Most plugins are intended for specific hives; the data that they collect are only found in one hive. In some cases, the data that you may be looking for may be found in either the Software hive or the NTUSER.DAT hive, with the only difference in extracting the desired data from one hive or the other is a slight variation in the path to that data. In cases such as these, it is trivial to have a plugin that can be run against either hive file and “fail silently” (that is, not report an error) if one path does not succeed in finding the data.

Some plugins are intended to extract very specific data, making them very “tactical,” while others are more general or “strategic” in nature. For example, the regin.pl plugin checks the System hive file for specific values known to be indicative of the Regin malware. The renocide.pl plugin checks the Software hive for a specific key known to be indicative of the Renocide malware. These plugins are very “tactical,” as they check for specific keys or value data. On the other hand, the svc.pl plugin accesses the Services key in the System hive and extracts (and displays) data from all of the subkeys, making no attempt to filter the data.

Some plugins can be run across all hives. For example, the findexes.pl plugin was written to look for binary data types (values with data of type 0 or 3) that start with “MZ”, the first 2 bytes of a Windows portable executable file. The rlo.pl plugin was written to check any hive file for any key and value names that contain the right-to-left override Unicode control character. The fileless.pl plugin was written to check any hive file for indications of the Poweliks malware; throughout the growth of the malware, it employed different persistence mechanisms that spanned multiple hives, while the value data itself remained similar enough to be detected through the use of a simple regular expression.

When you launch the RegRipper GUI, you’ll be able to see the available profiles by exposing the drop-down menu for the “Profile:” listbox, as illustrated in Fig. 5.3.

You can create your own profiles for your own use or to share with others. I know several folks who’ve done this, and I’ve done it upon occasion. I don’t include those in the RegRipper distribution because I’ve found that it tends to confuse some of those who download and run RegRipper; with too many plugins available, there appears to be confuse as to which ones to run. However, we do discuss how to create your own profiles in detail later in this chapter. Creating your own profile is as easy as opening Notepad and typing the name of each plugin that you want to run against a hive file on one line.

I built a capability into rip (RegRipper’s little brother) that allows users to get a quick listing of the available plugins. In order to take advantage of this capability, open a command prompt and navigate to the directory where you copied RegRipper and type the following command:

C:perl
r>rip -l

In this case, we’re using the “compiled” Windows executable for rip.exe, rather than the Perl script (rip.pl) to run the command. I’m assuming that you downloaded RegRipper, but do not have Perl installed, which is perfectly acceptable.

An excerpt of the output of the command appears as follows:

265. typedurls v.20080324 [NTUSER.DAT]
 - Returns contents of user’s TypedURLs key.
266. typedurlstime v.20120613 [NTUSER.DAT]
 - Returns contents of user’s TypedURLsTime key.
267. typedurlstime_tln v.20120613 [NTUSER.DAT]
 - Returns contents of Win8 user’s TypedURLsTime key (TLN).

Again, this is just an excerpt; at the time of this writing, my installation of RegRipper has 315 plugins.

So, what the command does is that it goes to the plugins folder (by default, “plugins”), locates all files that end in “.pl”, and extracts information from them. The information that you see displayed (name, version number, hive that the plugin is intended for, and a description) is all embedded within the plugin file itself. Of course, there may be more extensive information available in the headers or comments of the plugin file, which you can view by opening the plugin file in Notepad or Notepad++.

Another way to run the same command is to add the “-c” switch, which when used with the “-l” switch (for listing the plugins) will format the output as comma-separated values (CSV), suitable for opening in Excel.

C:perl
r>rip –l -c

You’ll notice that the output is displayed on the console. To get this into an Excel file, simply redirect the output to a file as follows:

C:perl
r>rip –l –c > plugins.csv

You can now open the resulting file in Excel, or even Notepad, if you wish. Once you have the output in Excel, you can sort on names, versions, or hive files. Or, you can extend the command line you’re using to produce only a list of plugins intended to be run against the NTUSER.DAT hive file by typing:

C:perl
r>rip –l –c | find “NTUSER” /i > ntuser_plugins.csv

Again, you can open the resulting file in Excel and sort on any of the columns. This is a great way to get a listing of plugins that are run against a particular hive (replace “NTUSER” with any other hive name, or “ALL”) so that you can create your own custom profiles, which will be discussed later in this chapter.

Since I first released RegRipper, my request has always been that if someone has a question about RegRipper or a plugin, ask it. Similarly, if someone needs a plugin modified, or a new one created, the best approach is to contact me with a concise description of what you’re looking for (maybe include some examples) and provide sample data for testing. In some cases, when someone has asked for assistance in that manner, I’ve been able to turn around new or updated plugins in 1–4 hours. I have had people ask me for new plugins but be either unwilling or unable to provide sample data, and I really don’t want to send someone a plugin that I haven’t had an opportunity to test. My goal is to provide a plugin that they can use, not something that the only response is that “it doesn’t work.”

To my knowledge, there are no “hidden” repositories of RegRipper plugins. For the foreseeable future, the RegRipper distribution will continue to be located online at https://github.com/keydet89/RegRipper2.8. Over the years, a few analysts have provided plugins of their own, and others have requested updates to plugins, as well as providing the necessary data to develop and test the plugin. The most notable case for the latter is the ares.pl plugin; I don’t have many opportunities to work cases involving peer-to-peer (P2P) file sharing applications, and a district attorney shared an NTUSER.DAT file with me along with a request to update the ares.pl plugin in order to address the data that they’d seen.

An easy way to see which profiles you have available is to open a command prompt and navigate to the folder that contains the plugins and type the following command:

C:Perl
rplugins>dir /os | more

What this command does is list the files within the folder, using a sort order based on the size of the files, listing the smallest files first. This is an effective means of listing the profiles, as you’ll see, because the profiles are much smaller than the plugins. An excerpt of the output from the above command, run on the system I use to develop RegRipper, appears as follows:

03/29/2013 02:43 PM 77 sam
03/29/2013 02:43 PM 93 usrclass
03/29/2013 02:43 PM 104 security
08/07/2014 04:27 PM 107 all
04/03/2013 09:55 AM 568 system
07/16/2013 06:44 AM 660 software
09/05/2013 07:15 AM 1,259 ntuser
08/21/2014 02:34 PM 1,351 at_tln.pl
07/13/2010 12:45 PM 1,465 skype.pl

Notice that the smallest file is “sam”, which is only 77 bytes in size. Using the “type” command, you can send the contents of the file to the console, and you’ll see what appears as follows:

# 20120528 ∗ALL∗ Plugins that apply on SAM hive, alphabetical order
samparse

As you can see, there really isn’t much to the “sam” profile, as it points to only one plugin, samparse.pl. In fact, the vast majority of the 77 bytes of the file are consumed by the visible comment. That’s right, lines beginning with “#” are comments and as such are not processed as commands by RegRipper.

Similarly, the “all” profile contains the following lines:

# 20120528 ∗ALL∗ Plugins that apply on any HIVES, alphabetical order
baseline
findexes
regtime
rlo
del

The “all” profile contains plugins that can be run against any hive. I know…the file name isn’t entirely imaginative, but it is deceptively descriptive.

Once you’ve created your new profile, be sure to test it by running it against whatever hives you have available. You can do this by closing and relaunching the RegRipper UI and selecting the new profile from the drop-down list. An alternative to this approach is to use rip.exe to run the profile against a hive file using a command similar to the following:

C:perl
r>rip –r d:caseslocal
tuser.dat –f new_ntuser_profile

If you want to see all of the output from the above command, be sure to redirect the output to a file, using the appropriate redirection operator; either “>” to create a new file or “>>” to append the information to a new file.

Corey has long been a proponent for “artifact categories,” which is a method for classifying various artifacts based on their applicability to various aspects of analysis. For example, if your analysis goals are to determine, as best you could, all of the programs that had been run on a computer system, or all of the applications that had been launched by a specific user, there are a number of data sources and artifacts within a Windows system where you can focus your analysis. The “give me everything, including the kitchen sink” approach to analysis can quickly become overwhelming due to the sheer volume of data, and the concept of “artifact categories” allows an analyst to focus on specific data sources and artifacts that will provide the analyst with information pertinent to that analysis. As we saw in chapters Analyzing the System Hives and Case Studies: User Hives, there are several keys and values within the Registry that allow an analyst to focus on specific information about which applications were run on a system, which falls under the “program execution” category. Sometimes, various categories can be very similar; for example, there are “program execution” artifacts that will provide information about applications that a user launched, as well as “autostart” artifacts that will provide information about applications that were automatically launched when the user took a specific action, such as logging into the system, logging out, or running an application.

Corey developed auto_rip to be a means for using RegRipper to get information specific to various artifact categories. His blog post lists the various supported categories and even includes the ability to run RegRipper across multiple hive files and retrieve information that pertains to all of the supported categories. This can be extremely valuable to an analyst who has a very clear picture in their mind regarding what their analysis goals are and what questions they are trying to answer. Corey’s efforts have extended the ability to use RegRipper not in a single step but rather in a quantum leap.

First, check to ensure that you ran the plugin against the appropriate hive file. The plugins are written in Perl, which means that for the most part, they’re text files and can be opened in an editor, such as Notepad (native to Windows installations) or Notepad++ (available online from http://notepad-plus-plus.org/). Near the beginning of each plugin, there’s a Perl hash structure named “%config” that contains metadata for the plugin; within this structure is a value named “hive” that indicates for which hive (or hives, as the case may be) the plugin is intended. This value is illustrated in Fig. 5.4.

Second, check the hive file itself; is it a hive file? Open the hive file in a hex editor and check to see if the first 4 bytes are “regf”, and go to offset 4096 (0x1000 in hexadecimal) and check to see if the first 4 bytes at that offset are “hbin”. Most importantly, check to ensure that the hive file itself is not full of zeros.

If everything looks good and checks out at this point, check the log file. Remember earlier in this chapter (see Fig. 5.2), we discussed the fact that when you run the RegRipper GUI, it creates a log file of activity? Whichever file name you chose for the output file (the file should end with the “.txt” extension) a log file with same name, albeit with the “.log” file extension, will be created in the same folder. If you run into issues with the output of RegRipper, be sure to check this file out. Open it in Notepad or Notepad++ and scroll through it. Do any of the plugins report errors?

Here’s an example of an error I found in a log file:

Tue Mar 3 16:19:06 2015: Error in compatassist:
PLEASE SEE THE PERL2EXE USER MANUAL UNDER “Can’t locate somemodule.pm in @INC”
FOR AN EXPLANATION OF THE FOLLOWING MESSAGE:
Can’t locate pluginscompatassist.pl in @INC (@INC contains: PERL2EXE_STORAGE
C:Perl
r C:UsersharlanAppDataLocalTemp/p2xtmp-1900) at C:Perl
r
r.exe line 274.

So what does all this mean? Well, this one is pretty easy. See the part where it says “Can’t locate pluginscompatassist.pl…?” If I navigate to the plugins folder (via a command prompt) and type “dir compatassist.pl”, I get “File not found”. Basically, what this error means is that a plugin was included in the profile, but the plugin doesn’t exist in the plugins folder. This one is an easy fix…simply open the profile in Notepad and remove the reference to the plugin.

If you still can’t figure out what’s wrong, feel free to contact me. My e-mail address is included in the header of the plugins that I have written (which is most of them), so you should have no trouble reaching me. I tend to discourage folks from publishing their questions and concerns to random websites, for the simple fact that it would be highly unlikely that I would see them. Whatever information you can share (beyond, “it doesn’t work”) about the version of the operating system you were using (as well as the one from which the Registry hive files were extracted), the hive files themselves, the plugins you were running, etc., will only serve to provide me with a better view into what the issue might be and allow me to provide an answer, and possibly even a solution, in a more timely manner.