Wednesday, January 28, 2009

Using RegRipper

I have been doing oodles of analysis lately (6+TB since December!) and have been making heavy, heavy use of registry analysis in each case. For this I've been using RegRipper, so I figured I would dedicate at least one post to it and how I make use of it. I also happen to be a firm believer that someone can tell a person to use something 1000 times, but until they actually see it in use or can see the utility in using it, they are less likely to follow your recommendation. With that said, here are a few ways I use RegRipper.

1) Determine group membership.

Like no other tool I've used to date, the samparse module has saved me hours of analysis time in determining who belonged to what group and what privileges they had. Just this morning I saw some mailing list posts about determining why there was no user account listed for a particular account in the SAM on a Windows XP box. The answer was rather simple: the account was a domain account.

Here's an abridged example of what I'm talking about:

User Information
Username: Administrator [500]
Username: Guest [501]
Username: SUPPORT_388945a0 [1002]
Username: SUPPORT_3f151ab9 [1003]
Username: HelpAssistant [1004]
Username: ASPNET [1006]

Group membership information
Group Name: Power Users [1]
Users: S-1-5-21-1461745249-492156796-3006755465-1119

Group Name: Administrators [3]
Users: S-1-5-21-296978250-731684933-3931576523-500

To explain, the top portion is the list of local user accounts. Under the Group membership section we can see the Power Users group with a SID/RID combination that doesn't fit with the system. How do I know this? This is easily determined by examining the Administrators group section of the file. The Administrator account has the well-known RID 500, i.e. a SID of the form S-1-5-N-500, where N is the machine's own identifier. As such, I now know the system SID and can say that the account in the Power Users group is NOT a local account. This can and *should* be correlated with the software hive analysis of the ProfileList key and its values, which detail each user account profile and its SID. When looking at the software hive, you can quickly determine the account name from the SID and the domain name in question.
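To show the reasoning above as a repeatable check, here is an added example (my own code, not part of the original post and not a RegRipper plugin) that parses samparse-style group membership output, derives the machine SID from the RID-500 member of the Administrators group, flags group members whose SID prefix does not match, and then looks each SID up against a ProfileList mapping. The samparse text is modelled on the abridged output in the post, and the ProfileList entries (including the profile path for the domain user) are constructed for illustration.

```python
import re

# Constructed sample, modelled on the abridged samparse output in the post.
SAMPARSE_OUTPUT = """\
User Information
Username: Administrator [500]
Username: Guest [501]
Username: HelpAssistant [1004]

Group membership information
Group Name: Power Users [1]
Users: S-1-5-21-1461745249-492156796-3006755465-1119

Group Name: Administrators [3]
Users: S-1-5-21-296978250-731684933-3931576523-500
"""

# Constructed stand-in for the SOFTWARE hive's ProfileList key
# (SID -> ProfileImagePath). The domain profile path is an assumption.
PROFILE_LIST = {
    "S-1-5-21-296978250-731684933-3931576523-500":
        r"C:\Documents and Settings\Administrator",
    "S-1-5-21-1461745249-492156796-3006755465-1119":
        r"C:\Documents and Settings\jsmith.CORP",
}

# Machine/domain account SIDs: S-1-5-21-<three sub-authorities>-<RID>.
# Well-known SIDs such as S-1-5-32-544 deliberately do not match.
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-\d+")


def parse_groups(text):
    """Return {group name: [member SIDs]} from samparse-style output.

    Collects every SID that appears after a 'Group Name:' line until the
    next one, so it copes with one SID per line or several on a line."""
    groups, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Group Name:\s*(.+?)\s*\[\d+\]\s*$", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current is not None:
            groups[current].extend(SID_RE.findall(line))
    return groups


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (issuing authority prefix, RID)."""
    prefix, rid = sid.rsplit("-", 1)
    return prefix, int(rid)


def machine_sid(groups):
    """Derive the local machine SID from the built-in Administrator (RID 500)
    in the local Administrators group.

    Caveat: a domain Administrator account also carries RID 500, so if more
    than one RID-500 member is present, confirm against the SAM's local
    'User Information' list before trusting the result."""
    candidates = [split_sid(s)[0] for s in groups.get("Administrators", [])
                  if split_sid(s)[1] == 500]
    if len(candidates) != 1:
        raise ValueError("expected exactly one RID-500 member, got %r" % candidates)
    return candidates[0]


def classify_members(groups, profiles=None):
    """Label each group member as local or non-local by SID prefix and attach
    the profile path from the ProfileList mapping, if one exists."""
    local = machine_sid(groups)
    profiles = profiles or {}
    rows = []
    for group, sids in groups.items():
        for sid in sids:
            prefix, rid = split_sid(sid)
            rows.append({
                "group": group,
                "sid": sid,
                "rid": rid,
                "origin": "local" if prefix == local else "non-local (domain or other machine)",
                "profile": profiles.get(sid),
            })
    return rows


if __name__ == "__main__":
    for row in classify_members(parse_groups(SAMPARSE_OUTPUT), PROFILE_LIST):
        print("%-15s %-50s %-40s %s" % (row["group"], row["sid"], row["origin"], row["profile"]))
```

Run against real output, the rows whose origin is non-local are the ones to chase through the ProfileList and the domain, exactly the correlation step described above; a non-local SID with no ProfileList entry at all means the account was granted membership but has never logged on interactively to this box.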

2) Determine services installed.

RegRipper has a great module to list the services on the system sorted by last write time. Comparing this to an exemplar list of Windows services allows you to a) do data reduction and b) determine what services may have been installed or leveraged by an intruder.

3) Windows Firewall configuration.

I once had an incident where an external consultant claimed the firewall had not been disabled by them (which is what caused the incident); however, according to RegRipper the firewall was disabled, and other logs confirmed this, with all roads pointing to the consultants.

4) Confirmation of devices in use on the system.

There's been a number of times when I could say to a customer that had been infected with removable media malware "You'll want to make sure you clean up these devices" or identify "rogue" devices that had been used on a system.

5) Determine network configuration.

In a world dominated by DHCP and a variety of network usage, determining the last known IP address used by the system is invaluable, especially when you need to plug the IP address into various network analysis utilities. I use this (and other markers) to make sure I've got the system I'm supposed to have.

6) Determine user activity.

Naturally there's a bunch of good things here to look at and every investigation includes a look here.

In short, there are untold ways to use RegRipper for analysis. These are just a few small examples of how I've made use of the tool. I don't really know how many people are using it, but there sure are a bunch of people who aren't, and that's just a shame. It's a great tool that simplifies the process of registry analysis and, simply stated, it saves time. As we all know, time is money, and saving both is important to everyone involved in investigations. Don't forget, as I showed in the video I posted some time ago, it can be run in concert with F-Response to look at an otherwise "locked" registry hive on a remote system while it's live.

There's much more I could say about using RegRipper, but I imagine there will be plenty included in Windows Forensic Analysis, second edition.


Keydet89 said...

Great post, thanks!!

hogfly said...

The tool is just awesome, so thank you.