RegRipper 3.0

Endpoint Incident Response using RegRipper

RegRipper is an open source forensic tool developed by Harlan Carvey. It extracts data from Windows Registry hive files, from user-specific hives to system hives such as SAM, SOFTWARE and SYSTEM.

RegRipper has a set of plugins that can be used by the examiner to suit their needs.

From an incident response perspective, identifying patient zero during an incident or infection is just the tip of the iceberg. A responder must gather evidence, artifacts and data about the compromised systems, and having the right tool for that is a must. Not only does the tool automate the extraction, it also shortens the time needed to resolve the incident.

In this demo, we create a test account named “MaliciousAccount” and use RegRipper to extract data from the SAM hive.

First, to extract data from the Registry with RegRipper, the examiner must provide the Registry hive file and the location where the report will be saved. RegRipper works on offline copies of the hives: the live files under %SystemRoot%\System32\config are locked while Windows is running, so export them (for example from a forensic image or a volume shadow copy) before ripping.

Then, once both are provided, click Rip! to start the execution.

#Note: RegRipper runs a series of plugins against the hive file, then writes the combined output to a .txt report.

Running RegRipper against our SAM hive, we can see the newly created account together with details that matter during an investigation, such as its Account Created date and time (the same samparse output also gives the RID, the last login date and the login count).
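As an added example (not code from this post or from RegRipper itself), the following Python script performs the same extraction from the command line and then triages the samparse report for accounts created inside an incident window. `rip.exe -r <hive> -a` is the CLI equivalent of pressing Rip! (all plugins for that hive type); `-p samparse` limits the run to the plugin that parses user accounts. The `-r`, `-a` and `-p` flags are taken from RegRipper 3.0's usage text; the report text embedded in the script is constructed in the samparse layout for the demo and is not real output.

```python
"""Triage a samparse report: list the accounts in an exported SAM hive and
flag those created inside the incident window.

Added example, not RegRipper's own code. Assumptions: rip.exe's -r (hive) and
-p (plugin) flags from the RegRipper 3.0 usage text, and the samparse layout
of SAMPLE_REPORT, which is constructed for this demo."""
import re
import subprocess
from datetime import datetime, timezone

USERNAME = re.compile(r"^Username\s*:\s*(?P<name>.+?)\s*\[(?P<rid>\d+)\]\s*$")
FIELD = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<val>.*)$")
FLAG = re.compile(r"^\s*-->\s*(?P<flag>.+?)\s*$")
TIME_FMT = "%a %b %d %H:%M:%S %Y Z"  # samparse prints UTC, e.g. Mon Mar 15 02:17:09 2021 Z


def rip_argv(rip_exe, hive, plugin):
    """CLI equivalent of choosing the hive in the GUI, restricted to one plugin."""
    return [rip_exe, "-r", hive, "-p", plugin]


def parse_time(value):
    """samparse timestamp -> aware UTC datetime; 'Never' or blank -> None."""
    value = value.strip()
    if value in ("", "Never"):
        return None
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def _as_utc(value):
    # Accept an ISO-8601 string or a datetime; naive values are taken as UTC.
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)


def parse_samparse(report):
    """One dict per account: username, rid, every 'Key : value' field, and the --> flags."""
    accounts, current = [], None
    for line in report.splitlines():
        if line.startswith("Group Membership Information"):
            current = None  # group section follows; do not attach it to the last user
            continue
        m = USERNAME.match(line)
        if m:
            current = {"username": m.group("name"), "rid": int(m.group("rid")), "flags": []}
            accounts.append(current)
            continue
        if current is None:
            continue  # plugin banner before the first user block
        m = FLAG.match(line)
        if m:
            current["flags"].append(m.group("flag"))
            continue
        m = FIELD.match(line)
        if m:
            current[m.group("key").strip()] = m.group("val").strip()
    return accounts


def accounts_created_between(accounts, start, end):
    """Accounts whose 'Account Created' time lies in [start, end] (ISO strings accepted)."""
    start, end = _as_utc(start), _as_utc(end)
    hits = []
    for acct in accounts:
        created = parse_time(acct.get("Account Created", ""))
        if created is not None and start <= created <= end:
            hits.append(acct)
    return hits


# Constructed sample in the samparse layout (dummy SIDs); not real tool output.
SAMPLE_REPORT = """\
samparse v.20200825
(SAM) Parse SAM file for user & group mbrship info
-------------------------
Username        : Administrator [500]
SID             : S-1-5-21-1111111111-2222222222-3333333333-500
Account Type    : Default Admin User
Account Created : Thu Aug 13 14:31:40 2020 Z
Last Login Date : Never
Login Count     : 0
  --> Account Disabled
  --> Normal user account

Username        : MaliciousAccount [1003]
SID             : S-1-5-21-1111111111-2222222222-3333333333-1003
Account Type    : Custom Limited Acct
Account Created : Mon Mar 15 02:17:09 2021 Z
Last Login Date : Mon Mar 15 02:20:41 2021 Z
Login Count     : 1
  --> Password does not expire
  --> Normal user account

-------------------------
Group Membership Information
-------------------------
Group Name    : Administrators [2]
Users :
  S-1-5-21-1111111111-2222222222-3333333333-1003
"""

if __name__ == "__main__":
    import sys  # python sam_triage.py rip.exe C:\hives\SAM 2021-03-14 2021-03-16   (no args: demo)
    if len(sys.argv) == 5:
        report = subprocess.run(rip_argv(*sys.argv[1:3], "samparse"), capture_output=True,
                                text=True, errors="replace", check=True).stdout
        start, end = sys.argv[3:5]
    else:
        report, start, end = SAMPLE_REPORT, "2021-03-14", "2021-03-16"
    for a in accounts_created_between(parse_samparse(report), start, end):
        print(f"{a['username']} (RID {a['rid']}) created {a['Account Created']}; {', '.join(a['flags'])}")
```

Run it with no arguments to see the demo flag MaliciousAccount; with a path to rip.exe, an exported SAM copy and an ISO-8601 window it runs samparse for real. The parser keys on the `Username ... [RID]` line that starts each account block and stops attaching fields once the group membership section begins, so group names do not end up on the last user.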

Now, let’s look at what is inside the SOFTWARE Registry hive and what data RegRipper extracts from it.

RegRipper parses the hive and gives us the following details:

      • Installers that have been launched, with their details
      • The last logged-on user
      • MSI packages installed
      • Network card details
      • Network profiles (networks the host has connected to)
      • The Run key, a common persistence location
      • Scheduled tasks under the TaskCache key

#Note: There is a lot more information; for the sake of the demo I cited only some of it. Feel free to explore 🙂

The last hive we tackle in this demo is the SYSTEM Registry hive. We won’t cover everything in detail, so it’s up to you to explore it and see for yourself 🙂

Parsing the SYSTEM hive with RegRipper gives us the following details:

      • AppCompatCache (also known as ShimCache), which can be used as an artifact for evidence of execution. Keep in mind that the timestamp it records is the file’s last-modified time, not the time it ran, and on Windows 10 an entry on its own shows only that the file was present, not that it was executed.
      • Mounted devices, including external (USB) devices
      • System services (service name, image path and start type)
      • USBSTOR, which can be used as an artifact to view the history of USB devices connected to the system

#Note: For the sake of the demo, we cited only the details that are easy to understand and left the rest for you to explore. Again, feel free to explore and find what suits your needs 🙂
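As an added example (not the post's or RegRipper's own code), this Python script runs, per hive, the plugins behind the artifacts listed in the SOFTWARE and SYSTEM sections above and keeps one report file per plugin, hashing each exported hive first so the report set can be tied to the evidence it was produced from. The hive-to-plugin mapping and the plugin names are my assumptions drawn from the RegRipper 3.0 plugin list; confirm them with `rip.exe -l` before relying on them.

```python
"""Batch triage: hash the exported hives, then run the RegRipper plugins behind
the SOFTWARE and SYSTEM artifacts listed above, one report file per plugin.

Added example, not RegRipper's own code. Assumed: rip.exe's -r/-p flags and
the plugin names in PLUGINS (confirm them with `rip.exe -l`); the artifact to
plugin mapping is this script's assumption, not the page's."""
import hashlib
import os
import subprocess

# Hive type -> plugins to run (assumed from the RegRipper 3.0 plugin list).
PLUGINS = {
    "SAM": ["samparse"],  # local accounts (SAM demo above)
    "SOFTWARE": [
        "installer",      # launched installers
        "lastloggedon",   # last logged-on user
        "msis",           # MSI packages installed
        "networkcards",   # network card details
        "networklist",    # network profiles the host has joined
        "run",            # Run/RunOnce autostart keys (persistence)
        "taskcache",      # scheduled tasks under TaskCache
    ],
    "SYSTEM": [
        "appcompatcache", # AppCompatCache / ShimCache
        "mountdev",       # mounted devices, including USB volumes
        "services",       # installed services
        "usbstor",        # USBSTOR device history
    ],
}


def guess_hive_type(path):
    """Hive type from the file name (SAM, SOFTWARE, SYSTEM, or e.g. SYSTEM.bak);
    rip.exe -g does the same from the file contents. Handles / and \\ paths."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].upper()
    for hive in PLUGINS:
        if name == hive or name.startswith(hive + "."):
            return hive
    raise ValueError(f"no plugin set for hive file: {path}")


def report_path(outdir, hive_type, plugin):
    return os.path.join(outdir, f"{hive_type}_{plugin}.txt")


def plan(hive_paths, outdir, rip_exe="rip.exe"):
    """(argv, report file) pairs for every plugin of every hive; runs nothing."""
    jobs = []
    for hive in hive_paths:
        hive_type = guess_hive_type(hive)
        for plugin in PLUGINS[hive_type]:
            jobs.append(([rip_exe, "-r", hive, "-p", plugin], report_path(outdir, hive_type, plugin)))
    return jobs


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def rip_all(hive_paths, outdir, rip_exe="rip.exe"):
    """Hash the hives into manifest.txt, run every job, return the report paths."""
    os.makedirs(outdir, exist_ok=True)
    with open(os.path.join(outdir, "manifest.txt"), "w", encoding="utf-8") as mf:
        for hive in hive_paths:
            mf.write(f"{sha256_file(hive)}  {hive}\n")  # record exactly what was parsed
    written = []
    for argv, out in plan(hive_paths, outdir, rip_exe):
        proc = subprocess.run(argv, capture_output=True, text=True, errors="replace")
        with open(out, "w", encoding="utf-8") as fh:
            fh.write(proc.stdout)
            if proc.returncode != 0:  # keep the failure next to the (possibly partial) output
                fh.write(f"\n[rip exited {proc.returncode}]\n{proc.stderr}")
        written.append(out)
    return written


if __name__ == "__main__":
    import sys  # python rip_triage.py <outdir> <hive> [<hive> ...]   (rip.exe on PATH)
    for path in rip_all(sys.argv[2:], sys.argv[1]):
        print("wrote", path)
```

Pointing it at exported copies of SAM, SOFTWARE and SYSTEM produces files such as `SYSTEM_usbstor.txt` and `SOFTWARE_run.txt` next to a `manifest.txt` of hive hashes, which is easier to diff across hosts than the single combined report the GUI writes. A non-zero exit from rip.exe is recorded in the same report file rather than silently dropped.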