By now I am sure everyone has heard about RegRipper, the registry parsing tool that uses plugins to walk predetermined registry paths and pull out the relevant information. Normally, to use RegRipper you must locate your registry hives, blue-check them within EnCase Enterprise and copy them out to an export folder, then launch RegRipper, browse to the hive files, run the tool and open the resulting report. There is another way of using this tool from inside EnCase that does not require copying anything out of EnCase or mounting the image as a drive: use the 3rd-party viewer feature inside EnCase. I have created a batch file for each current RegRipper plugin and placed them in the RegRipper folder on my hard drive. I then created a viewer entry inside EnCase telling it to open a command prompt in “C:\RegRipper”, execute a particular plugin against the hive file I have highlighted, and write a report based on that plugin to “C:\Temp\[plugin_name].txt”.
In other words, the application path would show “C:\Windows\System32\cmd.exe” and the command line would show “/S /D /K c:\\regripper\\bat_files\\aim.bat [file]”. This opens the command prompt and runs the aim plugin against the highlighted file. The corresponding batch file looks like this:
REM %1 is the hive path EnCase passes in as [file]; the report is appended to c:\temp\aim.txt (quoted so paths with spaces work)
rip.exe -r "%~1" -p aim >> c:\temp\aim.txt
What this allows an examiner to do is run one particular plugin against a given hive file without copying anything out of EnCase, and without running every plugin for that hive and then digging through a long text report for the information you are looking for. If you feel this is something you would like to try, please do so and provide some feedback on your thoughts.
I have uploaded all the batch files and the .ini viewer configuration file from Encase to the following link: http://www.box.net/shared/7pppe36n5g.
Place the “bat” files in a directory called “Bats” inside your RegRipper folder, and place the viewer.ini file in “Program Files\Encase\Config\”. This is set up on the assumption that your RegRipper folder is in the root of your “C:\” drive and that you have a Temp directory in the root of “C:\” as well. If those folders are somewhere else, you will need to update the ini file and the batch file for each plugin.
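One way to avoid maintaining a separate batch file for every plugin is a single batch that takes the plugin name as a second argument, so the EnCase viewer command line becomes “/S /D /K c:\regripper\bats\run_plugin.bat [file] aim” and only the plugin name changes per viewer entry. The script below is an added example, not one of the batch files from the download above; the file name run_plugin.bat, the C:\RegRipper and C:\Temp locations and the per-hive report naming are assumptions made here. It adds the checks a practitioner would want: the hive path is quoted so paths with spaces work, a missing hive, plugin argument or rip.exe stops the run with a message, and the report is named after both hive and plugin so runs against different hives do not append into one file.

```batch
@echo off
REM run_plugin.bat - added example, not part of the author's batch files.
REM Called from the EnCase 3rd-party viewer as (assumption: EnCase substitutes the
REM highlighted file's path for [file]):
REM   /S /D /K c:\regripper\bats\run_plugin.bat [file] aim
REM %1 = hive file path, %2 = RegRipper plugin name (aim, recentdocs, ...)

set RIPDIR=C:\RegRipper
set OUTDIR=C:\Temp

REM Both arguments are required; with cmd /K the window stays open so the message is visible
if "%~2"=="" (
    echo Usage: %~nx0 ^<hive file^> ^<plugin name^>
    exit /b 1
)

if not exist "%~1" (
    echo Hive file not found: "%~1"
    exit /b 1
)

if not exist "%RIPDIR%\rip.exe" (
    echo rip.exe not found in "%RIPDIR%" - update RIPDIR at the top of this script
    exit /b 1
)

if not exist "%OUTDIR%" mkdir "%OUTDIR%"

REM One report per hive and plugin, e.g. C:\Temp\NTUSER_aim.txt, so a second hive
REM does not get appended to the first hive's results
set REPORT=%OUTDIR%\%~n1_%~2.txt

REM Run from the RegRipper folder so rip.exe finds its plugin directory
pushd "%RIPDIR%"
echo === %date% %time% rip.exe -r "%~1" -p %~2 >> "%REPORT%"
rip.exe -r "%~1" -p %~2 >> "%REPORT%" 2>&1
set RC=%ERRORLEVEL%
popd

if not "%RC%"=="0" (
    echo rip.exe returned %RC%; check "%REPORT%" for the error text
    exit /b %RC%
)

echo Report written to "%REPORT%"
```

The timestamp line written before each run keeps a record of which hive and plugin produced each block of output if the same report is appended to more than once, and redirecting stderr into the report means a plugin that fails on a hive leaves its error text next to the partial output rather than only in the console window.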
I am sure there are easier ways of doing this, and maybe the scripting can be improved, but either way leave your comments here. Also, if you come up with additional plugins that would be beneficial to the rest of us, please pass them along to everyone.
If you would like the batch files and ini files mentioned, you can contact me at my email address: firstname.lastname@example.org.