Scribd
Upload
45 views

Lab 16

Uploaded by

Ngô Hải Anh
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
45 views

Lab 16

Uploaded by

Ngô Hải Anh
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 8

LAB16: Registry Forensics with RegRipperPlug-ins

Registry:

- Introduction to the window registry.


- Introduction to RegRipper.
- Analysis of Registry files with RegRipper.

Introduction to the window registry


The window registry is a hierarchical database that stores the configuration setting
of the OS, apps, users, and devices.
It is a valuable source of the information about the system, the installed and
executed programs, the users’ activities and connected devices.
Registry artifacts could also reveal the presence of malware.

The registry is a composed of binary data files also called “hive”.


The main registry hives are SAM, Security, Software, and system.
- They are located under the C:\windows\system32\config
- There are also specific user’s hives NTUSER.DAT, and URSCLASS.DAT
- These are located under the user’s profile
- The SAM hive contains the user’s settings and hashed passwords.
- Security contains the system security settings.
- Software stores the window and program configuration.
- System stores the information about the system and the connected devices.
- The registry has two basic elements: keys and values.
- Keys are containers that could include other keys and/or values.
- Values are defined by a name, a type and the associated data value.
- Most important root key is the HKLY_LOCAL_MACHINE where the main
registry hives are mapped as subkeys.
Introduction to RegRipper
- RegRipper is a tool to extract and analyze data from the registry.
- It is written by Perl
- RegRipper executes plugins to parse the registry an extract data.
Analysis of Registry files with RegRipper

- Download RegRipper, plugins and sample data on:


https://code.google.com/archive/p/regripper/downloads
- The plugins are Perl scripts that are contributed by the forensics community.
During your forensics case investigations, it extracting information from a
particular part of the registry frequently.
- We use available plugins
LAB

Prepare:
- Viturial Machine : Windows 2008
- 3 files including: Sample , plugins , rrv2.8. Download link is below:
https://code.google.com/archive/p/regripp er/downloads

RegRipper:
You need to unzip all 3 files above
Note*: if you want to start RegRipper software, you must first import the
plugins file.
There will be 2 ways to import:
- Method 1: You copy and paste directly into the file rrv2.8
- Method 2: In the file rrv2.8 there is a program named "pb" and there it
will display the interface window so that you can import the plugin's files.
And here we will conduct the analysis:
Analyst file Software:
First I will analyze the software file in Win 8
Note: when you analyze any file, you must choose its correct profile. For
example, if I am analyzing the file "software", I will choose the profile
"software"

First file: it is a log file that stores the analysis actions on the software file.
Second file: it's the result after an analysis process.

File log
In the second file, we can easily recognize the .exe files and its location in
Win 8

Analyst file SAM:


And next we will continue to analyze the SAM file in Windows 7. As you all
know, the SAM file is the file that stores the user's and group membership’s
password, inforamtion, etc …
Analyst file NTUSER.DAT:
And finally the file that I want to demo for you is the ntuser.dat file. This is
a setup file that configures the user's kernels or may include user accounts.

You might also like