Unleashing auto_rip
Tuesday, May 21, 2013
The most common question someone asks me after they find out the work I do for a living is “what tools do you use”. This occurs regardless if the person only knows about digital forensics from TV shows or if they are a fellow practitioner. At meetings, conferences, or passing conversations the question is always one of the initial things someone asks. The question that has yet to be asked and in my opinion is the most important is “what process do you use”. The process is what determines the steps one takes to achieve an end goal; the tools only help complete those steps. Talking about tools outside the context of a process doesn’t provide an accurate picture. A carpenter can talk about his hammer all day long. It won’t mean much until he explains how he uses the hammer to accomplish something. In this post I’m unleashing auto_rip which is a wrapper script for RegRipper. Not only do I talk about what auto_rip is and how to use it but I also explain the process behind it as well.
System Examination Process
When I started this blog my main focus was to discuss the “process for investigating security incidents”. My first few posts were about the “initial examination steps I put together to investigate systems”. Ever since those early posts I’ve been honing and improving upon my process. I outlined my methodology on the jIIr methodology webpage and below are some of the steps listed for system examinations.
* Profile the System
- General Operating System Information
- User Account Information
- Software Information
- Networking Information
- Storage Locations Information
* Examine the Programs Ran on the System
* Examine the Auto-start Locations
* Examine Host Based Logs for Activity of Interest
* Examine Web Browsing
* Examine User Profiles of Interest
- User Account Configuration Information
- User Account General Activity
- User Account Network Activity
- User Account File/Folder Access Activity
- User Account Virtualization Access Activity
* Examine Communications
Examination Steps + Artifacts = Categories
Taking a closer look at the above examination steps it’s easier to see how artifacts can be organized beneath them. Take for example the step “Examine the programs ran on the system”. Beneath this step you can organize different artifacts such as: application compatibility cache, userassist, and muicache. The same concept applies to every step and artifact.
The biggest benefit to approaching examinations in this manner is the increased efficiency and speed. You no longer find yourself jumping around looking at different items on a system. You remain focused on what you need to do and the data you need to examine to accomplish your end goal. When you start looking at all the artifacts within a category you get a more accurate picture and avoid overlooking artifacts when processing a case. The end result is your examinations are more focused, efficient, and timely. This is the concept behind why auto_rip was needed; this is the examination process auto_rip follows.
Unleash the auto_rip
There is one data source that provides a wealth of artifacts throughout the examination process: the Windows registry, which contains information for every single examination step I listed above. To parse the information from the registry my tool of choice has been RegRipper. However, I found myself doing one of two things. I was either running all the RegRipper plug-ins according to their registry hives and then jumping around the reports depending on the step I was doing, or I was running select plug-ins with rip (the RegRipper command-line tool) based on the step I was performing. Both methods worked but they weren’t as fast as I wanted them to be when working through my examination process. Enter auto_rip.
Auto_rip automates the execution of the RegRipper plug-ins according to my examination process. I reviewed every RegRipper plug-in and organized them beneath the categories. I then looked over my extensive reference sheet to see what plug-ins were needed or had to be updated. Lastly, I wrote auto_rip to execute the majority of the plug-ins based on the categories. As it stands right now, auto_rip is a command-line script and its help menu is listed below:
auto_rip v2013.05.16
auto_rip [-s path] [-n path] [-u path] [-c categories]
-h, --help lists all of the available options
-s, --system path to the folder containing the SAM, Security, Software, and System hives
-n, --ntuser path to the folder containing the NTUSER.DAT hive
-u, --usrclass path to the folder containing the UsrClass.dat hive
-c, --cat specifies the plug-in categories to run. Separate multiple categories with a comma
Supported Categories:
all gets information from all categories
os gets General Operating System Information
users gets User Account Information
software gets Installed Software Information
network gets Networking Configuration Information
storage gets Storage Information
execution gets Program Execution Information
autoruns gets Autostart Locations Information
log gets Logging Information
web gets Web Browsing Information
user_config gets User Account Configuration Information
user_act gets User Account General Activity
user_network gets User Account Network Activity
user_file gets User Account File/Folder Access Activity
user_virtual gets User Account Virtualization Access Activity
comm gets Communication Software Information
Usage:
Extract all information from the SAM, Security, Software, and System hives.
C:\>auto_rip -s H:\Windows\System32\config -c all
Extract file and network access information from NTUSER.DAT hive (Windows XP user profile)
C:\>auto_rip -n "H:\Documents and Settings\Corey" -c user_network,user_file
Extract file access information from NTUSER.DAT and UsrClass.dat hive (Windows 7 profile)
C:\>auto_rip -n H:\Users\Corey -u H:\Users\Corey\AppData\Local\Microsoft\Windows -c user_file
The auto_rip archive contains two files: auto_rip.pl and auto_rip.exe. Auto_rip.pl works with rip.pl while auto_rip.exe works with rip.exe. The script has been successfully tested on Windows and Linux. The auto_rip script needs to be placed in the same directory as rip.pl (or rip.exe). The output reports are placed in a sub-directory named auto_rip-reports.
Side note: sometimes files named with numbers appear inside the RegRipper folder during execution. These files can be ignored and deleted when the script finishes.
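To make the category-driven design concrete, here is a small Python runner written for this post as an added illustration; it is not auto_rip's own code and the category table is only an illustrative subset of real RegRipper plug-in names, not auto_rip's actual mapping. It assumes rip.pl sits in the same directory and is invoked as `perl rip.pl -r <hive> -p <plugin>`. It takes the same -s, -n, -u and -c switches as the help menu above (plus the -r output folder the later release added), accepts one comma-separated -c value, checks that each switch points at a folder rather than a hive file, and writes one report per category into auto_rip-reports.

```python
"""Category-driven RegRipper runner (added illustration, not auto_rip's code).
Assumes RegRipper's rip.pl sits next to this script and is run as
`perl rip.pl -r <hive> -p <plugin>`; CATEGORIES is an illustrative subset."""
import argparse
import os
import subprocess
import tempfile

# Which command-line folder (-s, -n, -u) holds each hive.
HIVE_SWITCH = {"SAM": "system", "SECURITY": "system", "SOFTWARE": "system",
               "SYSTEM": "system", "NTUSER.DAT": "ntuser", "UsrClass.dat": "usrclass"}

# Illustrative subset: category -> [(plug-in, hive it parses), ...]
CATEGORIES = {
    "os":        [("winver", "SOFTWARE"), ("compname", "SYSTEM"),
                  ("timezone", "SYSTEM"), ("shutdown", "SYSTEM")],
    "users":     [("samparse", "SAM")],
    "software":  [("uninstall", "SOFTWARE")],
    "network":   [("nic2", "SYSTEM")],
    "storage":   [("mountdev", "SYSTEM"), ("usbstor", "SYSTEM")],
    "execution": [("appcompatcache", "SYSTEM"), ("userassist", "NTUSER.DAT"),
                  ("muicache", "UsrClass.dat")],
    "autoruns":  [("soft_run", "SOFTWARE"), ("services", "SYSTEM"),
                  ("user_run", "NTUSER.DAT")],
    "user_file": [("recentdocs", "NTUSER.DAT"), ("shellbags", "UsrClass.dat")],
}


def parse_categories(spec):
    """Split one comma-separated -c value. Empty or 'all' selects every category;
    duplicates are dropped and unknown names are reported rather than ignored."""
    if not spec or spec.strip().lower() == "all":
        return list(CATEGORIES)
    wanted = []
    for name in (n.strip().lower() for n in spec.split(",")):
        if name and name not in wanted:
            wanted.append(name)
    unknown = [n for n in wanted if n not in CATEGORIES]
    if unknown:
        raise ValueError("unknown category: " + ", ".join(unknown))
    return wanted


def hive_path(folders, hive):
    """Locate a hive (case-insensitive) in the folder given for its switch.
    None when that switch was not supplied; an error when the argument is a
    file instead of a folder, the mistake behind 'Invalid argument' below."""
    folder = folders.get(HIVE_SWITCH[hive])
    if folder is None:
        return None
    if not os.path.isdir(folder):
        raise NotADirectoryError(f"{folder}: pass the folder holding the hive, not the hive file")
    for name in os.listdir(folder):
        if name.lower() == hive.lower():
            return os.path.join(folder, name)
    raise FileNotFoundError(f"{hive} not found in {folder}")


def build_jobs(folders, categories, rip="rip.pl"):
    """(category, plug-in, command) for every plug-in whose hive folder was supplied."""
    jobs = []
    for cat in categories:
        for plugin, hive in CATEGORIES[cat]:
            path = hive_path(folders, hive)
            if path is not None:
                jobs.append((cat, plugin, ["perl", rip, "-r", path, "-p", plugin]))
    return jobs


def run_jobs(jobs, report_dir="auto_rip-reports"):
    """Run each job and append its output to one report file per category."""
    os.makedirs(report_dir, exist_ok=True)
    for cat, plugin, cmd in jobs:
        done = subprocess.run(cmd, capture_output=True, text=True)
        with open(os.path.join(report_dir, cat + ".txt"), "a", encoding="utf-8") as fh:
            fh.write(f"---- {plugin} ----\n{done.stdout}\n")
            if done.returncode != 0:
                fh.write(f"[rip exited {done.returncode}: {done.stderr.strip()}]\n")


def demo():
    """Constructed sample: empty stand-in hive files in one temporary folder used
    for both -s and -n, no -u, so UsrClass.dat plug-ins are skipped. Returns jobs."""
    base = tempfile.mkdtemp()
    for name in ("SAM", "SECURITY", "SOFTWARE", "SYSTEM", "NTUSER.DAT"):
        open(os.path.join(base, name), "wb").close()
    return build_jobs({"system": base, "ntuser": base}, parse_categories("os,execution"))


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("-s", "--system"), ap.add_argument("-n", "--ntuser")
    ap.add_argument("-u", "--usrclass"), ap.add_argument("-c", "--cat", default="all")
    ap.add_argument("-r", "--report", default="auto_rip-reports")
    ap.add_argument("--dry-run", action="store_true", help="print commands only")
    a = ap.parse_args()
    folders = {k: v for k, v in (("system", a.system), ("ntuser", a.ntuser),
                                 ("usrclass", a.usrclass)) if v}
    jobs = build_jobs(folders, parse_categories(a.cat))
    if a.dry_run:
        for cat, plugin, cmd in jobs:
            print(cat, " ".join(cmd))
    else:
        run_jobs(jobs, a.report)
```

Running it with `--dry-run` shows which rip.pl commands a category selection expands to before anything is parsed; plug-ins whose hive folder was not supplied are skipped rather than failing, which is what lets a profile-only run (-n and -u with no -s) work.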
Different Ways to Use Auto_rip
Automating RegRipper is not a new concept for me. I first discussed it almost two years ago in the post Obtaining Information about the Operating System. Auto_rip is just taking it to the next level and automating extracting information from the registry according to categories. I’ve been using auto_rip for some time now (initially it was a batch script). It has made my examinations faster, allowing me to produce results sooner. How auto_rip is used depends on what you are trying to accomplish but here are a few ways I use it.
One of my initial steps in any examination is to profile the system: determining basic operating system information such as version, timezone, and installation dates, along with installed software, local user accounts, networking configuration, and storage locations. It’s fairly easy to extract all this information with the command below.
C:\>auto_rip -s H:\Windows\System32\config -c os,users,software,network,storage
When confronted with a system infected with malware, I tend to look at what programs executed on the system and what programs are set to launch automatically. Again, it’s fairly easy to do with auto_rip even when a user profile is included.
C:\>auto_rip -s H:\Windows\System32\config -n H:\Users\Corey -u H:\Users\Corey\AppData\Local\Microsoft\Windows -c execution,autoruns
Maybe I’m not interested in the programs that executed and only want to extract the Auto-Start Extensibility Points (ASEPs) from the registry hives. It’s a breeze with auto_rip.
C:\>auto_rip -s H:\Windows\System32\config -n H:\Users\Corey -u H:\Users\Corey\AppData\Local\Microsoft\Windows -c autoruns
Another item I’m always interested in is what a user account has been doing on a system: what did they access on the network, and what files and folders were opened? Extracting this information may be time consuming with other methods but not with auto_rip.
C:\>auto_rip -n H:\Users\Corey -u H:\Users\Corey\AppData\Local\Microsoft\Windows -c user_act,user_network,user_file
To make things even easier, and what I typically end up doing: just run auto_rip with all the categories selected and review the output reports as needed. It only takes about a minute or two to finish.
C:\>auto_rip -s H:\Windows\System32\config -n H:\Users\Corey -u H:\Users\Corey\AppData\Local\Microsoft\Windows
What’s Next
Auto_rip is an evolving tool. It started out as a batch script (that I didn’t release) and was moved over to Perl to make it more versatile. Development is ongoing. My future plans are to extend its functionality and provide a GUI version to go along with the command-line version.
auto_rip download location is here
Great post, Corey, and thanks for sharing this tool.
Corey, this is excellent. I had done something similar with RR 2.5. I created a set of custom categories for the plugins for what I felt would assist me and speed up the examination. I then created custom profiles and dumped the plugin name into that profile. I would then select the custom profile from the drop box in the RR gui. I would like to suggest to Harlan and yourself that you take it a step further and consider an "Official Category" for each plugin and include that in the plugin description .csv file. I understand the dynamic nature of the artifacts and potential overlap (malware activity not necessarily user activity, vice versa), however the investigator can make that determination. For example, I have a category called "Malware Assist" when investigating an infected machine. The custom profile has all the plugins I consider will assist me in identifying notable activity quickly. I did my categories because as you mentioned, all the "jumping around" was time consuming and hard to keep track. Anyway, just my 2 cents. In closing...your work and Harlan's is incredible. I consider you both my virtual mentors and push myself everyday as I learn so much from both of you. I am looking forward to the book.
@anon,
I think creating wrapper scripts is one of the easiest ways to speed up your examinations. The scripts make the tools do what you need them to do which saves time compared to jumping around.
> suggest to Harlan and yourself
Harlan has already added category info to some plugins. Check out some of the TLN plugins for timelines. Good suggestion though and it's something to think about.
> I have a category called "malware assist
I have a malware category as well. If you look at the auto_rip reports you'll notice it skips a number. That's a placeholder for all the RegRipper plugins geared towards malware. I'm still trying to figure out how I want to approach it with auto_rip.
Thanks for the comment and it's cool to hear someone else was thinking along the same lines. auto_rip has been a time saver and now I use it on all my cases.
Thank you for releasing auto_rip (and all of the hard work you and Harlan have been putting into the RegRipper cleanup). With the number of RegRipper plugins growing, it makes logical sense to break them up by something other than originating hive. Excellent work matching plugins to process steps!
Excellent work, Corey ! This will definitely be useful to all the DFIR community. Thanks for everything you do for the community by the way ! :-)
where do you download this tool?
thanks
@anon, the tool can be downloaded over at the RegRipper site http://code.google.com/p/regripper/downloads/list
Love this - thanks so much for taking the time to create it.
This is great. Again, 2nd Chad's comments. Thanks for all the work on all the updates to RegRipper and new tools like auto_rip. I think I was on travel when this was released and am catching up on my blog reading now so I'm late to the party. But hats off to you and Harlan for your continued work here. Thank you.
Very nice tool. I had some issues because I had spaces in my folder name. The error message was:
"No such file or directory at script/auto_rip-exe.pl line 110". For those who get this error message, use double-quotes around your path name and everything will work fine. Thanks for making a great tool (RR) even better!
Thank you for such a great tool. I am a little late to the forensic party :) but I am trying to get on the fast track and have run into the following errors. When attempting to process either the Usrclass.dat or NTUSER.DAT files I receive the below errors. Both files are located on a USB thumb drive and processing those same files using regripper work as designed. Would you happen to know why I am receiving the errors? As a FYI... I am using your awesome Tr3Secure Data Collection script to capture the files in question. Thank you in advance for any assistance that you can provide!
>auto_rip.exe -u e:\registry\test\UsrClass.dat
Invalid argument at script/auto_rip-exe.pl line 128.
>auto_rip.exe -n e:\registry\test\NTUSER.DAT
Invalid argument at script/auto_rip-exe.pl line 120.
@anon,
In your commands drop the ntuser.dat and usrclass.dat. Auto_rip works with folders and not file names. The below command is what you need.
auto_rip.exe -n e:\registry\bjacobs
Corey Harrell,
nice automated tool. As I was playing with auto_rip I placed the system-sam-software hives and the NTuser.dat in the same folder for testing (regripwin7). When I copy out the same files with encase I also put them together in the same folder (when more users, then of course separate ntuserdat folders). Now I run
auto_rip -s "C:\regripwin7" -c os,users,software,network,storage,execution,autoruns,log,web,comm -n "C:\regripwin7" -c user_config,user_act,user_network,user_file,user_virtual -u "C:\regripwin7"
I don't have a text file for the usrclass.dat.
Is there a possibility to choose the output path for the reports?
@anon,
In your command you only have to use the -c switch once. Also, if you don't use the -c switch then all plug-ins are released. The version I released after I made this post I added the -r switch to specify the output folder. Here is the link to the latest.
http://journeyintoir.blogspot.com/2014/08/autorip-tr3securecollection-dfs-updates.html
tnx for answering: BUT........
I downloaded the most recent regripper 4-14, auto_rip64 with the .pl file (your link). Put them in the regripper folder. CLI: regripper>auto_rip64 -s "D:\regripwin7" -c os,users...... -r D:\autoripreport.
Within a split second on screen ----processing the os category ---- (etc)
Looking in the report only a header is present. No further data. Nothing processed.
What do I do wrong?
@anon,
Trying to communicate through blog comments is not the best way. Look on the about page to get my email address and shoot me an email about what is going on. Email is the better route for trying to identify an issue instead of comments on a blog post.
I always look forward to your posts! Outstanding work.