Turning RegRipper into WindowsRipper

Posted by: Matt / Comments: 10

Harlan Carvey has given us a great tool in RegRipper and it’s undeniable that many examiners have found it to be a useful addition to their toolbox. RegRipper has a very specific purpose – parse the Windows registry. With some modification, we can turn RegRipper into WindowsRipper, an extremely powerful Windows triage tool. Using WindowsRipper we can parse much more than just the registry. Read on and watch the video to see just what WindowsRipper could become.

Adam James, a coworker who did the coding for this project, and I took a look at RegRipper and decided it could be morphed nicely into an amazing triage tool. The first thing Adam did was modify RegRipper to work against a mounted drive. You can read his explanation in the previous post, or simply know that his code allows RegRipper to look at a mounted drive, find the Windows installation folder, and walk through all of the user profiles found on the drive, parsing each NTUSER.DAT file. The code was recently posted on the RegRipper.net site.

Using this updated version of RegRipper, we can now ask it to parse some other items within the Windows OS. As a proof of concept, we have RegRipper calling Harlan’s script for LNK file parsing, launching an external GUI program, and also executing a plugin that calls a command line function. This last item will let us launch any other program that has a CLI simply by running a RegRipper plugin.

RegRipper’s current architecture is laid out nicely for becoming a triage tool. When you run RegRipper, you can choose a “plugin” for each specific registry hive. Each plugin consists of numerous modules, which can be run on their own using rip.exe. For instance, looking inside the NTUSER.dat plugin, we see that it runs the following modules.

# List of plugins for the Registry Ripper
#-------------------------------------------
# NTUSER.DAT
logonusername
acmru
adoberdr
aim
applets
fileexts
comdlg32
compdesc
# The controlpanel plugin is intended for Vista systems only
# User hives from systems prior to Vista will show 'not found'
controlpanel
#listsoft
#logon_xp_run
mmc
mndmru
mp2
mpmru
mspaper
officedocs
recentdocs
realplayer6
runmru
tsclient
typedurls
muicache
userassist
user_run
vncviewer
winzip
user_win
winrar
wallpaper
vista_bitbucket

Using this architecture, we can build a plugin that consists of modules for a specific purpose. For instance, in addition to incident response work we also receive HR cases that often involve inappropriate use (typically porn). We could build a plugin called “Inappropriate Internet Use” that calls modules to parse parts of the registry, internet history, and recent internet searches, and to create thumbnail pages of the internet cache. Many of these report items would be created by calling outside executables, bypassing the need to code a custom module. The plugin would look something like this:

# List of plugins for WindowsRipper
#-------------------------------------------
# INAPPROPRIATE INTERNET USE
logonusername
recentdocs
typedurls
recentsearches (calling Nirsoft’s MyLastSearch)
internethistory (calling Pasco)
cachedthumbnails (calling Easy Thumbnails)

Hopefully this example shows the potential that this type of a tool has. We’re even working on a timeline plugin.
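To make the “plugin that calls a command line function” idea concrete, here is an added illustrative plugin (not code from the original post, from RegRipper, or from the WindowsRipper proof of concept) written against the sub layout RegRipper plugins use (getConfig, getShortDescr, pluginmain, ::rptMsg). It assumes the modified rip.pl hands the plugin the mounted drive path instead of a hive file, and the tool path and its /drive switch are placeholders.

```perl
package extcli;
# Illustrative plugin, not RegRipper's own: run an external CLI tool against a
# mounted drive and fold its output into the report through ::rptMsg.
use strict;
use warnings;
use IPC::Open3;
my %config = (hive          => "Mounted drive",   # assumed label for drive-level plugins
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20100523);
sub getConfig     { return %config }
sub getShortDescr { return "Run an external command-line tool against a mounted drive"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();
my $TOOL    = 'C:\\tools\\example_tool.exe';   # placeholder, not a real tool
sub pluginmain {
    my $class = shift;
    my $drive = shift;   # assumed: rip.pl passes the mounted drive path, e.g. F:\
    ::logMsg("Launching extcli v.".$VERSION);
    ::rptMsg("extcli v.".$VERSION);
    unless (-d $drive) {
        ::rptMsg("$drive is not a mounted directory; nothing to do.");
        return;
    }
    # Pass the command as an argument list so the drive path never reaches a
    # shell; an undef error handle merges the tool's stderr into stdout.
    my @cmd = ($TOOL, '/drive', $drive);   # '/drive' is a hypothetical switch
    my ($in, $out);
    my $pid = eval { open3($in, $out, undef, @cmd) };
    unless ($pid) {
        ::rptMsg("Could not start $TOOL: $@");
        return;
    }
    close $in;
    while (my $line = <$out>) {
        chomp $line;
        ::rptMsg("  $line");   # each line of tool output becomes a report line
    }
    close $out;
    waitpid($pid, 0);
    ::rptMsg("$TOOL exited with code ".($? >> 8)) if $? >> 8;
}
1;
```

Dropped into the plugins folder and listed in a plugin file like the one above, this is the pattern a recentsearches or internethistory module would follow, swapping in the real tool and its real output switch.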

With a strong community effort, WindowsRipper could grow based on a large library of custom modules. Users could create their own plugins based on these modules. Some modules could include PhotoRec for file carving, MD5Sum for hashing, many of the Nirsoft.net tools and a host of others. We can launch all of these against a mounted drive and compete with other triage programs such as Drive Prophet.

We recorded a short video of our WindowsRipper proof of concept in action. This video shows RegRipper parsing items other than registry and launching external programs from both the main executable and a custom plugin. View the video here.

What we have done is a rough mockup in just a few hours. The plugins and code we have written aren’t clean enough to be released yet – but they could be. Please let us know your thoughts on turning RegRipper into WindowsRipper. Good idea? Bad idea?

New Website

Posted by: Matt

In the past I have been blogging over at Binary Intelligence, a joint blog shared with co-worker Jim O’Gorman. Both Jim and I have been busy with work and other projects and have somewhat outgrown the site. I wanted a place where it would be easier to post content that included videos, custom scripts and code, and other downloadable items that didn’t work out so well on a site hosted by Blogger.

I’ve imported most of the content from Binary Intelligence over to here, but because of the way the import works every post lists me as the author. Keep in mind that anything written prior to this post (May 23rd) may have been written by Jim. Binary Intelligence will most likely be dormant, but may see a post every now and then.

Hopefully this new format works out as well as I would like it to.

What Can Happen With Just an IP Address

Posted by: Matt / Comments: 1

After the Facebook post last week, much of the backlash consisted of, “Who cares if someone has my IP address? That information is almost always out there.” Well, here is a great example of what someone can do with an IP address.

Here’s something to really think about: I was able to obtain all of the information in this post for 16 cents and by just using an email and IP address from a piece of spam.

Family members, ages, schools, anniversary dates, marriage lengths, hobbies, interests, phone numbers, addresses, property records, property taxes, pictures of their house, pictures of them, pictures of their children and grandchildren, deeds on their house, bankruptcies, employment history, previous addresses, previous creditors, and bits of social security numbers.

I’m pretty sure I’d be able to fake my way through one of those password reset forms… you know, where you set up a “secret question” asking what your dog’s name was, or where you went to school?

Beyond that, I’m fairly confident that at this point, if I were to call his bank and pretend to be him, I could easily pass when they asked me personal questions.