Wednesday, April 23, 2008

Ripping the Registry Live

So I have been quiet lately, and there's been quite a bit happening. First off, Harlan Carvey released RegRipper. This tool is impressive and awfully useful, not to mention NEEDED. If you haven't checked it out, do so. Harlan has said this tool is not designed for live response, but I've been dying to get it into a live response methodology. Well, with F-Response I can do it now. Here goes ripping the registry live...sorry for my Camtasia-fu, or lack thereof.





A few things to note if you haven't registered with F-Response.

The field kit requires that you put the dongle in the target system; this video starts after I've done that.
The connection is not encrypted - yet.

In addition, there's a new version of RegRipper out. This is just one of the many tools that F-Response lets you use against a live system. See why it's so cool?

EDIT: I put the video up on YouTube; Blogger's video player was just too small.
EDIT: Harlan corrected this statement for me: "Harlan has said this tool is not designed for live response." This should read "RegRipper is NOT intended to be run on live Registry hive files".
EDIT: I realized an error in the previous video. The new one is correct.
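One practical caveat behind that correction: on the live box the kernel holds the active hives open, and the bytes F-Response exposes from the raw disk can be caught mid-write, with newer data still sitting in the hive's transaction log. The base block of every hive carries two sequence numbers that Windows bumps before and after flushing dirty data, plus an XOR checksum, so a quick header check tells you whether the copy you pulled over F-Response is consistent before you hand it to RegRipper. The following is an added example written for this post; it is not part of RegRipper or F-Response. The sample hive headers it builds are constructed in the code, and the `\??\C:\Users\analyst\ntuser.dat` path in them is a made-up value.

```python
import struct

BASE_BLOCK_LEN = 4096   # the regf base block is the first 4 KiB page of the hive
CHECKSUM_OFFSET = 0x1FC  # XOR-32 checksum of the preceding 127 dwords
NAME_OFFSET, NAME_LEN = 48, 64  # UTF-16LE tail of the hive's file name


def regf_checksum(base_block: bytes) -> int:
    """XOR of the first 0x1FC bytes as little-endian dwords, as Windows computes it."""
    csum = 0
    for word in struct.unpack("<127I", base_block[:CHECKSUM_OFFSET]):
        csum ^= word
    # Windows maps the two degenerate results to neighbouring values.
    if csum == 0xFFFFFFFF:
        csum = 0xFFFFFFFE
    elif csum == 0:
        csum = 1
    return csum


def check_hive(base_block: bytes) -> dict:
    """Inspect a hive base block and report whether the on-disk image is consistent.

    primary_seq != secondary_seq means a flush was in progress when the bytes were
    read: the transaction log holds data the primary file does not yet have.
    """
    if len(base_block) < BASE_BLOCK_LEN:
        raise ValueError("need at least the 4096-byte base block")
    signature = base_block[:4]
    primary_seq, secondary_seq = struct.unpack_from("<II", base_block, 4)
    stored_checksum = struct.unpack_from("<I", base_block, CHECKSUM_OFFSET)[0]
    raw_name = base_block[NAME_OFFSET:NAME_OFFSET + NAME_LEN]
    hive_name = raw_name.decode("utf-16-le", errors="replace").rstrip("\x00")

    result = {
        "signature_ok": signature == b"regf",
        "checksum_ok": stored_checksum == regf_checksum(base_block),
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        "sequence_consistent": primary_seq == secondary_seq,
        "hive_name": hive_name,
    }
    result["safe_to_rip"] = all(
        (result["signature_ok"], result["checksum_ok"], result["sequence_consistent"])
    )
    return result


def build_base_block(primary_seq: int, secondary_seq: int,
                     name: str = "\\??\\C:\\Users\\analyst\\ntuser.dat") -> bytes:
    """Construct a minimal, well-formed base block for testing (sample data, not a real hive)."""
    blk = bytearray(BASE_BLOCK_LEN)
    blk[0:4] = b"regf"
    struct.pack_into("<II", blk, 4, primary_seq, secondary_seq)
    struct.pack_into("<Q", blk, 12, 0)                     # last-written FILETIME, left at 0 here
    struct.pack_into("<IIII", blk, 20, 1, 5, 0, 1)         # major 1, minor 5, type primary, format 1
    struct.pack_into("<III", blk, 36, 0x20, 0x1000, 1)     # root cell offset, hbin size, clustering
    blk[NAME_OFFSET:NAME_OFFSET + NAME_LEN] = name.encode("utf-16-le")[:NAME_LEN].ljust(NAME_LEN, b"\x00")
    struct.pack_into("<I", blk, CHECKSUM_OFFSET, regf_checksum(bytes(blk)))
    return bytes(blk)


def check_hive_file(path: str) -> dict:
    """Read just the base block from a hive copied off an F-Response mounted volume."""
    with open(path, "rb") as fh:
        return check_hive(fh.read(BASE_BLOCK_LEN))


if __name__ == "__main__":
    for label, blk in (("clean", build_base_block(7, 7)), ("mid-flush", build_base_block(8, 7))):
        print(label, check_hive(blk))
```

Run `check_hive_file()` against the hive you copied off the F-Response volume; a `sequence_consistent` of False is the signal to grab the matching `.LOG` files as well (or re-copy the hive) rather than trusting what RegRipper reports from the primary file alone.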

4 comments:

H. Carvey said...

Great video, I love it!

For the record, though, I didn't say that RegRipper isn't "for live response"...what I said was that it's not intended for running against live Registry hive files. For example, it's not intended to run against "C:\Documents and Settings\hcarvey\NTUSER.DAT"...

hogfly said...

Harlan, thanks for clarifying.

Anonymous said...

what video...?

hogfly said...

Anonymous,
It seems that there were playback issues, but it should be fixed now. If not, let me know and I'll take the issue up with YouTube customer service.