second part…the sample data…is critical, as the plugin needs to be tested, and the more data that’s available, the plugin will be more accurate and more useful to a wider range of analysts. The ares.pl plugin came out of a need by LE, but was developed with very little test data, so it’s capabilities are likely very limited with respect to the data that’s available.
RegRipper was never intended to be able to do everything…instead, it was designed to be a platform to do one thing; targeted data extraction from Registry hive files. RegRipper plugins can parse, correlate and display data, but it is up to the analyst to understand how that data is correctly interpreted and incorporated into their analysis. As such, RegRipper is much, much more than just a GUI with a couple of buttons on it that, when clicked, produces output. This is due to the fact that the Registry is a veritable gold mine for analyst; there is an incredible amount of data that can significantly impact the direction of your examination.
If you have questions or comments about RegRipper, thoughts on things that might be added to improve RegRipper’s capabilities, please free free to contact me.