In the earlier discussion I talked about the Registry Parser Tool “RegRipper”, which uses plugins to parse pre-determined registry paths and pull out relevant information. In that post I was providing information on how to use RegRipper against a mounted drive, but doing that takes some additional steps that are not necessary. Normally to use RegRipper you must locate your registry hives, blue-check them within Encase Enterprise and then copy them out to an export folder. Then you launch RegRipper, browse over to the hive files, run the tool and open the resulting report. There is another way of using this tool inside of Encase without having to copy anything out of Encase, and it is not necessary to mount the image as a mounted drive. In order to do this you need to use the 3rd party viewer inside of Encase. I have created a batch file for each current plugin that RegRipper uses and placed those in the RegRipper folder on my hard drive. I then created a command line inside of Encase telling Encase I want the command prompt to open to “C:\RegRipper”, execute a particular plugin against the hive file I have highlighted, create a report based upon that plugin and place the report in “C:\Temp\[plugin_name].txt”.
In other words the application path would show “C:\Windows\System32\cmd.exe” and the command line shows: /S /D /K c:\\regripper\\bat_files\\aim.bat [file]
This opens the command prompt and runs the aim plugin. The corresponding batch file looks like this:
rem %1 is the hive file that Encase passes in through [file]
rip.exe -r %1 -p aim >> c:\temp\aim.txt
What this allows an examiner to do is run one particular plugin against a given hive file without having to copy anything out and without having to run all the plugins for that particular hive file and then dig through a text report for the information you are looking for. If you feel this is something you would like to try out then please do so and provide some feedback on your thoughts.
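As an added example (not one of the batch files from the post), here is a single batch file that generalizes the per-plugin approach: it takes the plugin name as its first argument and the hive file as its second, so one file serves every plugin and the viewer command line becomes something like "/S /D /K c:\regripper\bat_files\rip_plugin.bat aim [file]". It assumes the same layout as the post (rip.exe in C:\RegRipper, reports in C:\Temp); the file name rip_plugin.bat and the header line written into the report are my own additions.

```batch
@echo off
rem rip_plugin.bat - added example, not from the original post.
rem Usage: rip_plugin.bat <plugin> <hive file>
rem Assumes rip.exe lives in C:\RegRipper and reports go to C:\Temp.
setlocal

set "RIPDIR=C:\RegRipper"
set "OUTDIR=C:\Temp"
set "PLUGIN=%~1"
set "HIVE=%~2"

if "%PLUGIN%"=="" (
    echo Usage: %~nx0 ^<plugin^> ^<hive file^>
    exit /b 1
)
if not exist "%HIVE%" (
    echo Hive file not found: "%HIVE%"
    exit /b 1
)
if not exist "%RIPDIR%\rip.exe" (
    echo rip.exe not found in %RIPDIR%
    exit /b 1
)
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

rem The report is appended to (>>) across runs, so write a header that
rem records the time, the plugin and which hive produced each section.
rem The hive path is quoted because Encase may hand over a path with spaces.
set "REPORT=%OUTDIR%\%PLUGIN%.txt"
>> "%REPORT%" echo ==== %DATE% %TIME%  plugin=%PLUGIN%  hive=%HIVE% ====
"%RIPDIR%\rip.exe" -r "%HIVE%" -p "%PLUGIN%" >> "%REPORT%" 2>&1
if errorlevel 1 echo rip.exe returned an error for plugin %PLUGIN%; see "%REPORT%"

rem Open the report so the result shows up straight from the viewer.
start "" notepad "%REPORT%"
endlocal
```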
I have uploaded a zip file containing all the batch files and the .ini viewer configuration file from Encase to the Document Library at the CSIRT Forum. Just unzip the file, place the “bat” directory into your RegRipper folder and the viewer.ini file into “Program Files\Encase\Config\.” This is set up with the assumption that your RegRipper folder is in the root of your “C:\” drive and that you have a temp directory in the root of your “C:\” drive as well. If you have those folders someplace else then you will need to update the ini file and the batch file for each plugin.
I am sure there are easier ways of doing this and maybe the scripting can be better, but either way leave your comments here. Also remember, if you come up with additional plugins that would be beneficial to the rest of us, please pass them along to everyone.