Unleashing auto_rip

Tuesday, May 21, 2013 Posted by Corey Harrell
The most common question someone asks me after they find out the work I do for a living is “what tools do you use”. This occurs regardless if the person only knows about digital forensics from TV shows or if they are a fellow practitioner. At meetings, conferences, or passing conversations the question is always one of the initial things someone asks. The question that has yet to be asked and in my opinion is the most important is “what process do you use”. The process is what determines the steps one takes to achieve an end goal; the tools only help complete those steps. Talking about tools outside the context of a process doesn’t provide an accurate picture. A carpenter can talk about his hammer all day long. It won’t mean much until he explains how he uses the hammer to accomplish something. In this post I’m unleashing auto_rip which is a wrapper script for RegRipper. Not only do I talk about what auto_rip is and how to use it but I also explain the process behind it as well.

System Examination Process


When I started this blog my main focus was to discuss the “process for investigating security incidents”. My first few posts were about the “initial examination steps I put together to investigate systems”. Ever since those early posts I’ve been honing and improving upon my process. I outlined my methodology on the jIIr methodology webpage and below are some of the steps listed for system examinations.

     * Profile the System
          - General Operating System Information
          - User Account Information
          - Software Information
          - Networking Information
          - Storage Locations Information
     * Examine the Programs Ran on the System
     * Examine the Auto-start Locations
     * Examine Host Based Logs for Activity of Interest
     * Examine Web Browsing
     * Examine User Profiles of Interest
          - User Account Configuration Information
          - User Account General Activity
          - User Account Network Activity
          - User Account File/Folder Access Activity
          - User Account Virtualization Access Activity
     * Examine Communications

Examination Steps + Artifacts = Categories


Taking a closer look at the above examination steps it’s easier to see how artifacts can be organized beneath them. Take for example the step “Examine the programs ran on the system”. Beneath this step you can organize different artifacts such as: application compatibility cache, userassist, and muicache. The same concept applies to every step and artifact.

The biggest benefit to approaching examinations in this manner is the increased efficiency and speed. You no longer find yourself jumping around looking at different items on a system. You remain focus on what you need to do and the data you need to examine to accomplish your end goal. When you start looking at all the artifacts within a category you get a more accurate picture and avoid overlooking artifacts when processing a case. The end result is your examinations are more focused, efficient, and timely. This is the concept behind why auto_rip was needed; this is the examination process auto_rip follows.

Unleash the auto_rip


There is one data source that provides a wealth of artifacts throughout the examination process. This data source is the Windows registry and it contains information for every single examination step I listed above. To parse the information from the registry my tool of choice has been RegRipper. However, I found myself doing one of two things. I was either running all the RegRipper plug-ins according to their registry hives then jumping around the reports depending on the step I was doing. The other method was running select plug-ins with rip (RegRipper command-line tool) based on the step I was performing. Both methods worked but they weren’t as fast as I wanted it to be when doing my examination process. Enter auto_rip.

Auto_rip automates the execution of the RegRipper plug-ins according to my examination process. I reviewed every RegRipper plug-in and organized them beneath the categories. I then looked over my extensive reference sheet to see what plug-ins were needed or had to be updated. Lastly, I wrote auto_rip to execute the majority of the plug-ins based on the categories. As it stands right now, auto_rip is a command-line script and its help menu is listed below:

auto_rip v2013.05.16

auto_rip [-s path] [-n path] [-u path] [-c categories]

-h, --help lists all of the available options
-s, --system path to the folder containing the SAM, Security, Software, and System hives
-n, --ntuser path to the folder containing the NTUSER.DAT hive
-u, --usrclass path to the folder containing the UsrClass.dat hive
-c, --cat specifies the plug-in categories to run. Separate multiple categories with a comma

Supported Categories:
     all                  gets information from all categories
     os                  gets General Operating System Information
     users              gets User Account Information
     software         gets Installed Software Information
     network          gets Networking Configuration Information
     storage           gets Storage Information
     execution        gets Program Execution Information
     autoruns          gets Autostart Locations Information
     log                 gets Logging Information
     web                gets Web Browsing Information
     user_config      gets User Account Configuration Information
     user_act          gets User Account General Activity
     user_network    gets User Account Network Activity
     user_file          gets User Account File/Folder Access Activity
     user_virtual      gets User Account Virtualization Access Activity
     comm              gets Communication Software Information

Usage:

Extract all information from the SAM, Security, Software, and System hives.
C:\>auto_rip -s H:\Windows\System32\config -c all

Extract file and network access information from NTUSER.DAT hive (Windows XP user profile)
C:\>auto_rip -n "H:\Documents and Settings\Corey" -c user_network,user_file

Extract file access information from NTUSER.DAT and UsrClass.dat hive (Windows 7 profile)
C:\>auto_rip -n H:\Users\Corey -u H:\Users\Corey\AppData\Local\Microsoft\Windows -c user_file

The auto_rip archive contains two files: auto_rip.pl and auto_rip.exe. Auto_rip.pl works with rip.pl while auto_rip.exe works with rip.exe. The script has been successfully tested on Windows and Linux. The auto_rip script needs to be placed in the same directory as rip.pl (or rip.exe). The output reports are placed in a sub-directory named auto_rip-reports as shown below.


Side note: sometimes files named with numbers appear inside the RegRipper folder during execution. These files can be ignored and deleted when the script finishes

Different Ways to Use Auto_rip


Automating RegRipper is not a new concept for me. I first discussed it almost two years ago in the post Obtaining Information about the Operating System. Auto_rip is just taking it to the next level and automating extracting information from the registry according to categories. I’ve been using auto_rip for some time now (initially it was a batch script). It has made my examinations faster; allowing me to produce results faster. How auto_rip is used depends on what you are trying to accomplish but here are a few ways I use it.

One of my initial steps in any examination is to profile the system. To determine basic operating system information such as version, timezone, and installation dates, installed software information, local user accounts, networking configuration, and storage locations. It’s fairly easy to extract all this information with the command below.

C:\>auto_rip -s H:\Windows\System32\config -c os,users,software,network,storage

I tend to look what programs executed on the system and what programs are set to launch automatically when confronted with a system infected with malware. Again it’s fairly easy to do with auto_rip even when a user profile is included.

C:\>auto_rip -s H:\Windows\System32\config -n H:\Users\Corey -u H:\Users\Corey\AppData\Local\Microsoft\Windows –c execution,autoruns

Maybe I’m not interested in the programs that executed and only want to extract the Auto-Start Extensibility Points (ASEPs) from the registry hives. It’s breeze with auto_rip.

C:\>auto_rip -s H:\Windows\System32\config -n H:\Users\Corey -u H:\Users\Corey\AppData\Local\Microsoft\Windows –c autoruns

Another item I’m always interested in is what a user account has been doing on a system. What did they access on the network and what files and folders were opened. Extracting this information may be time consuming with other methods but not with auto_rip.

C:\>auto_rip -n H:\Users\Corey -u H:\Users\Corey\AppData\Local\Microsoft\Windows –c user_act,user_network,user_file

To make things even easier and typically what I end up doing. Just run auto_rip with all the categories selected and review the output reports as needed. It only takes about a minute or two to finish.

C:\>auto_rip -s H:\Windows\System32\config -n H:\Users\Corey -u H:\Users\Corey\AppData\Local\Microsoft\Windows

What’s Next


Auto_rip is an evolving tool. It started out as a batch script (that I didn’t release) and was moved over to Perl to it more versatile. Development is ongoing. My future plans are to extend its functionality and provide a GUI version to go along with the command-line version.
Labels: ,
  1. Great post, Corey, and thanks for sharing this tool.

  2. Anonymous

    Corey, this is excellent. I had done something similar with RR 2.5. I created a set of custom categories for the plugins for what I felt would assist me and speed up the examination. I then created custom profiles and dumped the plugin name into that profile. I would then select the custom profile from the drop box in the RR gui. I would like to suggest to Harlan and yourself that you take it a step further and consider an "Official Category" for each plugin and include that in the plugin description .csv file. I understand the dynamic nature of the artifacts and potential overlap (malware activity not necessarily user activity, vise versa), however the investigator can make that determination. For example, I have a category called "Malware Assist" when investigating an infected machine. The custom profile has all the plugins I consider will assist me in identifying notable activity quickly. I did my categories because as you mentioned, all the "jumping around" was time consuming and hard to keep track. Anyway, just my 2 cents. In closing...your work and Harlan's is incredible. I consider you both my virtual mentors and push myself everyday as I learn so much from both of you. I am looking forward to the book.

  3. @anon,

    I thinking creating wrapper scripts is one of the easiest ways speed up your examinations. The scripts make the tools do what you need them to do which saves time compared to jumping around.

    > suggest to Harlan and yourself

    Harlan has already added category info to some plugins. Check out some of the TLN plugins for timelines. Good suggest though and its something to think about.

    > I have a category called "malware assist

    I have a malware category as well. If you look at the auto_rip reports you'll notice it skips a number. That's a place holder for all the RegRipper plugins geared towards malware. I'm still trying to figure out how I want to approach it with auto_rip

    Thanks for the comment and it's cool to hear someone else was thinking along the same lines. auto_rip has been a time saver and now I use it on all my cases.

  4. Thank you for releasing auto_rip (and all of the hard work you and Harlan have been putting into the RegRipper cleanup). With the number of RegRipper plugins growing, it makes logical sense to break them up by something other than originating hive. Excellent work matching plugins to process steps!

  5. Excellent work, Corey ! This will definitely be useful to all the DFIR community. Thanks for everything you do for the community by the way ! :-)

  6. Anonymous

    where do you download this tool?
    thanks

  7. @anon, the tool can be downloaded over at the RegRipper site http://code.google.com/p/regripper/downloads/list

  8. Love this - thanks so much for taking the time to create it.

  9. This is great. Again, 2nd Chad's comments. Thanks for all the work on all the updates to RegRipper and new tools like auto_rip. I think I was on travel when this was released and am catching up on my blog reading now so Im late to the party. But hats off to you and Harlan for your continued work here. Thank you.

  10. Chris Then

    Very nice tool. I had some issues because I had spaces in my folder name. The error message was:
    "No such file or directory at script/auto_rip-exe.pl line 110". For those who get this error message, use double-quotes around your path name and everything will work fine. Thanks for making a great tool (RR) even better!

  11. Anonymous

    Thank you for such a great tool. I am a little late to the forensic
    party :) but I am trying to get on the fast track and have run into
    the following errors. When attempting to process either the
    Usrclass.dat or NTUSER.DAT files I receive the below errors. Both
    files are located on a USB thumb drive and processing those same files
    using regripper work as designed. Would you happen to know why I am
    receiving the errors? As a FYI... I am using your awesome Tr3Secure
    Data Collection script to capture the files in question. Thank you in
    advance for any assistance that you can provide!

    >auto_rip.exe -u e:\registry\test\UsrClass.dat
    Invalid argument at script/auto_rip-exe.pl line 128.

    >auto_rip.exe -n e:\registry\test\NTUSER.DAT
    Invalid argument at script/auto_rip-exe.pl line 120.

  12. @anon,

    In your commands drop the ntuser.dat and usrclass.dat. Auto_rip works with folders and not file names. The below command is what you need.

    auto_rip.exe -n e:\registry\bjacobs

Post a Comment