Using RegRipper
Now and again, I get stories from folks who've used RegRipper or the accompanying tools (rip, ripXP) to meet their needs. When that happens, many times I'll ask if I can post their experience and as in this case, I received the "OK":
I would like to share with you the experience of a recent engagement I have done where RegRipper proved very useful. I had to analyze 4 systems and the number of user profiles in each system varied from 6 to 15. For a system I extracted the relevant hive files, renamed them to "username_NTUSER.DAT" and dumped them in one folder. What I wanted was a certain kind of user activity like typed URL, programs opened etc. by all users (on that system) in one file so that I can I can scroll through the file and get a good idea about what happened on that system i.e. what programs have been executed on the sytsem and if I find something interesting then which username does it correspond to.
First I tried using rip.exe with shell wildcard character "*" but I guess RegRipper does not support that. So I wrote a simple perl script and pointed it to the folder where all the NTUSER.DAT files were located. The script ran a particular plugin against all the hive files and then dumped the output to one file. It also added the name of the file before its output to keep track of which username the activity belongs to.
My goal is that the new version of RegRipper will obviate the need to do this sort of thing...that all you'll have to do is mount the image read-only (tools abound for this...), point RegRipper at the mounted image, and let it go.
However, in the meantime, this is one way to handle this sort of issue. No, rip.exe doesn't handle wildcards...sorry about that, but to be honest, I simply cannot keep up with everything people are going to try to do with the tools, and say ahead of time what they will and will not do. More on that later.
Writing a Perl script or a simple batch file is exactly what rip.exe was intended for! I use rip when testing plugins, and ripXP is built on that same functionality. This is also a great example of how automating a previously manual process saves time and effort, without sacrificing accuracy. In fact, accuracy and completeness are maintained, while reducing the resources it takes to perform certain tasks, making the overall analysis much more efficient.
Finally, a reminder to the community...tools like RegRipper are pretty much written in isolation. That is, I originally wrote the tools to meet my own needs, and I update them for the same purpose. Now and again, I do get submissions for improvements, and those get added, depending upon the design requirements. As one guy, I can only do so much. I've said over and over again, if there's a plugin you're interested in, send me a concise description of what you're looking for and a sample hive (emphasis added on "and" because it's not a matter of one or the other). In cases what folks have done this, I've been able to turn around the plugin fairly quickly.
Also, hives with "interesting" stuff are always a nice stocking stuffer, even all year 'round! ;-)
Addendum: I wanted to add a comment I received from David Kovar:
My primary purpose is to get a quick snapshot of how the system was used, but I'll often come back to the report to help guide me in deciding where to go with my analysis. It probably is one of the most heavily used tools in my kit.
Thanks, David!
I would like to share with you the experience of a recent engagement I have done where RegRipper proved very useful. I had to analyze 4 systems and the number of user profiles in each system varied from 6 to 15. For a system I extracted the relevant hive files, renamed them to "username_NTUSER.DAT" and dumped them in one folder. What I wanted was a certain kind of user activity like typed URL, programs opened etc. by all users (on that system) in one file so that I can I can scroll through the file and get a good idea about what happened on that system i.e. what programs have been executed on the sytsem and if I find something interesting then which username does it correspond to.
First I tried using rip.exe with shell wildcard character "*" but I guess RegRipper does not support that. So I wrote a simple perl script and pointed it to the folder where all the NTUSER.DAT files were located. The script ran a particular plugin against all the hive files and then dumped the output to one file. It also added the name of the file before its output to keep track of which username the activity belongs to.
My goal is that the new version of RegRipper will obviate the need to do this sort of thing...that all you'll have to do is mount the image read-only (tools abound for this...), point RegRipper at the mounted image, and let it go.
However, in the meantime, this is one way to handle this sort of issue. No, rip.exe doesn't handle wildcards...sorry about that, but to be honest, I simply cannot keep up with everything people are going to try to do with the tools, and say ahead of time what they will and will not do. More on that later.
Writing a Perl script or a simple batch file is exactly what rip.exe was intended for! I use rip when testing plugins, and ripXP is built on that same functionality. This is also a great example of how automating a previously manual process saves time and effort, without sacrificing accuracy. In fact, accuracy and completeness are maintained, while reducing the resources it takes to perform certain tasks, making the overall analysis much more efficient.
Finally, a reminder to the community...tools like RegRipper are pretty much written in isolation. That is, I originally wrote the tools to meet my own needs, and I update them for the same purpose. Now and again, I do get submissions for improvements, and those get added, depending upon the design requirements. As one guy, I can only do so much. I've said over and over again, if there's a plugin you're interested in, send me a concise description of what you're looking for and a sample hive (emphasis added on "and" because it's not a matter of one or the other). In cases what folks have done this, I've been able to turn around the plugin fairly quickly.
Also, hives with "interesting" stuff are always a nice stocking stuffer, even all year 'round! ;-)
Addendum: I wanted to add a comment I received from David Kovar:
My primary purpose is to get a quick snapshot of how the system was used, but I'll often come back to the report to help guide me in deciding where to go with my analysis. It probably is one of the most heavily used tools in my kit.
Thanks, David!