RegRipper download

I received copies of Windows Forensic Analysis 4/e tonight, and I’ve been working on the download for the materials that accompany the book.  Part of those materials include an update to RegRipper, which is now available here.

There’s an update.txt file in the archive that tells you what’s been updated, and when.  This is pretty much just an update to the plugins (and profiles, of course).  As such, I’m not going to talk much here about what’s new in this archive, but I will say this…if you have any questions, be sure to email me.

I will say this, though…I have some updates planned for RegRipper.  Basically, based on some feedback I’ve received, I’m going to update RegRipper to provide…where appropriate…the “normal” or default output that you see from plugins now, but also…again, where appropriate…TLN, CSV, and bodyfile output.  This will primarily be available through rip.exe at first, and it will not affect batch files that are currently in use.

Something I wanted to add…a couple of folks have provided plugins, and I wanted to thank them for doing so.  I’m not sure that they want their names known, so I’ll just say “thank you” for supporting RegRipper.

 

RegRipper Download

Recently I received a couple of emails from folks who said that they tried to download RegRipper via the Dropbox link, only to find that there was nothing available.

I recommend that if you’re interested in downloading RegRipper, try here.

What the…?

Sometimes when running RegRipper, you may run into a situation where something doesn’t look quite right, or you may have a question about what you’re seeing (or not seeing, as the case may be).  Sometimes the data that you’re looking at may have a different context that what you’re used to (likely based on the version of Windows), and you’ll need to get some clarification.

There are a couple of very simple things that you can do in order to address these situations…

Troubleshoot – Start by doing some troubleshooting, because “it doesn’t work” isn’t really all that helpful when it comes to seeking assistance.  Did you run the plugin against the correct hive?  If you’re not seeing something that you expect to see, is that data actually resident in the hive?  Is the key there, and are the values you expect beneath the key?  Did you open the hive in a viewer and see the data?

When RegRipper was first released, I received one of those lovely, “it doesn’t work” emails (and that’s ALL it said…) from a co-worker, and it turned out that there was something amiss in the process they’d used to extract the hive files from the image; when extracted, the files were all 0’s.  That’s right…something about how the files had been extracted resulted in the files being completely filled with zeros, to the point where they didn’t even contain the ‘regf’ file header.  Opening the hive file in a viewer or even just a hex editor would’ve shown this, and obviated the need for 20 questions.

If the RegRipper output for a plugin says “key not found” or doesn’t show the data that you expect to see, try opening the hive file in a viewer to see if the data is actually there.

If you opt to follow the next option, a lot of what was addressed in this section will end up as questions in the next one.

Ask – The easiest way to get help with something regarding RegRipper is to ask.  But don’t ask by posting to social media in hopes that someone will see your question and be able to answer it.

Some social media doesn’t provide enough space to ask an effective question.  Really, 140 characters isn’t much space for asking an effective question.  I’m not on all social media, and I’m not always on social media, in general.  However, I do provide my email address in the headers of the all of the plugins I’ve written.  If you don’t understand Perl and don’t program, that’s okay…just open a plugin in NotePad and you’ll see my email address.

Don’t be afraid to ask questions…you’d be surprised how many other analysts may have the same question, or a similar one.  I see this all the time with general computer stuff…I’ll start typing a question into Google, and before I get too far, the search bar auto-populates with my question.  It’s highly likely that you won’t be the only person to ever have had that question, so ask it.

This also works great if there’s some functionality that you’d like to see…such as parsing AppCompatCache data from Windows 8/8.1 systems.  One analyst shared some sample data from test systems, and I was able to update the plugin for both 32- and 64-bit systems, but that update is based on a very limited data set.  If there’s some new functionality you’d like to see in a plugin, or a new plugin all together, all that’s needed is a concise description of what you’re looking for and some sample data for testing.  That’s it.

Oh, and “make RR do XML output” isn’t concise…I say that because I see that one a lot, but when I ask for a stylesheet or format (that goes for .csv output, as well), I’ve never heard back.

I hope this helps analysts looking into Registry analysis and using RegRipper.  RegRipper can be a powerful tool when performing Registry analysis…the real power of the tool will come from collaboration with other analysts in order to expand the functionality of the tool and extend analysts’ knowledge of the Registry.

If you’re new to Registry analysis in general, check out Windows Registry Forensics, or these courses (here, and here) at the Hacker Academy, produced by Andrew Case.

What is RegRipper?

One consistent aspect of RegRipper that I’ve seen over the years since it was released is that most analysts who use the tool don’t really use it to it’s fullest extent and potential possible, and that this is likely due to not really knowing what RegRipper is, or how it was intended to be used.  This likely also comes from the fact that, for many, the Windows Registry is still a bit of a mystery when it comes to incorporating data from the Registry into an overall examination.  This is another topic that we’ll address in later posts, but for now, we’ll address the question, what is RegRipper?

Free - Yes, I know that this is rather obvious, but I hear this answer pretty often in response to the question.  This one is pretty clear, and doesn’t require much explanation.

Open Source – RegRipper is open-source, which means that you can look at the code and see what it does.  Dan did this when he conducted his shellbag analysis.  Even analysts who don’t program, or don’t program in Perl, can open the code in an editor (even Notepad), walk through it and get enough of an idea of what’s going on to be able to see what it’s doing.  If nothing else, I usually include my email address in the headers of the code that I write, so it’s pretty easy to contact me with the plugin name, version, and line number that you’re interested in.

Registry Parser – Yes, RegRipper is a Registry hive file parser, but it is not a viewer like the native Registry Editor, or MiTeC’s WRR.  Instead, RegRipper can parse through subkeys, display the contents of a single key, or display the data associated with a specific Registry value.  It’s more targeted and surgical than a viewer, and it allows analysts to parse value data, as well (i.e., parse a binary data stream into its constituent elements, decode ROT-13 encoding, etc.).

Extensible – RegRipper can be easily extended, by simply writing a plugin.  RegRipper was designed to be a platform that would be expanded and extended by the DFIR community.  RegRipper was not designed and is not maintained by a commercial entity with a group of analysts and researchers; rather, the real value and true power of RegRipper comes from analysts who use it, and want to make it better.

Community-based – From the beginning, RegRipper was intended to be extended based on the needs of the DFIR community.  Some folks have written plugins, and at one point, someone even wrote a tool to produce RegRipper plugins.  Now, not everyone’s a programmer, and that’s fine…several of those who’ve written their own plugins have started by copying currently available plugins.  Others, like Corey Harrell, have extended RegRipper through the use of a batch file (auto_rip.pl).  If this is beyond your capabilities as well, then that’s okay…if you find something that you need a RegRipper plugin to do, all you have to do is contact me with a concise description of what you’re looking for, and some sample data.  This second part…the sample data…is critical, as the plugin needs to be tested, and the more data that’s available, the plugin will be more accurate and more useful to a wider range of analysts.  The ares.pl plugin came out of a need by LE, but was developed with very little test data, so it’s capabilities are likely very limited with respect to the data that’s available.

RegRipper was never intended to be able to do everything…instead, it was designed to be a platform to do one thing; targeted data extraction from Registry hive files.  RegRipper plugins can parse, correlate and display data, but it is up to the analyst to understand how that data is correctly interpreted and incorporated into their analysis.  As such, RegRipper is much, much more than just a GUI with a couple of buttons on it that, when clicked, produces output.  This is due to the fact that the Registry is a veritable gold mine for analyst; there is an incredible amount of data that can significantly impact the direction of your examination.

If you have questions or comments about RegRipper, thoughts on things that might be added to improve RegRipper’s capabilities, please free free to contact me.

Get RegRipper!

RegRipper and WFA Downloads

Download from Github below.

https://github.com/keydet89