Thoughts on RegRipper Support

One of the things I've considered recently is taking a more active role in supporting RegRipper, particularly when it comes to plugins.

When I first released RegRipper in 2009 or so, my hope was that it would be completely supported by the community.  For a while there, we saw some very interesting things being done, such as RegRipper being added as a viewer to EnCase.  Over the past year or so, largely thanks to the wonderful and greatly appreciated support of folks like Brett Shavers and Corey Harrell, RegRipper has sort of taken off.

From the beginning, I think that the message about RegRipper has been largely garbled, confused, or simply misunderstood.  As such, I'd like to change that.

When someone has wanted a plugin created or modified, I've only ever asked for two things...a concise description of what you're looking for, and a sample hive.  Now, over the past 3 or so years, I've received requests for plugins, accompanied by either a refusal to provide a sample hive, or the sample hive simply being absent.  For those of you who have provided a sample hive, you know that I have treated that information in the strictest confidence and wiped the hive or hives after usage.  In addition, rather than being subjected to a barrage of emails to get more information about what you are looking for, those of you who have provided sample hives have also received the requested plugin in very short order, often as quickly as within the hour.

One of the things I've tried to do is be responsive to the community regarding needs.  For example, I provided a means for listing available plugins as part of the CLI component of RegRipper (i.e., rip.pl/.exe).  As this is CLI, some folks wanted a GUI method for doing the same thing, so I wrote the Plugin Browser.  Even so, to this day, I get questions about the available plugins; I was recently asked if two plugins were available, one that was originally written almost 3 years ago, and one that I'd written two months ago.

I'm not trying to call anyone out, but what I would like to know is, what is a better means for getting information out there and in the hands of those folks using RegRipper?

Recently, some confusion in the RegRipper message became very apparent to me, when word that another Perl script I had released was a RegRipper plugin was shared across the community.  It turned out that, in fact, that script had nothing whatsoever to do with either RegRipper or the Registry.

Speaking of plugins, there are a number of folks who've taken it upon themselves to write RegRipper plugins of their own, and share them with the public, and for that, I salute you.  Would it be useful to have a testing and review mechanism, or at least identify the state (testing, dev, beta, final) of plugins?

Finally, I've written a good number of plugins myself that I haven't yet provided to the general public.  I have provided many of those plugins to a couple of folks within the community who I knew would use them (and have), and provide feedback.  In some cases, I haven't released the plugins because of the amount of confusion there seems to be with regards to what a plugin is and how it's used by RegRipper; i.e., as it's currently written, you can't just drop a plugin in the RegRipper plugins directory and have it run by RegRipper (or via rip.pl/.exe).  Some effort is required on the part of the analyst to include plugins in a profile in order to have it run by RegRipper.
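The point above, that a plugin file sitting in the plugins directory does nothing until a profile names it, is the one that trips people up most, so here is an added example (editor's addition, not code from RegRipper or its author) of the check an analyst can run before invoking rip.pl with a profile.  It assumes only the layout rip.pl already uses: plugins are `<name>.pl` files in the plugins directory, and a profile is a plain-text file in that same directory listing one plugin name per line, with `#` lines as comments.  The plugin and profile names in the test data at the bottom are constructed for illustration.

```bash
#!/bin/sh
# Audit a RegRipper profile against the plugins directory, then add a plugin
# to the profile idempotently.  Assumed layout (matches rip.pl):
#   <plugins dir>/<name>.pl   - a plugin
#   <plugins dir>/<profile>   - plain text, one plugin name per line, # = comment
# Constructed example; not part of RegRipper itself.

# Plugin names (basename without .pl) present on disk, sorted for comm(1).
list_plugins() {
    dir="$1"
    for f in "$dir"/*.pl; do
        [ -e "$f" ] || continue
        basename "$f" .pl
    done | LC_ALL=C sort -u
}

# Plugin names a profile references, with comments and blank lines removed.
list_profile() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" \
        | LC_ALL=C sort -u
}

# Profile entries with no matching .pl file: rip.pl cannot load these, so the
# profile should be cleaned before running "rip.pl -r <hive> -f <profile>".
missing_plugins() {     # $1 = plugins dir, $2 = profile name
    on_disk=$(mktemp); in_prof=$(mktemp)
    list_plugins "$1" > "$on_disk"
    list_profile "$1/$2" > "$in_prof"
    LC_ALL=C comm -13 "$on_disk" "$in_prof"
    rm -f "$on_disk" "$in_prof"
}

# Plugins on disk that the profile never names: these will not run via -f,
# only if invoked individually with "rip.pl -r <hive> -p <plugin>".
unreferenced_plugins() {  # $1 = plugins dir, $2 = profile name
    on_disk=$(mktemp); in_prof=$(mktemp)
    list_plugins "$1" > "$on_disk"
    list_profile "$1/$2" > "$in_prof"
    LC_ALL=C comm -23 "$on_disk" "$in_prof"
    rm -f "$on_disk" "$in_prof"
}

# Append a plugin to a profile only if the plugin file exists and the profile
# does not already list it.  Returns 1 for a plugin that is not on disk.
add_to_profile() {      # $1 = plugins dir, $2 = profile name, $3 = plugin
    if [ ! -f "$1/$3.pl" ]; then
        echo "add_to_profile: no such plugin: $3" >&2
        return 1
    fi
    if list_profile "$1/$2" | grep -qx "$3"; then
        return 0
    fi
    printf '%s\n' "$3" >> "$1/$2"
}

# Build a throwaway plugins directory with constructed sample data so the
# functions above can be exercised offline.
make_sample_plugins_dir() {
    d=$(mktemp -d)
    for p in userassist recentdocs newplugin; do
        printf '# constructed stand-in for %s.pl\n' "$p" > "$d/$p.pl"
    done
    printf '# constructed NTUSER profile\nuserassist\nrecentdocs\nstaleplugin\n' > "$d/ntuser"
    printf '%s\n' "$d"
}
```

Once a profile passes both checks, the usual invocation is `rip.pl -r <hive> -f <profile>`; `rip.pl -l` remains the quickest way to see which plugins ship with the installation before asking whether one exists.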

As such, I've considered becoming more active in getting the message about RegRipper out to the DFIR community as a whole, and I'd like to know, from the folks who use RegRipper, how would we/I do a better job with RegRipper, as well as in supporting it?