Over the past couple of weeks I have had a growing appreciation for the hard work that Harlan Carvey has put into his Windows Registry parsing tool RegRipper. Although tools such as MiTeC’s RFV are still necessary when reviewing Windows Registry hives, RegRipper provides an easy means to gather data into a text document for exporting into case notes and reports.
What really makes RegRipper worthwhile is that Harlan has gone out of his way to create a tool that is easily extensible. RegRipper pulls data out of Windows Registry hives through the use of plugins. Although he has created many plugins that are already included in RegRipper, there is always going to be something else that would be useful to pull and document.
A good example is a recent case I was working on. I needed to know how big a Windows Event Log was set to grow. Through a little research I discovered the very useful Windows article, Eventlog Key, covering the subject. Using the information in this article I was able to pull out the information using RFV. Of course, I had already run RegRipper and determined that this information had not been pulled by an existing plugin. I started thinking that this information would be useful in the future but I didn’t have time to write a plugin so I just exported the data by hand and drove on.
Later, in the same case, it became necessary to look for system and program crash dumps. This meant that I needed to know whether the system had been configured to dump the contents of memory to a file when the operating system detected a crash. Searching the output of RegRipper again showed that this information had not been pulled by a plugin. After a little research I found Overview of memory dump file options for Windows Server 2003, Windows XP, and Windows 2000 and Dr Watson. The first article explains the configuration settings for crash dumps that occur when a Windows system experiences the Blue Screen of Death (BSOD). The second article details the Windows Registry configuration for Dr. Watson which “is a program error debugger that gathers information about your computer when an error (or user-mode fault) occurs with a program.” Although I did have to pull the information by hand, this made me realize that creating a few RegRipper plugins might be worthwhile for future reports.
So, I did it. I wrote three new plugins titled eventlog.pl, drwatson.pl, and crashdump.pl. These plugins have been posted to the RegRipper Forum (registration required) where you can copy and include them in your plugin directory. For now, if you want to run these plugins you will not be able to use them with the GUI version of the tool as they have only been tested by running them with rip.pl. Your comments, updates, reviews, etc. would be greatly appreciated. Leaving your comments in the RegRipper Forum would be even better as everybody would benefit.
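To show what a plugin of this kind looks like, here is an added example (not the eventlog.pl posted on the forum, and not Harlan's code) that reports the configured MaxSize and Retention of each Event Log from a SYSTEM hive. It follows the RegRipper plugin conventions used with rip.pl (a config hash, the get* accessors, and pluginmain receiving the hive path) and reads the hive through Parse::Win32Registry; the plugin name, the osmask value and the report wording are my own choices.

```perl
package eventlog_size;
# Added example plugin: report Event Log size/retention settings from the
# SYSTEM hive. Values come from ...\Services\Eventlog\<log>:
#   File      - path of the .evt file
#   MaxSize   - DWORD, maximum log size in bytes
#   Retention - DWORD seconds (0 = overwrite as needed, 0xFFFFFFFF = never)
use strict;

my %config = (hive          => "System",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20090101);

sub getConfig     { return %config; }
sub getShortDescr { return "Report Event Log MaxSize and Retention settings"; }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

sub pluginmain {
    my $class = shift;
    my $hive  = shift;    # path to the SYSTEM hive file supplied by rip.pl
    ::logMsg("Launching eventlog_size v.".$VERSION);
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;

    # Resolve the ControlSet the system last booted with (Select\Current).
    my $select = $root_key->get_subkey("Select")
        or return ::rptMsg("Select key not found.");
    my $ccs      = "ControlSet00".$select->get_value("Current")->get_data();
    my $key_path = $ccs."\\Services\\Eventlog";
    my $key      = $root_key->get_subkey($key_path)
        or return ::rptMsg($key_path." not found.");

    ::rptMsg("Eventlog settings (".$key_path.")");
    ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
    foreach my $log ($key->get_list_of_subkeys()) {
        my ($file, $max, $ret) = map { $log->get_value($_) } qw(File MaxSize Retention);
        ::rptMsg($log->get_name());
        ::rptMsg("  File      : ".(defined $file ? $file->get_data() : "(not set)"));
        ::rptMsg("  MaxSize   : ".(defined $max ? $max->get_data()." bytes" : "(default)"));
        ::rptMsg("  Retention : ".(defined $ret ? $ret->get_data()." seconds" : "(default)"));
    }
}
1;
```

A missing MaxSize or Retention value means the system was running with the OS default for that log, which is worth stating in the report rather than leaving blank.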
It is my understanding that Harlan will include these, or at least his own version of these plugins as he will probably want the formatting to remain consistent, in his next release. Hopefully you find them useful.
NOTE: I just spoke with Harlan and there will be no need to update RegRipper to include these plugins. Just grab them from the RegRipper forums, include them in your plugins directory, and you are off to the races.
Formatting, hmmm. That brings up a good question. Should there be an XML output for RegRipper? Not that I know of any tools that would pull it in, but who knows what the future will bring. But, it does sound like a good poll question.
Go forth and do good things,
Don C. Weber
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported.