Monday, December 22, 2008

Using RegRipper

Ever wonder how to use RegRipper for analysis? After all, the tool pulls data from Registry hive files, and while there is a considerable amount of data reduction, what do you do with the data you get?

Let's look at an example. Say that you've got an issue going on with some systems, and you (a) acquire an image of a system, (b) use FTK Imager to get copies of just the Registry hive files from a live system, or (c) connect to the system via F-Response...at that point, you run RegRipper, or just rip.exe with one of the plugins to extract information from the Services key in the System hive file. If you happen to see Ndisprot listed as a service, you may have found a Trojan.Flush.M infection.

*Note: Trojan.Flush.M is apparently also known as "DNSChanger", and this blog post refers to some excellent resources for checking your network for rogue DHCP servers, including MS's own dhcploc utility.

Also, RegRipper can be used to check for the existence of patches and updates, such as KB958644, which addresses the Server service vulnerability from MS08-067.

Check out the RegRipper.net forums for some new plugins uploaded by Don Weber.

How do you use RegRipper?

2 comments:

Anonymous said...

SIFT v1.2 was just released... It includes RegRipper perl scripts, which now supports integrating registry data with the TSK's body file for timeline analysis. I think that's pretty cool. Now I'd just like to see an easy way to also include the Event Logs in that timeline.

H. Carvey said...

To be clear, RegRipper is included, but regtime.pl is/maybe a separate script all together. A while back I provided Rob Lee w/ a copy of regtime.pl, and he may have modified it to output the data in TSK body file format; this would be similar to Michael Cloppert's ex-tip tool.

Again, I don't think that the regtime.pl that Rob has added to SIFT is part of RegRipper.

Including Event Log entries is pretty trivial, given a good deal of the code that's out there...I guess my question would be, does the Event Log format necessarily and easily follow the Dr. Carrier's body file format?