RegRipper

Digital Forensic Wikipedia

Introduction

RegRipper is an open-source Windows registry analysis tool developed by Harlan Carvey. At the time of writing the most recent update is April 2013 and the current version is v2.8, which is the version used in this article. RegRipper provides both a command-line tool (rip.exe) and a GUI (rr.exe) and runs on Windows; both are Perl scripts (rip.pl, rr.pl) shipped as compiled executables for Windows. Unlike a general-purpose registry viewer, RegRipper extracts specific artifacts from a hive, and it does this through plugins, which are downloaded separately and installed alongside the tool. The CLI is shown in Figure 1 and the GUI in Figure 2.

[Figure 1] RegRipper CLI (rip.exe) run from cmd
[Figure 2] RegRipper GUI (rr.exe)



Usage

To use the GUI, extract the downloaded archive and run rr.exe from the extracted folder. Before the first run, create a folder named plugins next to rr.exe and place the plugin files in it; rr.exe will not start without it. Once the plugins are installed, launching rr.exe shows the available profiles in the Profile drop-down (Figure 3). Choosing the sam profile, setting the hive path to the SAM file, setting a Report File path and clicking Rip It writes the results to that Report File path; the opened report is shown in Figure 4.

[Figure 3] rr.exe after the plugins have been loaded
[Figure 4] Report File produced by rr.exe

The command syntax of the CLI tool rip.exe is shown in Table 1. Note that -f takes the name of a profile (a plugins file stored in the plugins folder), not the path of a plugin; -p takes the name of a single plugin.

[Table 1] Command syntax of rip.exe (CLI)
rip [-r Reg hive file] [-f profile] [-p plugin module] [-l] [-h]



The rip.exe command that produces the same result as the rr.exe run above is shown in Table 2, and its output in Figure 5. The profile name passed to -f (sam) is looked up inside the plugins folder, so it needs no path.

[Table 2] Example rip.exe command for parsing the SAM hive
rip -r ./SAM -f sam
[Figure 5] Result of parsing the SAM hive with rip.exe
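The single-hive run above is usually repeated for every hive pulled from an image. The Python below is an added example (not RegRipper's own code) that picks the profile for each hive from the Table 3 names, builds the rip.exe command line, runs it, and parses the output of rip.exe -l -c so you can see which plugins apply to a hive before running them. It assumes rip.exe is on PATH (or is given explicitly) and that the -l -c output has the line format plugin,version,hive,description as rip.pl v2.8 prints it; SAMPLE_PLUGIN_LIST is constructed for the example, not captured from a real run.

```python
"""Added example (not RegRipper project code): drive rip.exe from Python.

select_profile()      hive file name -> profile name (Table 3)
build_rip_command()   rip.exe argument list, -f profile or -p plugin
parse_plugin_list()   parse `rip.exe -l -c` output (assumed format:
                      plugin,version,hive,description)
rip_all()             run the matching profile over every hive in a folder
"""
import subprocess
from pathlib import Path

# Hive file name (case-insensitive) -> RegRipper profile name (Table 3).
HIVE_PROFILES = {
    "ntuser.dat": "ntuser",
    "sam": "sam",
    "security": "security",
    "software": "software",
    "system": "system",
    "usrclass.dat": "usrclass",
}

# Hive names a plugin may declare. Needed to split the -l -c line, because the
# hive field itself ("NTUSER.DAT, USRCLASS.DAT") and the description can both
# contain commas, so a plain 4-way split is not safe.
KNOWN_HIVES = {"ntuser.dat", "ntuser", "usrclass.dat", "sam", "security",
               "software", "system", "all"}

# Constructed sample of `rip.exe -l -c` output (not from a real run).
SAMPLE_PLUGIN_LIST = """\
compname,20090727,System,Gets ComputerName and Hostname values from System hive
muicache,20130425,NTUSER.DAT, USRCLASS.DAT,Gets MUICache entries
regtime,20080324,All,Dumps entire hive - all keys sorted by LastWrite time
Error: Can't locate Parse/Win32Registry.pm
"""


def select_profile(hive_path):
    """Profile name for a hive file, or None if RegRipper has no profile for it."""
    return HIVE_PROFILES.get(Path(hive_path).name.lower())


def build_rip_command(hive_path, profile=None, plugin=None, rip_exe="rip.exe"):
    """Argument list for rip.exe with exactly one of profile (-f) or plugin (-p).
    A list rather than a shell string, so paths with spaces need no quoting."""
    if (profile is None) == (plugin is None):
        raise ValueError("give exactly one of profile or plugin")
    cmd = [rip_exe, "-r", str(hive_path)]
    cmd += ["-f", profile] if profile else ["-p", plugin]
    return cmd


def parse_plugin_list(csv_text):
    """Parse `rip.exe -l -c` output into dicts (name, version, hives, descr).
    Lines not shaped name,version,<hive>,... (e.g. 'Error: ...') are skipped."""
    plugins = []
    for line in csv_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 4:
            continue
        name, version, rest = parts[0], parts[1], parts[2:]
        hives = []
        while rest and rest[0].lower() in KNOWN_HIVES:
            hives.append(rest.pop(0))
        if not hives:
            continue
        plugins.append({"name": name, "version": version,
                        "hives": hives, "descr": ", ".join(rest)})
    return plugins


def plugins_for_hive(plugins, hive_name):
    """Names of plugins that declare hive_name (or 'All') as their target."""
    wanted = hive_name.lower()
    return [p["name"] for p in plugins
            if any(h.lower() in (wanted, "all") for h in p["hives"])]


def rip_all(hive_dir, report_dir, rip_exe="rip.exe"):
    """Run the matching profile over every recognised hive in hive_dir and write
    one report per hive. Returns {hive path: rip.exe return code}."""
    report_dir = Path(report_dir)
    report_dir.mkdir(parents=True, exist_ok=True)
    results = {}
    for hive in sorted(Path(hive_dir).iterdir()):
        profile = select_profile(hive)
        if profile is None:
            continue
        cmd = build_rip_command(hive, profile=profile, rip_exe=rip_exe)
        # rip.exe writes the report to stdout; keep it as raw bytes so strings
        # from the hive are not altered by a text codec.
        with open(report_dir / f"{hive.name}.{profile}.txt", "wb") as fh:
            results[str(hive)] = subprocess.run(
                cmd, stdout=fh, stderr=subprocess.STDOUT).returncode
    return results


if __name__ == "__main__":
    # C:/case01/hives is an assumed folder of hives exported from an image.
    for name in ("NTUSER.DAT", "SYSTEM"):
        print(" ".join(build_rip_command(f"C:/case01/hives/{name}",
                                         profile=select_profile(name))))
    print(plugins_for_hive(parse_plugin_list(SAMPLE_PLUGIN_LIST), "USRCLASS.DAT"))
```

Calling rip_all("C:/case01/hives", "C:/case01/reports") writes one report per hive; running plugins_for_hive first is the quick way to confirm that a profile's plugins actually target the hive you are about to feed them, since rip.exe does not check this for you.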



Features

The profiles RegRipper can parse are listed in Table 3. Each profile is a list of plugins for one hive type, and is selected with -f in rip.exe or from the Profile drop-down in rr.exe.

[Table 3] Profiles supported by RegRipper
Profiles
        ntuser
        sam
        security
        software
        system
        usrclass



The plugins RegRipper supports are listed in Table 4. The GUI (rr.exe) cannot run plugins individually; it only runs whole profiles. The CLI (rip.exe) runs a single plugin when its name is given with -p. Plugins whose name ends in _tln emit timeline (TLN) lines instead of a report, for merging with other timeline sources.

[Table 4] RegRipper plugin list
Plugin  Target hive  Description
acmru NTUSER.DAT Gets contents of user's ACMru key
adoberdr NTUSER.DAT Gets user's Adobe Reader cRecentFiles values
aim NTUSER.DAT Gets info from the AOL Instant Messenger (not AIM) install
aports NTUSER.DAT Extracts the install path for SmartLine Inc. Active Ports.
appcertdlls System Get entries from AppCertDlls key
appcompatcache System Parse files from System hive Shim Cache
appcompatflags NTUSER.DAT Extracts AppCompatFlags for Windows.
appinitdlls Software Gets contents of AppInit_DLLs value
applets NTUSER.DAT Gets contents of user's Applets key
applets_tln NTUSER.DAT Gets contents of user's Applets key (TLN)
apppaths Software Gets content of App Paths subkeys
apppaths_tln Software Gets content of App Paths subkeys (TLN)
appspecific NTUSER.DAT Gets contents of user's Intellipoint\AppSpecific subkeys
ares NTUSER.DAT Gets contents of user's Software/Ares key
arpcache NTUSER.DAT Retrieves CurrentVersion\App Management\ARPCache entries
assoc Software Get list of file ext associations
auditfail System Get CrashOnAuditFail value
auditpol Security Get audit policy from the Security hive file
autoendtasks NTUSER.DAT Automatically end a non-responsive task
autorun NTUSER.DAT Gets autorun settings
backuprestore System Gets the contents of the FilesNotToSnapshot
banner Software Get HKLM\SOFTWARE.. Logon Banner Values
baseline All Scans a hive file
bho Software Gets Browser Helper Objects from Software hive
bitbucket Software Get HKLM\..\BitBucket keys\values
bitbucket_user NTUSER.DAT TEST - Get user BitBucket values
brisv NTUSER.DAT Detect artifacts of a Troj.Brisv.A infection
btconfig Software Determines BlueTooth devices 'seen' by BroadComm drivers
bthport System Gets Bluetooth-connected devices from System hive
cain NTUSER.DAT Extracts details for Cain & Abel by oxid.it
ccleaner NTUSER.DAT Gets User's CCleaner Settings
clampi NTUSER.DAT TEST - Checks for keys set by Trojan.Clampi PROT module
clampitm NTUSER.DAT Checks for IOCs for Clampi (per Trend Micro)
clsid Software Get list of CLSID/registered classes
cmdproc NTUSER.DAT Autostart - get Command Processor\AutoRun value from NTUSER.DAT hive
cmdproc_tln NTUSER.DAT Autostart - get Command Processor\AutoRun value from NTUSER.DAT hive (TLN)
cmd_shell Software Gets shell open cmds for various file types
cmd_shell_tln Software Gets shell open cmds for various file types
cmd_shell_u USRCLASS.DAT Gets shell open cmds for various file types from USRCLASS.DAT
codeid Software Gets CodeIdentifier DefaultLevel value
comdlg32 NTUSER.DAT Gets contents of user's ComDlg32 key
compatassist NTUSER.DAT Checks user's Compatibility Assistant\Persisted values
compdesc NTUSER.DAT Gets contents of user's ComputerDescriptions key
compname System Gets ComputerName and Hostname values from System hive
controlpanel NTUSER.DAT Look for RecentTask* values in ControlPanel key (Vista)
cpldontload NTUSER.DAT Gets contents of user's Control Panel don't load key
crashcontrol System Get crash control information
ctrlpnl Software Get Control Panel info from Software hive
ddm System Get DDM data from Control Subkey
decaf NTUSER.DAT Extracts the EULA value for DECAF.
defbrowser Software Gets default browser setting from HKLM
dependency_walker NTUSER.DAT Extracts Recent File List for Dependency Walker.
devclass System Get USB device info from the DeviceClasses keys in the System hive
dfrg Software Gets content of Dfrg BootOptim. key
diag_sr System Get Diag\SystemRestore values and data
direct Software Searches Direct* keys for MostRecentApplication subkeys
direct_tln Software Searches Direct* keys for MostRecentApplication subkeys (TLN)
disablelastaccess System Get NTFSDisableLastAccessUpdate value
disablesr Software Gets the value that turns System Restore either on or off
dllsearch System Get crash control information
dnschanger System Check for indication of DNSChanger infection.
domains NTUSER.DAT Gets contents Internet Settings\ZoneMap\Domains key
drivers32 Software Get values from the Drivers32 key
drwatson Software Gets Dr. Watson settings from Software hive
emdmgmt Software Gets contents of EMDMgmt subkeys and values
environment NTUSER.DAT Extracts user's Environment paths from NTUSER.DAT
esent Software Get ESENT\Process key contents
eventlog System Get EventLog configuration info
eventlogs System Gets Event Log settings from System hive
fileexts NTUSER.DAT Get user FileExts values
filehistory NTUSER.DAT Gets filehistory settings
findexes All Scans a hive file looking for binary value data that contains MZ
fw_config System Gets the Windows Firewall config from the System hive
gauss Software Checks Reliability key for TimeStampforUI value
gthist NTUSER.DAT Gets Google Toolbar Search History
gtwhitelist NTUSER.DAT Gets Google Toolbar whitelist values
haven_and_hearth NTUSER.DAT Extracts the username and savedtoken for Haven & Hearth.
hibernate System Check hibernation status
ide System Get IDE device info from the System hive file
iejava NTUSER.DAT Checks NTUSER for status of kill bit for IE Java ActiveX control
ie_main NTUSER.DAT Gets values beneath user's Internet Explorer\Main key
ie_settings NTUSER.DAT Gets important user IE settings
ie_version Software Get IE version and build
imagedev System
imagefile Software Checks IFEO subkeys for Debugger & CWDIllegalInDllSearch values
init_dlls Software Check for odd **pInit_Dlls keys
inprocserver Software Checks CLSID InProcServer32 values for indications of ZeroAccess infection
inprocserver_u USRCLASS.DAT Checks CLSID InProcServer32 values for indications of ZeroAccess infection
installedcomp Software Get info about Installed Components/StubPath
installer Software Determines product install information
internet_explorer_cu NTUSER.DAT Get HKCU information on Internet Explorer
internet_settings_cu NTUSER.DAT Get HKCU information on Internet Settings
itempos NTUSER.DAT Shell/Bags/1/Desktop ItemPos* value parsing; Win7 NTUSER.DAT hives
javafx NTUSER.DAT Gets contents of user's JavaFX key
javasoft Software Gets contents of JavaSoft/UseJava2IExplorer value
kb950582 Software KB950582 - Gets autorun settings from HKLM hive
kbdcrash System Checks to see if system is config to crash via keyboard
landesk Software Get list of programs monitored by LANDESK - Software hive
landesk_tln Software Get list of programs monitored by LANDESK from Software hive
legacy System Lists LEGACY_* entries in Enum\Root key
legacy_tln System Lists LEGACY_* entries in Enum\Root key in TLN format
licenses Software Get contents of HKLM/Software/Licenses key
listsoft NTUSER.DAT Lists contents of user's Software key
liveContactsGUID NTUSER.DAT Gets user Windows Live Messenger GUIDs
load NTUSER.DAT Gets load and run values from user hive
logonusername NTUSER.DAT Get user's Logon User Name value
lsasecrets Security TEST - Get update times for LSA Secrets
lsa_packages System Lists various *Packages key contents beneath LSA key
macaddr Software
menuorder NTUSER.DAT Gets contents of user's MenuOrder subkeys
mmc NTUSER.DAT Get contents of user's MMC\Recent File List key
mmc_tln NTUSER.DAT Get contents of user's MMC\Recent File List key (TLN)
mmo NTUSER.DAT Checks NTUSER for Multimedia\Other values [malware]
mndmru NTUSER.DAT Get contents of user's Map Network Drive MRU
mndmru_tln NTUSER.DAT Get user's Map Network Drive MRU (TLN)
mountdev System Return contents of System hive MountedDevices key
mountdev2 System Return contents of System hive MountedDevices key
mp2 NTUSER.DAT Gets user's MountPoints2 key contents
mp3 NTUSER.DAT Gets user's MountPoints2 key contents
mpmru NTUSER.DAT Gets user's Media Player RecentFileList values
mrt Software Check to see if Malicious Software Removal Tool has been run
msis Software Determine MSI packages installed on the system
mspaper NTUSER.DAT Gets images listed in user's MSPaper key
muicache NTUSER.DAT USRCLASS.DAT
nero NTUSER.DAT Gets contents of Ahead\Nero Recent File List subkeys
netassist NTUSER.DAT Check for Firefox Extensions.
network System Gets info from System\Control\Network GUIDs
networkcards Software Get NetworkCards
networklist Software Collects network info from Vista+ NetworkList key
networklist_tln Software Collects network info from NetworkList key (TLN)
networkuid Software Gets Network key UID value
nic System Gets NIC info from System hive
nic2 System Gets NIC info from System hive
nic_mst2 System Gets NICs from System hive; looks for MediaType = 2
nolmhash System Gets NoLMHash value
ntusernetwork NTUSER.DAT Returns contents of user's Network subkeys
odysseus NTUSER.DAT Extract registry keys for Odysseus by bindshell.net.
officedocs NTUSER.DAT Gets contents of user's Office doc MRU keys
officedocs2010 NTUSER.DAT Gets user's Office 2010 doc MRU values
officedocs2010_tln NTUSER.DAT Gets user's Office 2010 doc MRU values; TLN output
oisc NTUSER.DAT Gets contents of user's Office Internet Server Cache
olsearch NTUSER.DAT Gets contents of user's OutLook Searches
osversion NTUSER.DAT Checks for OSVersion value
osversion_tln NTUSER.DAT Checks for OSVersion value (TLN)
outlook NTUSER.DAT Gets user's Outlook settings
outlook2 NTUSER.DAT Gets MAPI (Outlook) settings *BETA*
pagefile System Get info on pagefile(s)
phdet System Check for a Phdet infection
photos USRCLASS.DAT Shell/BagMRU traversal in Win7 USRCLASS.DAT hives
polacdms Security Get local machine SID from Security hive
policies_u NTUSER.DAT Get values from the user's Policies key
prefetch SYSTEM Gets the Prefetch Parameters
printermru NTUSER.DAT Gets user's Printer Wizard MRU listing
printers NTUSER.DAT Get user's printers
privoxy NTUSER.DAT Extracts the install path for Privoxy.
product Software Get installed product info
productpolicy System Parse ProductPolicy value (Vista & Win2008 ONLY)
producttype System Queries System hive for Windows Product info
profilelist Software Get content of ProfileList key
proxysettings NTUSER.DAT Gets contents of user's Proxy Settings
publishingwizard NTUSER.DAT Extract AddNetPlace\LocationMRU for Microsoft Publishing Wizard
putty NTUSER.DAT Extracts the saved SshHostKeys for PuTTY.
rdphint NTUSER Gets hosts logged onto via RDP and the Domain\Username
rdpport System Queries System hive for RDP Port
realplayer6 NTUSER.DAT Gets user's RealPlayer v6 MostRecentClips(Default) values
realvnc NTUSER.DAT Gets user's RealVNC MRU listing
recentdocs NTUSER.DAT Gets contents of user's RecentDocs key
regback Software List all tasks along with logfile name and last written date/time
regtime All Dumps entire hive - all keys sorted by LastWrite time
regtime_tln All Dumps entire hive - all keys sorted by LastWrite time
removdev Software Parses Windows Portable Devices key (Vista)
renocide Software Check for Renocide malware
rootkit_revealer NTUSER.DAT Extracts the EULA value for Sysinternals Rootkit Revealer.
routes System Get persistent routes
runmru NTUSER.DAT Gets contents of user's RunMRU key
runmru_tln NTUSER.DAT Gets contents of user's RunMRU key (TLN)
safeboot System Check SafeBoot entries
samparse SAM Parse SAM file for user & group mbrshp info
samparse_tln SAM Parse SAM file for user acct info (TLN)
schedagent Software Get SchedulingAgent key contents
secctr Software Get data from Security Center key
securityproviders System Gets SecurityProvider value from System hive
services System Lists services/drivers in Services key by LastWrite times
sevenzip NTUSER.DAT Gets records of histories from 7-Zip keys
sfc Software Get SFC values
shares System Get list of shares from System hive file
shc NTUSER.DAT Gets SHC entries from user hive
shellbags USRCLASS.DAT Shell/BagMRU traversal in Win7 USRCLASS.DAT hives
shellbags_tln USRCLASS.DAT Shell/BagMRU traversal in Win7 USRCLASS.DAT hives
shellexec Software Gets ShellExecuteHooks from Software hive
shellext Software Gets Shell Extensions from Software hive
shellfolders NTUSER.DAT Retrieve user Shell Folders values
shelloverlay Software Gets ShellIconOverlayIdentifiers values
shutdown System Gets ShutdownTime value from System hive
shutdowncount System Retrieves ShutDownCount value
skype NTUSER.DAT Gets data user's Skype key
snapshot Software Check ActiveX comp kill bit; Access Snapshot
snapshot_viewer NTUSER.DAT Extracts Recent File List for Microsoft Snapshot Viewer.
soft_run Software [Autostart] Get autostart key contents from Software hive
spp_clients Software Determines volumes monitored by VSS
sql_lastconnect Software MDAC cache of successful connections
srun_tln Software [Autostart] Get autostart key contents from Software hive (TLN)
ssh_host_keys NTUSER.DAT Extracts Putty/WinSCP SSH Host Keys
ssid Software Get WZCSVC SSID Info
startmenuinternetapps_cu NTUSER.DAT Start Menu Internet Applications info current user
startmenuinternetapps_lm SOFTWARE Start Menu Internet Applications info
startpage NTUSER.DAT Gets contents of user's StartPage key
stillimage System Get info on StillImage devices
streammru NTUSER.DAT streammru
streams NTUSER.DAT Parse Streams and StreamsMRU entries
svc System Lists services/drivers in Services key by LastWrite times (short format)
svc2 System Lists Services key contents by LastWrite times (CSV)
svcdll System Lists Services keys with ServiceDll values
svchost Software Get entries from SvcHost key
svc_plus System Lists services/drivers in Services key by LastWrite times in a short format with warnings for type mismatches
sysinternals NTUSER.DAT Checks for SysInternals apps keys
sysinternals_tln NTUSER.DAT Checks for SysInternals apps keys (TLN)
systemindex Software Gets systemindex\..\Paths info from Windows Search key
termcert System Gets Terminal Server certificate
termserv System Gets Terminal Server values from System hive
timezone System Get TimeZoneInformation key contents
tracing Software Gets list of apps that can be traced
tracing_tln Software Gets list of apps that can be traced (TLN)
trappoll Software Get TrapPollTimeMilliSecs value
trustrecords NTUSER.DAT Gets user's Office 2010 TrustRecords values
trustrecords_tln NTUSER.DAT Gets user's Office 2010 TrustRecords values; TLN output
tsclient NTUSER.DAT Displays contents of user's Terminal Server Client\Default key
tsclient_tln NTUSER.DAT Displays contents of user's Terminal Server Client key (TLN)
typedpaths NTUSER.DAT Gets contents of user's typedpaths key
typedpaths_tln NTUSER.DAT Gets contents of user's typedpaths key (TLN)
typedurls NTUSER.DAT Returns contents of user's TypedURLs key.
typedurlstime NTUSER.DAT Returns contents of user's TypedURLsTime key.
typedurlstime_tln NTUSER.DAT Returns contents of Win8 user's TypedURLsTime key (TLN).
typedurls_tln NTUSER.DAT Returns MRU for user's TypedURLs key (TLN)
uac Software Get Select User Account Control (UAC) Values from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
uninstall Software Gets contents of Uninstall keys (64- & 32-bit) from Software hive
uninstall_tln Software Gets contents of Uninstall keys (64- & 32-bit) from Software hive (TLN format)
unreadmail NTUSER.DAT Gets contents of Unreadmail key
urlzone Software URLZONE detection
urun_tln NTUSER.DAT [Autostart] Get autostart key contents from NTUSER.DAT hive
usb System Get USB device info
usbdevices System Parses Enum\USB key for devices
usbstor System Get USBStor key info
usbstor2 System Get USBStor key info; csv output
usbstor3 System Get USBStor key info
userassist NTUSER.DAT Displays contents of UserAssist subkeys
userassist_tln NTUSER.DAT Displays contents of UserAssist subkeys in TLN format
userinfo NTUSER.DAT Gets contents of MS Office UserInfo values
userlocsvc NTUSER.DAT Displays contents of User Location Service\Client key
user_run NTUSER.DAT [Autostart] Get autostart key contents from NTUSER.DAT hive
user_win NTUSER.DAT
virut Software Detect Virut artifacts
vista_bitbucket NTUSER.DAT Get BitBucket settings from Vista via NTUSER.DAT
vmplayer NTUSER.DAT Extracts full filepath for recent VMware Player VM images.
vmware_vsphere_client NTUSER.DAT Extract recent connections list for VMware vSphere Client.
vnchooksapplicationprefs NTUSER.DAT Get VNCHooks Application Prefs list
vncviewer NTUSER.DAT Get VNCViewer system list
volinfocache Software Gets VolumeInfoCache from Windows Search key
wallpaper NTUSER.DAT Parses Wallpaper MRU Entries
warcraft3 NTUSER.DAT Extract usernames for Warcraft 3.
wbem Software Get contents of WBEM\WDM key
winbackup Software Get Windows Backup
winlivemail NTUSER.DAT Get & display the contents of the Windows Live Mail key
winlogon Software Get values from the WinLogon key
winlogon_tln Software Alerts on values from the WinLogon key (TLN)
winlogon_u NTUSER.DAT Get values from the user's WinLogon key
winnt_cv Software Get & display the contents of the Windows NT\CurrentVersion key
winrar NTUSER.DAT Get WinRAR\ArcHistory entries
winrar_tln NTUSER.DAT Get WinRAR\ArcHistory entries (TLN)
winscp_sessions NTUSER.DAT Extracts WinSCP stored session data
winver Software Get Windows version
winvnc NTUSER.DAT Extracts the encrypted password for WinVNC.
winzip NTUSER.DAT Get WinZip extract and filemenu values
win_cv Software Get & display the contents of the Windows\CurrentVersion key
wordwheelquery NTUSER.DAT Gets contents of user's WordWheelQuery key
wpdbusenum System Get WpdBusEnumRoot subkey info
xpedition System Queries System hive for XP Edition info
yahoo_cu NTUSER.DAT Yahoo Messenger parser
yahoo_lm SOFTWARE Yahoo Messenger parser



The command-line options of rip.exe are listed in Table 5.

[Table 5] rip.exe command-line options
Option  Description
-r  Registry hive file to parse
-g  Guess the type of the hive file
-f  Profile (plugins file) to use
-p  Run a single named plugin
-l  List all available plugins
-c  Used with -l: print the plugin list in CSV format
-s  System (server) name to embed in TLN output
-u  User name to embed in TLN output
-h  Print help
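The -s and -u options only matter for the _tln plugins: their output lines carry the system and user name in fixed fields, which is what keeps events attributable once output from several hives and users is merged. The Python below is an added example (not RegRipper's own code) that parses such TLN lines, merges them, sorts them by time and filters by user or time window. It assumes the TLN line layout time|source|system|user|description with the time as a Unix epoch in UTC; SAMPLE_TLN is constructed for the example and its description text is illustrative rather than any plugin's exact wording.

```python
"""Added example (not RegRipper project code): merge *_tln plugin output into
one time-ordered timeline.

Assumed TLN line layout:  time|source|system|user|description
where time is a Unix epoch (UTC) and system/user are what -s and -u fill in.
"""
from datetime import datetime, timezone

# Constructed sample: as if `rip -r NTUSER.DAT -f ... -s WKS01 -u alice` and
# `rip -r SYSTEM -f ... -s WKS01` output had been concatenated. The third line
# stands in for the non-TLN noise rip.exe can print between events.
SAMPLE_TLN = """\
1366040355|REG|WKS01|alice|UserAssist - cmd.exe (3)
1366040290|REG|WKS01||Services - RemoteAccess LastWrite
WARNING: plugin not found
1366040400|REG|WKS01|alice|RunMRU - cmd /c dir | findstr .log
"""


def parse_tln_line(line):
    """One TLN line -> dict, or None for non-TLN lines (warnings, banners).
    split('|', 4) leaves any '|' inside the description untouched."""
    parts = line.rstrip("\r\n").split("|", 4)
    if len(parts) != 5 or not parts[0].isdigit():
        return None
    ts, source, system, user, descr = parts
    return {"time": int(ts), "source": source, "system": system,
            "user": user, "descr": descr}


def parse_tln(text):
    """All TLN events in a block of rip.exe output, in file order."""
    return [ev for ev in map(parse_tln_line, text.splitlines()) if ev]


def to_iso(epoch):
    """Epoch seconds -> 'YYYY-MM-DD HH:MM:SS UTC'. TLN times are UTC, so the
    conversion must not apply the analysis machine's local time zone."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(
        "%Y-%m-%d %H:%M:%S UTC")


def timeline(*outputs, start=None, end=None, user=None):
    """Merge one or more rip.exe outputs, sort by time, and optionally keep only
    events in the epoch window [start, end] and/or for one user. Returns
    formatted lines ready to print or write to a timeline file."""
    events = sorted((ev for text in outputs for ev in parse_tln(text)),
                    key=lambda e: (e["time"], e["system"], e["user"]))
    lines = []
    for e in events:
        if start is not None and e["time"] < start:
            continue
        if end is not None and e["time"] > end:
            continue
        if user is not None and e["user"] != user:
            continue
        lines.append(f"{to_iso(e['time'])} {e['source']} {e['system']} "
                     f"{e['user'] or '-'} {e['descr']}")
    return lines


if __name__ == "__main__":
    print("\n".join(timeline(SAMPLE_TLN)))
```

Passing several outputs to timeline() (one per hive, or per user's NTUSER.DAT) gives the merged view; the sort key includes system and user so that events with the same second are ordered deterministically across runs.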



Limitations

As Figures 4 and 5 show, RegRipper does not render Korean (Hangul) strings correctly in its output. Most of the plugins were written before 2012, so a plugin may fail or return incomplete results when the application or Windows component it targets has since changed its registry layout; check a plugin's output against the key itself before relying on it. RegRipper also has no hive acquisition capability: the hives must be obtained separately, for example extracted from a disk image or, on a live system where the hive files are locked, exported with reg save (e.g. reg save HKLM\SAM C:\out\SAM, which requires administrator rights) or copied from a Volume Shadow Copy.

Use in investigations

When the collected Windows installation is an English-language one, RegRipper can be used from either the GUI or the CLI to pull the specific registry artifacts that a plugin supports, such as user accounts from the SAM hive, without browsing the hive manually.