Adam James, a coworker who did the coding for this project, and I took a look at RegRipper and decided it could be morphed nicely into an amazing triage tool. The first thing Adam did was modify RegRipper to work against a mounted drive. You can read his explanation in the previous post or simply know that his code allows RegRipper to look at a mounted drive, find the Windows installation folder and walk through all of the User profiles found on the drive parsing each NTUSER.dat file. The code was recently posted on the RegRipper.net site.

Using this updated version of RegRipper, we can now ask it parse some other items within the Windows OS. As a proof of concept, we have RegRipper calling Harlan’s script for LNK file parsing, launching an external GUI program, and also executing a plugin that calls a command line function. This last item will let us launch any other program that has a CLI simply by running a RegRipper plugin.

RegRipper’s current architecture is laid out nicely for becoming a triage tool. When you run RegRipper, you can choose a “plugin” for each specific registry hive. Each plugin consists of numerous modules, which can be run on their own using rip.exe. For instance, looking inside the NTUSER.dat plugin, we see that it runs the following modules.

# List of plugins for the Registry Ripper
#————————————-
# NTUSER.DAT
logonusername
acmru
adoberdr
aim
applets
fileexts
comdlg32
compdesc
# The controlpanel plugin is intended for Vista systems only
# User hives from systems prior to Vista will show ‘not found’
controlpanel
#listsoft
#logon_xp_run
mmc
mndmru
mp2
mpmru
mspaper
officedocs
recentdocs
realplayer6
runmru
tsclient
typedurls
muicache
userassist
user_run
vncviewer
winzip
user_win
winrar
wallpaper
vista_bitbucket

Using this architecture, we can build a plugin that consists of modules for a specific purpose. For instance, in addition to incident response work we also receive HR cases that often involve inappropriate use (typically porn). We could build a plugin called “Inappropriate Internet Use” to call modules to parse parts of the registry, internet history, recent internet searches, and create thumbnail pages of the internet cache.  Many of these report items would be created by calling outside executables, bypassing the need for coding a custom module. The plugin would look something like this:

# List of plugins for WindowsRipper
#————————————-
# INAPPROPRIATE INTERNET USE
logonusername
recentdocs
typedurls
recentsearches (calling Nirsoft’s MyLastSearch)
internethistory (calling Pasco)
cachedthumbnails (calling Easy Thumbnails)

Hopefully this example shows the potential that this type of a tool has. We’re even working on a timeline plugin.

With a strong community effort, WindowsRipper could grow based on a large library of custom modules. Users could create their own plugins based on these modules. Some modules could include PhotoRec for file carving, MD5Sum for hashing, many of the Nirsoft.net tools and a host of others. We can launch all of these against a mounted drive and compete with other triage programs such as Drive Prophet.

We recorded a short video of our WindowsRipper proof of concept in action. This video shows RegRipper parsing items other than registry and launching external programs from both the main executable and a custom plugin. View the video here.

What we have done is a rough mockup in just a few hours. The plugins and code we have written isn’t clean enough to be released yet – but it could be. Please let us know your thoughts on turning RegRipper into WindowsRipper. Good idea? Bad idea?

I’ve imported most of the content from Binary Intelligence over to here, but because of the way the import works every post lists me as the author. Keep in mind that anything written prior to this post (May 23rd) may have been written by Jim. Binary Intelligence will most likely be dormant, but may see a post every now and then.

Hopefully this new format works out as well I would like it to.

This website recently went live and I am still filling in some content. I have a lot planned, so please bear with me while I work through the initial growing pains. Thanks for visiting!

I have planned a series of posts and screencasts based on both incident response and dead-box forensics. There are many triage techniques to discuss that I think many examiners will find useful. The first post should be up soon.

I plan on generating some content that I find interesting, but I’d like to know what others might find useful. If you have any comments or suggestions on how I can make this website better or have specific requests on information you’d like to see, please let me know in blog comments or on the contact page. Thanks!

After the Facebook post last week, much of the backlash consisted of, “Who cares if someone has my IP address? That information is almost always out there.” Well, here is a great example of what someone can do with an IP address.

Here’s something to really think about.. I was able to obtain all of the information in this post for 16 cents and by just using an email and IP address from a piece of spam.

Family members, ages, schools, anniversary dates, marriage lengths, hobbies, interests, phone numbers, addresses, property records, property taxes, pictures of their house, pictures of them, pictures of their children and grandchildren, deeds on their house, bankruptcies, employment history, previous addresses, previous creditors, and bits of social security numbers.

I’m pretty sure I’d be able to fake my way through one of those password reset forms.. you know, where you set up a “secret question” asking what your dogs name was, or where you went to school?

Beyond that, I’m fairly confident that at this point, if I were to call his bank and pretend to be him, I could easily pass when they asked me personal questions.