Endpoint Incident Response using RegRipper
RegRipper is an open source forensic tool developed by Harlan Carvey. It extracts data from the Windows Registry, ranging from user-related hives to system hives.
RegRipper has a set of plugins that can be used by the examiner to suit their needs.
From an incident response perspective, identifying patient zero during an incident or infection is just the tip of the iceberg: a responder must gather evidence, artifacts and data about the compromised systems, and having the right tool to do so is a must. Not only does it automate the work, it also helps the responder reduce the time needed to resolve the issue.
In this demo, we will create a test account named “MaliciousAccount” and use RegRipper to extract the data from the SAM hive.
First, to extract data from the Registry using RegRipper, the examiner must provide the Registry hive and the location where the output log will be saved.
Then, once all requirements are provided, click Rip! to start the execution.
#note: RegRipper runs a series of plugins to parse information from the hive file, then logs the output and saves it in .txt format.
Now, let’s see what is inside the SOFTWARE Registry hive and what data RegRipper extracts from it.
RegRipper parses the hive and gives us the following details:
- Launched Installer and its details
- Last Logged On
- MSI Package Installed
- Network Cards Details
- Network Profile
- Run Registry key, which is a common destination for persistence
- Scheduled Tasks under the TaskCache Registry key
#Note: There is a lot of information and, for the sake of the demo, I just cited some of it. Feel free to explore 🙂
The last hive we’re about to tackle in this demo is the SYSTEM Registry hive. We won’t be able to cover everything in detail, so it’s up to you to explore and see it for yourself 🙂
By using RegRipper to parse the SYSTEM hive, we get the following details:
- AppCompatCache, which can be used as an artifact for evidence of execution
- Mounted devices such as external devices (USB)
- System Services
- ShimCache, which can also be used as an artifact for evidence of execution
- USBStor, which can be used as an artifact to view the history of USB usage on the system
#Note: For the sake of the demo, we only cited the details that are easily understood. We did not cite all the information, so that you can explore its usage yourself. Again, feel free to explore and find what suits your needs 🙂
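The GUI steps above (pick a hive, pick an output location, click Rip!) map directly onto RegRipper's command-line tool, rip.pl. The following is an added example, not code from the post or from the RegRipper project: it batches rip.pl over the SAM, SOFTWARE and SYSTEM hives, saves each result as a .txt file, and then triages the text for the “MaliciousAccount” test account from the SAM demo. It assumes RegRipper 3.x's rip.pl is on PATH with its -r, -p and -a switches, and that each plugin's output begins with a dashed separator line followed by the plugin name; the sample output embedded below is constructed for the dry run and is not real RegRipper output.

```python
import re
import subprocess
from pathlib import Path

# Assumed: rip.pl (RegRipper 3.x) is on PATH. -r selects the hive file,
# -p runs one plugin, -a runs every plugin registered for that hive type.
def build_rip_command(hive_path, plugin=None, rip="rip.pl"):
    cmd = [rip, "-r", str(hive_path)]
    return cmd + (["-p", plugin] if plugin else ["-a"])

def rip_hive(hive_path, out_dir, plugin=None):
    """Run rip.pl on one hive and save its output as <hive>.txt in out_dir."""
    out = Path(out_dir) / f"{Path(hive_path).name}.txt"
    res = subprocess.run(build_rip_command(hive_path, plugin),
                         capture_output=True, text=True, check=True)
    out.write_text(res.stdout)
    return out

SEP = "-" * 40  # assumed: each plugin block starts with a dashed line + plugin name

def split_plugins(text):
    """Map plugin name -> that plugin's output block (format assumed above)."""
    blocks = {}
    for chunk in text.split(SEP):
        lines = chunk.strip().splitlines()
        if lines:
            blocks[lines[0].split()[0]] = "\n".join(lines[1:])
    return blocks

USER_RE = re.compile(r"^\s*Username\s*:\s*(\S+)", re.M)

def watchlist_hits(sam_text, watchlist):
    """Accounts reported in the SAM output whose names are on the watchlist."""
    wanted = {w.lower() for w in watchlist}
    return sorted(u for u in USER_RE.findall(sam_text) if u.lower() in wanted)

def plugins_mentioning(text, needle):
    """Which plugin sections mention a string (an account, a binary name, ...)."""
    return sorted(n for n, b in split_plugins(text).items() if needle.lower() in b.lower())

# Constructed sample output (NOT real RegRipper output) for an offline dry run.
SAMPLE_SAM = """\
----------------------------------------
samparse v.20200825
(SAM) Parse SAM file for user & group mbrshp info

Username        : Administrator [500]
Username        : MaliciousAccount [1002]
----------------------------------------
profilelist v.20200311
(Software) Get content of ProfileList key
"""

if __name__ == "__main__":
    print(build_rip_command("C:/evidence/SAM", "samparse"))
    print(watchlist_hits(SAMPLE_SAM, ["MaliciousAccount"]))   # ['MaliciousAccount']
    print(plugins_mentioning(SAMPLE_SAM, "MaliciousAccount"))  # ['samparse']
```

To process a real case, call rip_hive() once per exported hive and feed the saved .txt files to the two triage functions.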
About Harlan
Harlan Carvey is a senior-level cyber security advisor and researcher, poised at the intersection of digital forensics and incident response, threat hunting, and threat intel. A prolific published author (9 titles), he wrote the first book of its kind on analysis of the Windows Registry. He is an accomplished public speaker, innovative researcher and analyst.