
Turning RegRipper into WindowsRipper


Harlan Carvey has given us a great tool in RegRipper and it’s undeniable that many examiners have found it to be a useful addition to their toolbox. RegRipper has a very specific purpose – parse the Windows registry. With some modification, we can turn RegRipper into WindowsRipper, an extremely powerful Windows triage tool. Using WindowsRipper we can parse much more than just the registry. Read on and watch the video to see just what WindowsRipper could become.

Adam James, a coworker who did the coding for this project, and I took a look at RegRipper and decided it could be morphed nicely into an amazing triage tool. The first thing Adam did was modify RegRipper to work against a mounted drive. You can read his explanation in the previous post or simply know that his code allows RegRipper to look at a mounted drive, find the Windows installation folder and walk through all of the User profiles found on the drive parsing each NTUSER.dat file. The code was recently posted on the RegRipper.net site.

Using this updated version of RegRipper, we can now ask it to parse other items within the Windows OS. As a proof of concept, we have RegRipper calling Harlan’s script for LNK file parsing, launching an external GUI program, and executing a plugin that calls a command-line program. This last item lets us launch any other program that has a CLI simply by running a RegRipper plugin.

RegRipper’s current architecture is laid out nicely for becoming a triage tool. When you run RegRipper, you choose a “plugin” for each specific registry hive. (RegRipper’s own documentation calls this per-hive list a plugins file and calls each entry in it a plugin; this post uses “plugin” for the list and “module” for each entry.) Each plugin consists of numerous modules, which can also be run individually with rip.exe (rip.exe -r <hive> -p <module>). For instance, looking inside the NTUSER.dat plugin, we see that it runs the following modules.

# List of plugins for the Registry Ripper
#-------------------------------------
# NTUSER.DAT
logonusername
acmru
adoberdr
aim
applets
fileexts
comdlg32
compdesc
# The controlpanel plugin is intended for Vista systems only
# User hives from systems prior to Vista will show ‘not found’
controlpanel
#listsoft
#logon_xp_run
mmc
mndmru
mp2
mpmru
mspaper
officedocs
recentdocs
realplayer6
runmru
tsclient
typedurls
muicache
userassist
user_run
vncviewer
winzip
user_win
winrar
wallpaper
vista_bitbucket

Using this architecture, we can build a plugin that consists of modules for a specific purpose. For instance, in addition to incident response work we also receive HR cases that often involve inappropriate use (typically porn). We could build a plugin called “Inappropriate Internet Use” that calls modules to parse parts of the registry, internet history and recent internet searches, and to create thumbnail pages of the internet cache. Many of these report items would be produced by calling outside executables, bypassing the need to code a custom module. The plugin would look something like this:

# List of plugins for WindowsRipper
#-------------------------------------
# INAPPROPRIATE INTERNET USE
logonusername
recentdocs
typedurls
recentsearches (calling Nirsoft’s MyLastSearch)
internethistory (calling Pasco)
cachedthumbnails (calling Easy Thumbnails)

Hopefully this example shows the potential that this type of a tool has. We’re even working on a timeline plugin.
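To make the dispatch idea concrete, here is an added example that is not code from the post or from RegRipper (which is written in Perl): a Python sketch of the loop a WindowsRipper would need. Given a mounted drive it locates the Windows folder, walks both Vista-style and XP-style profile roots for NTUSER.DAT hives, reads a RegRipper-style plugins file (one entry per line, `#` comments), and runs each entry either as an in-process parser or as an external command-line tool, the way the “Inappropriate Internet Use” list above would shell out to Pasco or MyLastSearch. The plugin names, the `{python}`/`{hive}`/`{profile_dir}` placeholders and the sample drive layout are all assumptions made for the example; the external tool names are placeholders, not real invocations of those tools.

```python
"""Added example (not the post's or RegRipper's code): a Python sketch of a
WindowsRipper dispatch loop over a mounted drive.  All names are hypothetical."""
import shlex
import subprocess
import sys
import tempfile
from pathlib import Path

WINDOWS_DIRS = ("Windows", "WINNT")                    # Vista+/XP vs. 2000 install names
PROFILE_ROOTS = ("Users", "Documents and Settings")    # Vista+ vs. XP profile roots
RECENT_DIRS = ("AppData/Roaming/Microsoft/Windows/Recent", "Recent")  # Vista+ vs. XP


def find_windows_dir(drive):
    """Return the Windows installation directory on the mounted drive, or None."""
    for name in WINDOWS_DIRS:
        candidate = Path(drive) / name
        if (candidate / "System32").is_dir():
            return candidate
    return None


def find_user_hives(drive):
    """Map profile name -> NTUSER.DAT path for every profile that has one.
    The hive name is matched case-insensitively; profiles without a hive
    (e.g. Users/Public) are skipped."""
    hives = {}
    for root in PROFILE_ROOTS:
        root = Path(drive) / root
        if root.is_dir():
            for profile in sorted(p for p in root.iterdir() if p.is_dir()):
                for entry in profile.iterdir():
                    if entry.is_file() and entry.name.lower() == "ntuser.dat":
                        hives[profile.name] = entry
    return hives


def parse_plugins_file(text):
    """RegRipper-style plugins file: one module per line, '#' starts a comment,
    so a leading '#' (as in '#listsoft') disables an entry."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.append(line)
    return names


def recentlnk(profile_dir, hive):
    """In-process module: list the .lnk shortcuts in the profile's Recent folder."""
    for rel in RECENT_DIRS:
        recent = profile_dir / rel
        if recent.is_dir():
            return sorted(p.name for p in recent.glob("*.lnk"))
    return []


# Dispatch table: a callable runs in-process; a string is an argv template for an
# external tool.  'hiveinfo' uses the Python interpreter as a stand-in CLI tool;
# 'internethistory' is a placeholder for a real parser such as Pasco.
PLUGINS = {
    "recentlnk": recentlnk,
    "hiveinfo": '{python} -c "import os,sys;print(os.path.getsize(sys.argv[1]))" {hive}',
    "internethistory": "pasco-placeholder {profile_dir}/index.dat",
}


def run_plugins(drive, plugin_names, timeout=60):
    """Run each named module against every user hive on the drive.  A missing or
    failing external tool is recorded for that module instead of aborting the run."""
    results = {}
    for profile, hive in find_user_hives(drive).items():
        results[profile] = {}
        for name in plugin_names:
            target = PLUGINS.get(name)
            if target is None:
                results[profile][name] = "error: unknown plugin"
            elif callable(target):
                results[profile][name] = target(hive.parent, hive)
            else:
                # Split the template first, then substitute per token: a path with
                # spaces stays one argv entry, and no shell is involved, so a hostile
                # profile name on the evidence drive cannot inject commands.
                argv = [tok.format(python=sys.executable, hive=hive, profile_dir=hive.parent)
                        for tok in shlex.split(target)]
                try:
                    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
                    results[profile][name] = (proc.stdout.strip() if proc.returncode == 0
                                              else f"error: exit {proc.returncode}")
                except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
                    results[profile][name] = f"error: {exc.__class__.__name__}"
    return results


# Constructed sample plugins file in the post's format (not a real RegRipper file).
SAMPLE_PLUGINS_FILE = """# List of plugins for WindowsRipper
#-------------------------------------
# INAPPROPRIATE INTERNET USE
recentlnk
hiveinfo
#internethistory
"""


def make_sample_drive():
    """Constructed sample drive: one Vista-style and one XP-style profile with
    dummy 64- and 32-byte hives, plus a profile directory with no hive at all."""
    drive = Path(tempfile.mkdtemp(prefix="wr-"))
    (drive / "Windows" / "System32").mkdir(parents=True)
    alice = drive / "Users" / "alice"
    (alice / "AppData/Roaming/Microsoft/Windows/Recent").mkdir(parents=True)
    (alice / "AppData/Roaming/Microsoft/Windows/Recent/budget.xlsx.lnk").write_bytes(b"L")
    (alice / "NTUSER.DAT").write_bytes(b"regf" + b"\0" * 60)
    bob = drive / "Documents and Settings" / "bob"
    (bob / "Recent").mkdir(parents=True)
    (bob / "ntuser.dat").write_bytes(b"regf" + b"\0" * 28)
    (drive / "Users" / "Public").mkdir()
    return drive


if __name__ == "__main__":
    drive = make_sample_drive()
    print("Windows dir:", find_windows_dir(drive))
    for profile, modules in run_plugins(drive, parse_plugins_file(SAMPLE_PLUGINS_FILE)).items():
        print(profile, modules)
```

Two practical caveats follow from the design. First, a plugins file that names external executables is a list of programs to run on the examiner’s machine, so the plugin lists and the tool binaries belong on read-only media with known hashes. Second, profile names and file paths come from the evidence drive and are untrusted input; passing them through a shell (`shell=True`, string concatenation into a command line) would let a crafted directory name run commands on the triage box, which is why the sketch builds argv token by token and never invokes a shell.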

With a strong community effort, WindowsRipper could grow based on a large library of custom modules. Users could create their own plugins based on these modules. Some modules could include PhotoRec for file carving, MD5Sum for hashing, many of the Nirsoft.net tools and a host of others. We can launch all of these against a mounted drive and compete with other triage programs such as Drive Prophet.

We recorded a short video of our WindowsRipper proof of concept in action. This video shows RegRipper parsing items other than registry and launching external programs from both the main executable and a custom plugin. View the video here.

What we have done is a rough mockup put together in just a few hours. The plugins and code we have written aren’t clean enough to be released yet, but they could be. Please let us know your thoughts on turning RegRipper into WindowsRipper. Good idea? Bad idea?

12 Comments

H. Carvey

June 1, 2010


Great work, guys! Working on a post now to point folks here…

F. Querceto

June 4, 2010


I think this is a **VERY** good idea that can be really useful for any forensicator.
Hope you will release something soon … maybe some other people could give help
to make this project go.

Thanks

Matt C

June 4, 2010


We are working on cleaning up the code, making it more efficient, and setting up a project page. I’ll post updates next week. Thanks for all the interest.

Pasquale

June 4, 2010


Congrats, it’s a really great job!!!
I’m also willing to give my small contribution with the code if it’s needed :-)

Robert

June 5, 2010


Great stuff… this works well (or will work well) with a WinFE boot disk for Triage.. I love the fact that your goals seem to be targeting what an Investigator will need on scene.

What I would love is a Script that will dig through the file system, find any *.Props files (for P2P investigations), maybe display the GUID in those files, and maybe collect a list of all the MPG/AVI files on the system..all in one quick script.
Great for On-Scene interviews with the subject..

Just a thought..

Thanks for your work!
Rob

Matt C

June 6, 2010


Hey Rob, thanks for the comments. We’ll take a look and see what P2P parsing items we can come up with. I’ll go search my IACIS archives and see if there is anything pre-made out there we can use.

Camelot

June 9, 2010


This is great stuff!! I would love to see a plug-in to quickly parse the windows prefetch directory.

Matt C

June 10, 2010


Thanks for the comments, Camelot. We already have a working plugin for Prefetch and are still getting everything ready for a release.

Debbie

June 14, 2010


Excellent work! I can’t wait to try this, there is always a need to triage on scene as there are such limited resources “back at the lab”.

João Carvalho

June 15, 2010


This is fantastic job!! I would love to see a plug-in to quickly parse IM!
thanks for the great work!

Alfonso

July 24, 2011


Great job!
Is there a place where I can download the WindowsRipper shown in the video?

Sabrina Carliss

August 15, 2011


Hey Matt,
Really liked the post on Turning WebRipper into WindowsRipper. Would it be OK with you if I used a portion of it and cited back? My writing team should be completing a new blog post on a similar topic in the near future.

Thanks much.
Sabrina K. Carliss
The secret to creativity is knowing how to hide your sources
