Harlan Carvey's RegRipper, available at http://code.google.com/p/regripper/, is a fantastic tool for getting data quickly out of the registry, whether you are doing incident response or forensics. In essence, it produces reports based upon pre-canned registry searches. All you need to do is give it the registry file you want to review, give it a location for the report, and select the type of registry file. Then push a button.
RegRipper uses plugins to extract information out of the registry files. Each plugin has been created to handle the data that is stored in the registry key it has been set up to review. For example, plugins will decode ROT-13 encoded data and translate binary data to ASCII.
RegRipper creates two files when it runs. The first is the report file that contains the output of the plugins that were run against the registry file. The second is a log file that contains the dates, times, plugins run, and the number of errors that occurred with the plugins. The log file name is based on the report file name minus the extension.
Here is a small excerpt from a system registry file:
ComputerName = testbox
----------------------------------------
ControlSet002\Control\Windows key, ShutdownTime value
ControlSet002\Control\Windows
LastWrite Time Mon Jan 19 23:03:52 2009 (UTC)
ShutdownTime = Mon Jan 19 23:03:52 2009 (UTC)
----------------------------------------
ShutdownCount
ControlSet002\Control\Watchdog\Display
LastWrite Time Mon Jan 19 23:03:52 2009 (UTC)
ShutdownCount = 218
----------------------------------------
TimeZoneInformation key
ControlSet002\Control\TimeZoneInformation
LastWrite Time Sun Nov 2 14:14:54 2008 (UTC)
DaylightName -> Eastern Daylight Time
StandardName -> Eastern Standard Time
Bias -> 300 (5 hours)
ActiveTimeBias -> 300 (5 hours)
----------------------------------------
ControlSet002\Control\Terminal Server key, fDenyTSConnections value
LastWrite Time Fri Oct 24 20:53:51 2008 (UTC)
fDenyTSConnections = 1
----------------------------------------
Notice that the output includes the last write times for the registry keys as well as the values under those keys. Keep in mind that all of the time stamps listed in the report file are in UTC.
Using RegRipper under Linux
Using it under Wine
Download Cygwin at: http://www.cygwin.com/
Installing Cygwin:
- wine setup.exe
- On the Select Packages screen, select Perl to be installed.
- Now install.
After Cygwin is installed, unzip the RegRipper download. Then start it with:
# wine rr.exe
Linux Version
There is also a Linux version available at Daniele Murrau's website: http://brainstretching.blogspot.com/2008/10/linux-e-regripper.html. Download is at: http://rapidshare.com/files/175773378/regripper_linux.tar.gz
To Install:
- Install Perl on your Linux system if it is not already installed
- perl -MCPAN -e shell
- install Parse::Win32Registry
An example of running it:
# ./rip.pl -r /tmp/1registry/system -f system > /tmp/1registry/reports/system2.txt
The only problem I see with the Linux version is that the plugins will need to be updated from time to time by downloading the Windows version and copying them over to the Linux version.
EDITOR'S NOTE: RegRipper is installed on the latest version of the SIFT workstation by default.
Run from /usr/local/src/regripper:
# perl rip.pl -r <HIVEFILE> -f <HIVETYPE>
Useful options:
-r Registry hive file to parse <HIVEFILE>
-f Use <HIVETYPE> (e.g. sam, security, software, system, ntuser)
-l List all plugins
EXAMPLE:
# cd /usr/local/src/regripper
# perl rip.pl -r /mnt/hack/casename/Windows/System32/config/SAM -f sam > /images/casename/SAM.txt
No need to download and install anything. This has already been updated into SEC508 Computer Forensics, Investigation, and Response as well.
Don't Forget Tool Testing
Lastly, as with any new tool, take the time to test it to make sure that you are getting accurate data. As a forensics examiner it is your responsibility to ensure that your tools are producing accurate data.
Some questions you should be asking when checking the tool:
- How does the data in the reports compare to what is in the registry? Here we are looking to make sure the data reported matches what is actually stored in the registry.
- Do other registry tools report different data? Again, this checks the accuracy of the data between two different tools.
- If you plan on using the Wine or native Linux version: Do you get the same data whether you run it under Windows, Linux with Wine, or native Linux?
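One way to work through the last two questions, as an added example that is not part of the original post or of RegRipper itself: parse RegRipper's plain-text report layout (the divider lines, "LastWrite Time" lines and "name = value" / "name -> value" lines seen in the excerpt above) into records, diff two runs of the same hive field by field, and independently convert a raw 64-bit FILETIME to RegRipper's time format so a decoded ShutdownTime can be checked against the raw value another tool shows. The report excerpts, the second run with one altered value, and the FILETIME for the excerpt's ShutdownTime are all constructed for this example.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed report excerpt in RegRipper's plain-text layout (not real case data).
REPORT_A = r"""ComputerName = testbox
----------------------------------------
ControlSet002\Control\Windows key, ShutdownTime value
ControlSet002\Control\Windows
LastWrite Time Mon Jan 19 23:03:52 2009 (UTC)
ShutdownTime = Mon Jan 19 23:03:52 2009 (UTC)
----------------------------------------
ShutdownCount
ControlSet002\Control\Watchdog\Display
LastWrite Time Mon Jan 19 23:03:52 2009 (UTC)
ShutdownCount = 218
----------------------------------------
"""
# Constructed "second run" over the same hive with one value deliberately altered.
REPORT_B = REPORT_A.replace("ShutdownCount = 218", "ShutdownCount = 217")
SEP = re.compile(r"^-{10,}$", re.M)                  # RegRipper's section divider
LASTWRITE = re.compile(r"^LastWrite Time (.+)$", re.M)
VALUE = re.compile(r"^(\w+) (?:=|->) (.+)$", re.M)   # "name = value" / "name -> value"

def parse_report(text):
    """Map each report section (keyed by its first line) to its LastWrite time and values."""
    sections = {}
    for block in SEP.split(text):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        lw = LASTWRITE.search(block)
        sections[lines[0]] = {"lastwrite": lw.group(1) if lw else None, "values": dict(VALUE.findall(block))}
    return sections

def diff_reports(a, b):
    """Return (section, field, value_a, value_b) for every field that differs between two runs."""
    diffs = []
    for label in sorted(set(a) | set(b)):
        sa, sb = a.get(label, {}), b.get(label, {})
        if sa.get("lastwrite") != sb.get("lastwrite"):
            diffs.append((label, "LastWrite", sa.get("lastwrite"), sb.get("lastwrite")))
        va, vb = sa.get("values", {}), sb.get("values", {})
        for name in sorted(set(va) | set(vb)):
            if va.get(name) != vb.get(name):
                diffs.append((label, name, va.get(name), vb.get(name)))
    return diffs

def filetime_to_rr(filetime):
    """Render a raw 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) in RegRipper's time format."""
    dt = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    return f"{dt:%a %b} {dt.day} {dt:%H:%M:%S %Y} (UTC)"
```

Running diff_reports over the Windows, Wine and native Linux reports of one hive should return an empty list; filetime_to_rr(128768798320000000) (the constructed raw value) reproduces the excerpt's "Mon Jan 19 23:03:52 2009 (UTC)".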
Keven Murphy, GCFA Gold #24, is an IT security manager contracted to a Fortune 100 defense contractor.